idnits 2.17.1

draft-dulaunoy-misp-object-template-format-04.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack a Security Considerations section.

  ** The document seems to lack an IANA Considerations section. (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** There are 4 instances of too long lines in the document, the longest one
     being 58 characters in excess of 72.

  ** The abstract seems to contain references ([MISP-O]), which it shouldn't.
     Please replace those with straight textual mentions of the documents in
     question.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (January 5, 2021) is 1206 days in the past. Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  Summary: 4 errors (**), 0 flaws (~~), 2 warnings (==), 258 comments (--).

  Run idnits with the --verbose option for more detailed information about
  the items above.

--------------------------------------------------------------------------------

Network Working Group                                        A. Dulaunoy
Internet-Draft                                                 A. Iklody
Expires: July 9, 2021                                              CIRCL
                                                         January 5, 2021

                       MISP object template format
              draft-dulaunoy-misp-object-template-format-04

Abstract

   This document describes the MISP object template format which
   describes a simple JSON format to represent the various templates
   used to construct MISP objects. A public directory of common
   vocabularies MISP object templates [MISP-O] is available and relies
   on the MISP object reference format.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 9, 2021.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Conventions and Terminology
   2.  Format
     2.1.  Overview
       2.1.1.  Object Template
       2.1.2.  attributes
       2.1.3.  Sample Object Template object
       2.1.4.  Object Relationships
   3.  Directory
     3.1.  Existing and public MISP object templates
   4.  Acknowledgements
   5.  References
     5.1.  Normative References
     5.2.  Informative References
     5.3.  URIs
   Authors' Addresses

1.  Introduction

   Due to the increased maturity of threat information sharing, the need
   arose for more complex and exhaustive data-points to be shared across
   the various sharing communities. MISP's information sharing in
   general relied on a flat structure of attributes contained within an
   event, where attributes served as atomic secluded data-points with
   some commonalities as defined by the encapsulating event. However,
   this flat structure restricted the use of more diverse and complex
   data-points described by a list of atomic values, a problem solved by
   the MISP object structure.

   MISP objects combine a list of attributes to represent a singular
   object with various facets. In order to bootstrap the object
   creation process and to maintain uniformity among objects describing
   similar data-points, the MISP object template format serves as a
   reusable and share-able blueprint format.

   MISP object templates also include a vocabulary to describe the
   various inter-object and object-to-attribute relationships and are
   leveraged by MISP object references.

1.1.  Conventions and Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.  Format

   MISP object templates are composed of the MISP object template (MUST)
   structure itself and a list of MISP object template elements (SHOULD)
   describing the list of possible attributes belonging to the resulting
   object, along with their context and settings.

   MISP object templates themselves consist of a name (MUST), a
   meta-category (MUST) and a description (SHOULD). They are identified
   by a uuid (MUST) and a version (MUST). For any updates or transfer of
   the same object reference. UUID version 4 is RECOMMENDED when
   assigning it to a new object reference. The list of requirements when
   it comes to the contained MISP object template elements is defined in
   the requirements field (OPTIONAL).

   MISP object template elements consist of an object_relation (MUST), a
   type (MUST), an object_template_id (SHOULD), a ui_priority (SHOULD),
   a list of categories (MAY), a list of sane_default values (MAY) or a
   values_list (MAY).

2.1.  Overview

   The MISP object template format uses the JSON [RFC8259] format. Each
   template is represented as a JSON object with meta information
   including the following fields: uuid, requiredOneOf, description,
   version, meta-category, name.

2.1.1.  Object Template

2.1.1.1.  uuid

   uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of
   the object template. The uuid MUST be preserved to keep consistency
   of the templates across instances. UUID version 4 is RECOMMENDED
   when assigning it to a new object template.

   uuid is represented as a JSON string. uuid MUST be present.

2.1.1.2.  requiredOneOf

   requiredOneOf is represented as a JSON list and contains a list of
   attribute relationships of which one must be present in the object to
   be created based on the given template. The requiredOneOf field MAY
   be present.

2.1.1.3.  required

   required is represented as a JSON list and contains a list of
   attribute relationships of which all must be present in the object to
   be created based on the given template. The required field MAY be
   present.

2.1.1.4.  description

   description is represented as a JSON string and contains the assigned
   meaning given to objects created using this template. The
   description field MUST be present.

2.1.1.5.  version

   version represents a numeric incrementing version of the object
   template. It is used to associate the object to the correct version
   of the template and together with the uuid field forms an association
   to the correct template type and version.

   version is represented as a JSON string. version MUST be present.

2.1.1.6.  meta-category

   meta-category represents the sub-category of objects that the given
   object template belongs to. meta-categories are not tied to a fixed
   list of options but can be created on the fly.

   meta-category is represented as a JSON string. meta-category MUST be
   present.

2.1.1.7.  name

   name represents the human-readable name of the objects created using
   the given template, describing the intent of the object package.

   name is represented as a JSON string. name MUST be present.

2.1.2.  attributes

   attributes is represented as a JSON list and contains a list of
   template elements used as a template for creating the individual
   attributes within the object that is to be created with the object.

   attributes is represented as a JSON list. attributes MUST be present.

2.1.2.1.  description

   description is represented as a JSON string and contains the
   description of the given attribute in the context of the object with
   the given relationship. The description field MUST be present.

2.1.2.2.  ui-priority

   ui-priority is represented by a numeric value in JSON string format
   and is meant to provide a priority for the given element in the
   object template visualisation. The ui-priority MAY be present.

2.1.2.3.  misp-attribute

   misp-attribute is represented by a JSON string or a JSON object with
   a list of values. The value(s) are taken from the pool of types
   defined by the MISP core format's Attribute Object's type list. type
   can contain a JSON object with a list of suggested value alternatives
   encapsulated in a list within a sane_default key or a list of
   enforced value alternatives encapsulated in a list_values key.

   The misp-attribute field MUST be present.

2.1.2.4.  disable_correlation

   disable_correlation is represented by a JSON boolean. The
   disable_correlation field flags the attribute(s) created by the given
   object template element to be marked as non-correlating.

   The misp-attribute field MAY be present.

2.1.2.5.  categories

   categories is represented by a JSON list containing one or several
   valid options from the list of verbs valid for the category field in
   the Attribute object within the MISP core format.

   The categories field MAY be present.

2.1.2.6.  multiple

   multiple is represented by a JSON boolean value. It marks the MISP
   object template element as a multiple input field, allowing for
   several attributes to be created by the element within the same
   object.

   The multiple field MAY be present.

2.1.2.7.  sane_default

   sane_default is represented by a JSON list containing one or several
   recommended/sane values for an attribute. sane_default is mutually
   exclusive with values_list.

   The sane_default field MAY be present.

2.1.2.8.  values_list

   values_list is represented by a JSON list containing one or several
   fixed values for an attribute. values_list is mutually exclusive
   with sane_default.

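   Added example, not part of the draft or of MISP's own code: a Python
   check of the template fields defined in sections 2.1.1 and 2.1.2, plus
   a check of attribute values against a template, as a consumer might run
   before loading templates from an untrusted source. Assumptions:
   attributes is handled as a JSON object keyed by relation name and
   version may be a number, as in the draft's sample templates; the
   relation-name consistency check, all function names, the sample
   template and the simplified values mapping are constructed for
   illustration.

```python
import json
import uuid

REQUIRED_TOP = ("uuid", "description", "version", "meta-category", "name", "attributes")
REQUIRED_ELEM = ("description", "misp-attribute")
BOOL_KEYS = ("disable_correlation", "multiple")
LIST_KEYS = ("categories", "sane_default", "values_list")


def validate_template(tpl):
    """Return a list of problems in a template; an empty list means it passed."""
    if not isinstance(tpl, dict):
        return ["template is not a JSON object"]
    problems = [f"missing field: {k}" for k in REQUIRED_TOP if k not in tpl]
    if "uuid" in tpl:
        try:
            uuid.UUID(str(tpl["uuid"]))
        except ValueError:
            problems.append("uuid is not a valid UUID")
    # Assumption: accept version as a number or as a numeric string.
    version = tpl.get("version")
    if "version" in tpl and (isinstance(version, bool) or not str(version).isdigit()):
        problems.append("version is not a non-negative integer")
    # Assumption: attributes is a JSON object keyed by object relation name.
    attrs = tpl.get("attributes", {})
    if not isinstance(attrs, dict):
        problems.append("attributes is not an object keyed by relation name")
        attrs = {}
    for rel, elem in attrs.items():
        if not isinstance(elem, dict):
            problems.append(f"{rel}: element is not a JSON object")
            continue
        problems += [f"{rel}: missing {k}" for k in REQUIRED_ELEM if k not in elem]
        if "sane_default" in elem and "values_list" in elem:
            problems.append(f"{rel}: sane_default and values_list are mutually exclusive")
        problems += [f"{rel}: {k} is not a boolean" for k in BOOL_KEYS
                     if k in elem and not isinstance(elem[k], bool)]
        problems += [f"{rel}: {k} is not a list" for k in LIST_KEYS
                     if k in elem and not isinstance(elem[k], list)]
    for key in ("required", "requiredOneOf"):
        names = tpl.get(key, [])
        if not isinstance(names, list):
            problems.append(f"{key} is not a list")
            continue
        # Assumption: every listed relation should be defined under attributes.
        problems += [f"{key}: unknown relation {n!r}" for n in names
                     if not isinstance(n, str) or n not in attrs]
    return problems


def check_object(tpl, values):
    """Check one object's values against a template that passed validation.
    values maps relation name -> list of values (simplified, hypothetical form)."""
    attrs = tpl["attributes"]
    problems = [f"unknown relation: {r}" for r in values if r not in attrs]
    present = {r for r, v in values.items() if v}
    problems += [f"required relation missing: {r}"
                 for r in tpl.get("required", []) if r not in present]
    one_of = tpl.get("requiredOneOf", [])
    if one_of and not present.intersection(one_of):
        problems.append(f"none of requiredOneOf present: {one_of}")
    for rel in sorted(present & attrs.keys()):
        elem = attrs[rel]
        if len(values[rel]) > 1 and not elem.get("multiple", False):
            problems.append(f"{rel}: multiple values but 'multiple' is not set")
        allowed = elem.get("values_list")
        if isinstance(allowed, list):  # values_list holds the enforced values
            problems += [f"{rel}: value {v!r} not in values_list"
                         for v in values[rel] if v not in allowed]
    return problems


# Constructed sample template (not taken from the MISP object directory).
SAMPLE_TEMPLATE = json.loads("""
{"name": "example-credential", "meta-category": "misc", "version": 1,
 "description": "Constructed template used only for this example.",
 "uuid": "00000000-0000-4000-8000-000000000001",
 "requiredOneOf": ["password"],
 "attributes": {
   "username": {"description": "Account name", "misp-attribute": "text"},
   "password": {"description": "Secret", "multiple": true, "misp-attribute": "text"},
   "format": {"description": "Format of the secret", "misp-attribute": "text",
              "values_list": ["clear-text", "hashed", "encrypted", "unknown"]}}}
""")


def broken_copy():
    """Constructed defective variant: no uuid, bad relation name, both value lists."""
    bad = json.loads(json.dumps(SAMPLE_TEMPLATE))
    del bad["uuid"]
    bad["requiredOneOf"] = ["passwd"]
    bad["attributes"]["format"]["sane_default"] = ["unknown"]
    return bad


if __name__ == "__main__":
    print(validate_template(SAMPLE_TEMPLATE))
    print(validate_template(broken_copy()))
    print(check_object(SAMPLE_TEMPLATE, {"username": ["a", "b"], "format": ["rot13"]}))
```
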
250 The value_list field MAY be present. 252 2.1.3. Sample Object Template object 254 The MISP object template directory is publicly available [MISP-O] in 255 a git repository and contains more than 60 object templates. As 256 illustration, two sample objects templates are included. 258 2.1.3.1. credit-card object template 259 { 260 "requiredOneOf": [ 261 "cc-number" 262 ], 263 "attributes": { 264 "version": { 265 "description": "Version of the card.", 266 "ui-priority": 0, 267 "misp-attribute": "text" 268 }, 269 "comment": { 270 "description": "A description of the card.", 271 "ui-priority": 0, 272 "misp-attribute": "comment" 273 }, 274 "card-security-code": { 275 "description": "Card security code (CSC, CVD, CVV, CVC and SPC) as embossed or printed on the card.", 276 "ui-priority": 0, 277 "misp-attribute": "text" 278 }, 279 "name": { 280 "description": "Name of the card owner.", 281 "ui-priority": 0, 282 "misp-attribute": "text" 283 }, 284 "issued": { 285 "description": "Initial date of validity or issued date.", 286 "ui-priority": 0, 287 "misp-attribute": "datetime" 288 }, 289 "expiration": { 290 "description": "Maximum date of validity", 291 "ui-priority": 0, 292 "misp-attribute": "datetime" 293 }, 294 "cc-number": { 295 "description": "credit-card number as encoded on the card.", 296 "ui-priority": 0, 297 "misp-attribute": "cc-number" 298 } 299 }, 300 "version": 2, 301 "description": "A payment card like credit card, debit card or any similar cards which can be used for financial transactions.", 302 "meta-category": "financial", 303 "uuid": "2b9c57aa-daba-4330-a738-56f18743b0c7", 304 "name": "credit-card" 305 } 306 2.1.3.2. 
credential object template 308 { 309 "requiredOneOf": [ 310 "password" 311 ], 312 "attributes": { 313 "text": { 314 "description": "A description of the credential(s)", 315 "disable_correlation": true, 316 "ui-priority": 1, 317 "misp-attribute": "text" 318 }, 319 "username": { 320 "description": "Username related to the password(s)", 321 "ui-priority": 1, 322 "misp-attribute": "text" 323 }, 324 "password": { 325 "description": "Password", 326 "multiple": true, 327 "ui-priority": 1, 328 "misp-attribute": "text" 329 }, 330 "type": { 331 "description": "Type of password(s)", 332 "ui-priority": 1, 333 "misp-attribute": "text", 334 "values_list": [ 335 "password", 336 "api-key", 337 "encryption-key", 338 "unknown" 339 ] 340 }, 341 "origin": { 342 "description": "Origin of the credential(s)", 343 "ui-priority": 1, 344 "misp-attribute": "text", 345 "sane_default": [ 346 "bruteforce-scanning", 347 "malware-analysis", 348 "memory-analysis", 349 "network-analysis", 350 "leak", 351 "unknown" 352 ] 353 }, 354 "format": { 355 "description": "Format of the password(s)", 356 "ui-priority": 1, 357 "misp-attribute": "text", 358 "values_list": [ 359 "clear-text", 360 "hashed", 361 "encrypted", 362 "unknown" 363 ] 364 }, 365 "notification": { 366 "description": "Mention of any notification(s) towards the potential owner(s) of the credential(s)", 367 "ui-priority": 1, 368 "misp-attribute": "text", 369 "multiple": true, 370 "values_list": [ 371 "victim-notified", 372 "service-notified", 373 "none" 374 ] 375 } 376 }, 377 "version": 2, 378 "description": "Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s).", 379 "meta-category": "misc", 380 "uuid": "a27e98c9-9b0e-414c-8076-d201e039ca09", 381 "name": "credential" 382 } 384 2.1.4. Object Relationships 386 2.1.4.1. name 388 name represents the human-readable relationship type which can be 389 used when creating MISP object relations. 391 name is represented as a JSON string. 
name MUST be present.

2.1.4.2.  description

description is represented as a JSON string and contains the description of the object relationship type. The description field MUST be present.

2.1.4.3.  format

format is represented by a JSON list containing a list of formats that the relationship type is valid for and can be mapped to. The format field MUST be present.

3.  Directory

The MISP object template directory is publicly available [MISP-O] in a git repository. The repository contains an objects directory, which contains a directory per object type, containing a file named definition.json which contains the definition of the object template in the format described above.

A relationships directory is also included, containing a definition.json file which contains a list of MISP object relation definitions. There are more than 125 existing object templates documented in [MISP-O-DOC].

3.1.  Existing and public MISP object templates

o objects/ail-leak [1] - An information leak as defined by the AIL Analysis Information Leak framework.
o objects/ais-info [2] - Automated Indicator Sharing (AIS) Information Source Markings.
o objects/android-app [3] - Indicators related to an Android app.
o objects/android-permission [4] - A set of Android permissions - one or more permission(s) which can be linked to other objects (e.g. malware, app).
o objects/annotation [5] - An annotation object allowing analysts to add annotations, comments, executive summary to a MISP event, objects or attributes.
o objects/anonymisation [6] - Anonymisation object describing an anonymisation technique used to encode MISP attribute values. Reference: https://www.caida.org/tools/taxonomy/anonymization.xml [7].
o objects/asn [8] - Autonomous system object describing an autonomous system which can include one or more network operators managing an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.
o objects/attack-pattern [9] - Attack pattern describing a common attack pattern enumeration and classification.
o objects/authentication-failure-report [10] - Authentication Failure Report.
o objects/authenticode-signerinfo [11] - Authenticode Signer Info.
o objects/av-signature [12] - Antivirus detection signature.
o objects/bank-account [13] - An object describing bank account information based on account description from goAML 4.0.
o objects/bgp-hijack [14] - Object encapsulating BGP Hijack description as specified, for example, by bgpstream.com.
o objects/bgp-ranking [15] - BGP Ranking object describing the ranking of an ASN for a given day, along with its position, 1 being the most malicious ASN of the day, with the highest ranking. This object is meant to have a relationship with the corresponding ASN object and represents its ranking for a specific date.
o objects/blog [16] - Blog post like Medium or WordPress.
o objects/boleto [17] - A common form of payment used in Brazil.
o objects/btc-transaction [18] - An object to describe a Bitcoin transaction. Best to be used with bitcoin-wallet.
o objects/btc-wallet [19] - An object to describe a Bitcoin wallet. Best to be used with bitcoin-transactions.
o objects/cap-alert [20] - Common Alerting Protocol Version (CAP) alert object.
o objects/cap-info [21] - Common Alerting Protocol Version (CAP) info object.
o objects/cap-resource [22] - Common Alerting Protocol Version (CAP) resource object.
o objects/coin-address [23] - An address used in a cryptocurrency.
o objects/command [24] - Command functionalities related to specific commands executed by a program, whether it is malicious or not. Command lines are attached to this object for the related commands.
o objects/command-line [25] - Command line and options related to a specific command executed by a program, whether it is malicious or not.
o objects/cookie [26] - An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with the next request to the same server. Typically, it's used to tell if two requests came from the same browser -- keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol. (as defined by the Mozilla foundation).
o objects/cortex [27] - Cortex object describing a complete cortex analysis. Observables would be attributes with a relationship from this object.
o objects/cortex-taxonomy [28] - Cortex object describing a Cortex Taxonomy (or mini report).
o objects/course-of-action [29] - An object describing a specific measure taken to prevent or respond to an attack.
o objects/covid19-csse-daily-report [30] - CSSE COVID-19 Daily report.
o objects/covid19-dxy-live-city [31] - COVID 19 from dxy.cn - Aggregation by city.
o objects/covid19-dxy-live-province [32] - COVID 19 from dxy.cn - Aggregation by province.
o objects/cowrie [33] - Cowrie honeypot object template.
o objects/cpe-asset [34] - An asset which can be defined by a CPE. This can be a generic asset. CPE is a structured naming scheme for information technology systems, software, and packages.
o objects/credential [35] - Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s).
o objects/credit-card [36] - A payment card like credit card, debit card or any similar cards which can be used for financial transactions.
o objects/crypto-material [37] - Cryptographic materials such as public or/and private keys.
o objects/cytomic-orion-file [38] - Cytomic Orion File Detection.
o objects/cytomic-orion-machine [39] - Cytomic Orion File at Machine Detection.
o objects/dark-pattern-item [40] - An Item whose User Interface implements a dark pattern.
o objects/ddos [41] - DDoS object describes a current DDoS activity from a specific or/and to a specific target. Type of DDoS can be attached to the object as a taxonomy.
o objects/device [42] - An object to define a device.
o objects/diameter-attack [43] - Attack as seen on diameter authentication against a GSM, UMTS or LTE network.
o objects/dns-record [44] - A set of DNS records observed for a specific domain.
o objects/domain-crawled [45] - A domain crawled over time.
o objects/domain-ip [46] - A domain/hostname and IP address seen as a tuple in a specific time frame.
o objects/elf [47] - Object describing an Executable and Linkable Format.
o objects/elf-section [48] - Object describing a section of an Executable and Linkable Format.
o objects/email [49] - Email object describing an email with meta-information.
o objects/employee [50] - An employee and related data points.
o objects/exploit-poc [51] - Exploit-poc object describing a proof of concept or exploit of a vulnerability. This object often has a relationship with a vulnerability object.
o objects/facebook-account [52] - Facebook account.
o objects/facebook-group [53] - Public or private Facebook group.
o objects/facebook-page [54] - Facebook page.
o objects/facebook-post [55] - Post on a Facebook wall.
o objects/facial-composite [56] - An object which describes a facial composite.
o objects/fail2ban [57] - Fail2ban event.
o objects/favicon [58] - A favicon, also known as a shortcut icon, website icon, tab icon, URL icon, or bookmark icon, is a file containing one or more small icons, associated with a particular website or web page. The object template can include the murmur3 hash of the favicon to facilitate correlation.
o objects/file [59] - File object describing a file with meta-information.
o objects/forensic-case [60] - An object template to describe a digital forensic case.
o objects/forensic-evidence [61] - An object template to describe digital forensic evidence.
o objects/forged-document [62] - Object describing a forged document.
o objects/ftm-Airplane [63] - .
o objects/ftm-Assessment [64] - .
o objects/ftm-Asset [65] - .
o objects/ftm-Associate [66] - Non-family association between two people.
o objects/ftm-Audio [67] - .
o objects/ftm-BankAccount [68] - .
o objects/ftm-Call [69] - .
o objects/ftm-Company [70] - .
o objects/ftm-Contract [71] - A contract or contract lot issued by an authority. Multiple lots may be awarded to different suppliers (see ContractAward).
o objects/ftm-ContractAward [72] - A contract or contract lot as awarded to a supplier.
o objects/ftm-CourtCase [73] - .
o objects/ftm-CourtCaseParty [74] - .
o objects/ftm-Debt [75] - A monetary debt between two parties.
o objects/ftm-Directorship [76] - .
o objects/ftm-Document [77] - .
o objects/ftm-Documentation [78] - .
o objects/ftm-EconomicActivity [79] - A foreign economic activity.
o objects/ftm-Email [80] - .
o objects/ftm-Event [81] - .
o objects/ftm-Family [82] - Family relationship between two people.
o objects/ftm-Folder [83] - .
o objects/ftm-HyperText [84] - .
o objects/ftm-Image [85] - .
o objects/ftm-Land [86] - .
o objects/ftm-LegalEntity [87] - A legal entity may be a person or a company.
o objects/ftm-License [88] - A grant of land, rights or property. A type of Contract.
o objects/ftm-Membership [89] - .
o objects/ftm-Message [90] - .
o objects/ftm-Organization [91] - .
o objects/ftm-Ownership [92] - .
o objects/ftm-Package [93] - .
o objects/ftm-Page [94] - .
o objects/ftm-Pages [95] - .
o objects/ftm-Passport [96] - Passport.
o objects/ftm-Payment [97] - A monetary payment between two parties.
o objects/ftm-Person [98] - An individual.
o objects/ftm-PlainText [99] - .
o objects/ftm-PublicBody [100] - A public body, such as a ministry, department or state company.
o objects/ftm-RealEstate [101] - A piece of land or property.
o objects/ftm-Representation [102] - A mediatory, intermediary, middleman, or broker acting on behalf of a legal entity.
o objects/ftm-Row [103] - .
o objects/ftm-Sanction [104] - A sanction designation.
o objects/ftm-Succession [105] - Two entities that legally succeed each other.
o objects/ftm-Table [106] - .
o objects/ftm-TaxRoll [107] - A tax declaration of an individual.
o objects/ftm-UnknownLink [108] - .
o objects/ftm-UserAccount [109] - .
o objects/ftm-Vehicle [110] - .
o objects/ftm-Vessel [111] - A boat or ship.
o objects/ftm-Video [112] - .
o objects/ftm-Workbook [113] - .
o objects/geolocation [114] - An object to describe a geographic location.
o objects/git-vuln-finder [115] - Export from git-vuln-finder.
o objects/github-user [116] - GitHub user.
o objects/gitlab-user [117] - GitLab user. GitLab.com user or self-hosted GitLab instance.
o objects/gtp-attack [118] - GTP attack object as seen on a GSM, UMTS or LTE network.
o objects/http-request [119] - A single HTTP request header.
o objects/ilr-impact [120] - Institut Luxembourgeois de Regulation - Impact.
o objects/ilr-notification-incident [121] - Institut Luxembourgeois de Regulation - Notification d'incident.
o objects/image [122] - Object describing an image file.
o objects/impersonation [123] - Represent an impersonating account.
o objects/imsi-catcher [124] - IMSI Catcher entry object based on the open source IMSI catcher.
o objects/instant-message [125] - Instant Message (IM) object template describing one or more IM messages.
o objects/instant-message-group [126] - Instant Message (IM) group object template describing a public or private IM group, channel or conversation.
o objects/intel471-vulnerability-intelligence [127] - Intel 471 vulnerability intelligence object.
o objects/intelmq_event [128] - IntelMQ Event.
o objects/intelmq_report [129] - IntelMQ Report.
o objects/internal-reference [130] - Internal reference.
o objects/interpol-notice [131] - An object which describes an Interpol notice.
o objects/iot-device [132] - An IoT device.
o objects/iot-firmware [133] - A firmware for an IoT device.
o objects/ip-api-address [134] - IP Address information. Useful if you are pulling your ip information from ip-api.com.
o objects/ip-port [135] - An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.
o objects/irc [136] - An IRC object to describe an IRC server and the associated channels.
o objects/ja3 [137] - JA3 is a new technique for creating SSL client fingerprints that are easy to produce and can be easily shared for threat intelligence. Fingerprints are composed of Client Hello packet; SSL Version, Accepted Ciphers, List of Extensions, Elliptic Curves, and Elliptic Curve Formats. https://github.com/salesforce/ja3 [138].
o objects/keybase-account [139] - Information related to a keybase account, from API Users Object.
o objects/leaked-document [140] - Object describing a leaked document.
o objects/legal-entity [141] - An object to describe a legal entity.
o objects/lnk [142] - LNK object describing a Windows LNK binary file (aka Windows shortcut).
o objects/macho [143] - Object describing a file in Mach-O format.
o objects/macho-section [144] - Object describing a section of a file in Mach-O format.
o objects/mactime-timeline-analysis [145] - Mactime template, used in forensic investigations to describe the timeline of a file activity.
o objects/malware-config [146] - Malware configuration recovered or extracted from a malicious binary.
o objects/meme-image [147] - Object describing a meme (image).
o objects/microblog [148] - Microblog post like a Twitter tweet or a post on a Facebook wall.
o objects/mutex [149] - Object to describe mutual exclusion locks (mutex) as seen in memory or computer program.
o objects/narrative [150] - Object describing a narrative.
o objects/netflow [151] - Netflow object describes a network object based on the Netflowv5/v9 minimal definition.
o objects/network-connection [152] - A local or remote network connection.
o objects/network-socket [153] - Network socket object describes a local or remote network connection based on the socket data structure.
o objects/news-agency [154] - News agencies compile news and disseminate news in bulk.
o objects/news-media [155] - News media are forms of mass media delivering news to the general public.
o objects/organization [156] - An object which describes an organization.
o objects/original-imported-file [157] - Object describing the original file used to import data in MISP.
o objects/parler-account [158] - Parler account.
o objects/parler-comment [159] - Parler comment.
o objects/parler-post [160] - Parler post (parley).
o objects/passive-dns [161] - Passive DNS records as expressed in draft-dulaunoy-dnsop-passive-dns-cof-01.
o objects/paste [162] - Paste or similar post from a website that allows posts to be shared privately or publicly.
o objects/pcap-metadata [163] - Network packet capture metadata.
o objects/pe [164] - Object describing a Portable Executable.
o objects/pe-section [165] - Object describing a section of a Portable Executable.
o objects/person [166] - An object which describes a person or an identity.
o objects/pgp-meta [167] - Metadata extracted from a PGP keyblock, message or signature.
o objects/phishing [168] - Phishing template to describe a phishing website and its analysis.
o objects/phishing-kit [169] - Object to describe a phishing-kit.
o objects/phone [170] - A phone or mobile phone object which describes a phone.
o objects/process [171] - Object describing a system process.
o objects/publication [172] - An object to describe a book, journal, or academic publication.
o objects/python-etvx-event-log [173] - Event log object template to share information of the activities conducted on a system.
o objects/r2graphity [174] - Indicators extracted from files using radare2 and graphml.
o objects/reddit-account [175] - Reddit account.
o objects/reddit-comment [176] - A Reddit post comment.
o objects/reddit-post [177] - A Reddit post.
o objects/reddit-subreddit [178] - Public or private subreddit.
o objects/regexp [179] - An object describing a regular expression (regex or regexp). The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a regular expression.
o objects/registry-key [180] - Registry key object describing a Windows registry key with value and last-modified timestamp.
o objects/regripper-NTUser [181] - Regripper Object template designed to present user specific configuration details extracted from the NTUSER.dat hive.
o objects/regripper-sam-hive-single-user [182] - Regripper Object template designed to present user profile details extracted from the SAM hive.
o objects/regripper-sam-hive-user-group [183] - Regripper Object template designed to present group profile details extracted from the SAM hive.
o objects/regripper-software-hive-BHO [184] - Regripper Object template designed to gather information of the browser helper objects installed on the system.
o objects/regripper-software-hive-appInit-DLLS [185] - Regripper Object template designed to gather information of the DLL files installed on the system.
o objects/regripper-software-hive-application-paths [186] - Regripper Object template designed to gather information of the application paths.
o objects/regripper-software-hive-applications-installed [187] - Regripper Object template designed to gather information of the applications installed on the system.
o objects/regripper-software-hive-command-shell [188] - Regripper Object template designed to gather information of the shell commands executed on the system.
o objects/regripper-software-hive-software-run [189] - Regripper Object template designed to gather information of the applications set to run on the system.
o objects/regripper-software-hive-userprofile-winlogon [190] - Regripper Object template designed to gather user profile information when the user logs onto the system, gathered from the software hive.
o objects/regripper-software-hive-windows-general-info [191] - Regripper Object template designed to gather general Windows information extracted from the software-hive.
o objects/regripper-system-hive-firewall-configuration [192] - Regripper Object template designed to present firewall configuration information extracted from the system-hive.
o objects/regripper-system-hive-general-configuration [193] - Regripper Object template designed to present general system properties extracted from the system-hive.
o objects/regripper-system-hive-network-information [194] - Regripper object template designed to gather network information from the system-hive.
o objects/regripper-system-hive-services-drivers [195] - Regripper Object template designed to gather information regarding the services/drivers from the system-hive.
o objects/report [196] - Metadata used to generate an executive level report.
o objects/research-scanner [197] - Information related to known scanning activity (e.g. from research projects).
o objects/rogue-dns [198] - Rogue DNS as defined by CERT.br.
o objects/rtir [199] - RTIR - Request Tracker for Incident Response.
o objects/sandbox-report [200] - Sandbox report.
o objects/sb-signature [201] - Sandbox detection signature.
o objects/scheduled-event [202] - Event object template describing a gathering of individuals in meatspace.
o objects/scrippsco2-c13-daily [203] - Daily average C13 concentrations (ppm) derived from flask air samples.
o objects/scrippsco2-c13-monthly [204] - Monthly average C13 concentrations (ppm) derived from flask air samples.
o objects/scrippsco2-co2-daily [205] - Daily average CO2 concentrations (ppm) derived from flask air samples.
o objects/scrippsco2-co2-monthly [206] - Monthly average CO2 concentrations (ppm) derived from flask air samples.
o objects/scrippsco2-o18-daily [207] - Daily average O18 concentrations (ppm) derived from flask air samples.
o objects/scrippsco2-o18-monthly [208] - Monthly average O18 concentrations (ppm) derived from flask air samples.
o objects/script [209] - Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts.
o objects/shell-commands [210] - Object describing a series of shell commands executed. This object can be linked with malicious files in order to describe a specific execution of shell commands.
o objects/shodan-report [211] - Shodan Report for a given IP.
o objects/short-message-service [212] - Short Message Service (SMS) object template describing one or more SMS messages. Restriction of the initial format 3GPP 23.038 GSM character set doesn't apply.
o objects/shortened-link [213] - Shortened link and its redirect target.
o objects/social-media-group [214] - Social media group object template describing a public or private group or channel.
o objects/splunk [215] - Splunk / Splunk ES object.
o objects/ss7-attack [216] - SS7 object of an attack seen on a GSM, UMTS or LTE network via SS7 logging.
o objects/ssh-authorized-keys [217] - An object to store ssh authorized keys file.
o objects/stix2-pattern [218] - An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern.
o objects/suricata [219] - An object describing one or more Suricata rule(s) along with version and contextual information.
o objects/target-system [220] - Description of a targeted system; this could potentially be a compromised internal system.
o objects/threatgrid-report [221] - ThreatGrid report.
o objects/timecode [222] - Timecode object to describe a start of video sequence (e.g. CCTV evidence) and the end of the video sequence.
o objects/timesketch-timeline [223] - A timesketch timeline object based on mandatory fields in timesketch to describe a log entry.
o objects/timesketch_message [224] - A timesketch message entry.
o objects/timestamp [225] - A generic timestamp object to represent time including first time and last time seen. Relationship will then define the kind of time relationship.
o objects/tor-hiddenservice [226] - Tor hidden service (onion service) object.
o objects/tor-node [227] - Tor node (which protects your privacy on the internet by hiding the connection between users' Internet address and the services used by the users) description which are part of the Tor network at a time.
o objects/tracking-id [228] - Analytics and tracking ID such as used in Google Analytics or other analytic platform.
o objects/transaction [229] - An object to describe a financial transaction.
o objects/translation [230] - Used to keep a text and its translation.
o objects/trustar_report [231] - TruStar Report.
o objects/tsk-chats [232] - An Object Template to gather information from evidential or interesting exchange of messages identified during a digital forensic investigation.
o objects/tsk-web-bookmark [233] - An Object Template to add evidential bookmarks identified during a digital forensic investigation.
o objects/tsk-web-cookie [234] - A TSK-Autopsy Object Template to represent cookies identified during a forensic investigation.
o objects/tsk-web-downloads [235] - An Object Template to add web-downloads.
o objects/tsk-web-history [236] - An Object Template to share web history information.
o objects/tsk-web-search-query [237] - An Object Template to share web search query information.
o objects/twitter-account [238] - Twitter account.
o objects/twitter-list [239] - Twitter list.
o objects/twitter-post [240] - Twitter post (tweet).
o objects/url [241] - url object describes a URL along with its normalized field (like extracted using faup parsing library) and its metadata.
o objects/user-account [242] - .
o objects/vehicle [243] - Vehicle object template to describe vehicle information and registration.
o objects/victim [244] - Victim object describes the target of an attack or abuse.
o objects/virustotal-graph [245] - VirusTotal graph.
o objects/virustotal-report [246] - VirusTotal report.
o objects/vulnerability [247] - Vulnerability object describing a common vulnerability enumeration which can describe published, unpublished, under review or embargo vulnerability for software, equipment or hardware.
o objects/weakness [248] - Weakness object describing a common weakness enumeration which can describe usable, incomplete, draft or deprecated weakness for software, equipment or hardware.
o objects/whois [249] - Whois records information for a domain name or an IP address.
o objects/x509 [250] - x509 object describing an X.509 certificate.
o objects/yabin [251] - yabin.py generates Yara rules from function prologs, for matching and hunting binaries. ref: https://github.com/AlienVault-OTX/yabin [252].
o objects/yara [253] - An object describing a YARA rule (or a YARA rule name) along with its version.
o objects/youtube-channel [254] - A YouTube channel.
o objects/youtube-comment [255] - A YouTube video comment.
o objects/youtube-playlist [256] - A YouTube playlist.
o objects/youtube-video [257] - A YouTube video.

4.  Acknowledgements

The authors wish to thank all the MISP community who are supporting the creation of open standards in threat intelligence sharing.

5.  References

5.1.  Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, .

[RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally Unique IDentifier (UUID) URN Namespace", RFC 4122, DOI 10.17487/RFC4122, July 2005, .

[RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data Interchange Format", STD 90, RFC 8259, DOI 10.17487/RFC8259, December 2017, .

5.2.  Informative References

[MISP-O] Community, M., "MISP Objects - shared and common object templates", .

[MISP-O-DOC] Community, M., "MISP objects directory", 2018, .

5.3.  URIs

1180 [1] https://github.com/MISP/misp-objects/blob/main/objects/ail-leak/definition.json
1183 [2] https://github.com/MISP/misp-objects/blob/main/objects/ais-info/definition.json
1186 [3] https://github.com/MISP/misp-objects/blob/main/objects/android-app/definition.json
1189 [4] https://github.com/MISP/misp-objects/blob/main/objects/android-permission/definition.json
1192 [5] https://github.com/MISP/misp-objects/blob/main/objects/annotation/definition.json
1195 [6] https://github.com/MISP/misp-objects/blob/main/objects/anonymisation/definition.json
1198 [7] https://www.caida.org/tools/taxonomy/anonymization.xml
1200 [8] https://github.com/MISP/misp-objects/blob/main/objects/asn/definition.json
1203 [9] https://github.com/MISP/misp-objects/blob/main/objects/attack-pattern/definition.json
1206 [10] https://github.com/MISP/misp-objects/blob/main/objects/authentication-failure-report/definition.json
1209 [11] https://github.com/MISP/misp-objects/blob/main/objects/authenticode-signerinfo/definition.json
1212 [12] https://github.com/MISP/misp-objects/blob/main/objects/av-signature/definition.json
1215 [13] https://github.com/MISP/misp-objects/blob/main/objects/bank-account/definition.json
1218 [14] https://github.com/MISP/misp-objects/blob/main/objects/bgp-hijack/definition.json
1221 [15] https://github.com/MISP/misp-objects/blob/main/objects/bgp-ranking/definition.json
1224 [16] https://github.com/MISP/misp-objects/blob/main/objects/blog/definition.json
1227 [17] https://github.com/MISP/misp-objects/blob/main/objects/boleto/definition.json
1230 [18] https://github.com/MISP/misp-objects/blob/main/objects/btc-transaction/definition.json
1233 [19] https://github.com/MISP/misp-objects/blob/main/objects/btc-wallet/definition.json
1236 [20] https://github.com/MISP/misp-objects/blob/main/objects/cap-alert/definition.json
1239 [21] https://github.com/MISP/misp-objects/blob/main/objects/cap-info/definition.json
1242 [22] https://github.com/MISP/misp-objects/blob/main/objects/cap-resource/definition.json
1245 [23] https://github.com/MISP/misp-objects/blob/main/objects/coin-address/definition.json
1248 [24] https://github.com/MISP/misp-objects/blob/main/objects/command/definition.json
1251 [25] https://github.com/MISP/misp-objects/blob/main/objects/command-line/definition.json
1254 [26] https://github.com/MISP/misp-objects/blob/main/objects/cookie/definition.json
1257 [27] https://github.com/MISP/misp-objects/blob/main/objects/cortex/definition.json
1260 [28] https://github.com/MISP/misp-objects/blob/main/objects/cortex-taxonomy/definition.json
1263 [29] https://github.com/MISP/misp-objects/blob/main/objects/course-of-action/definition.json
1266 [30] https://github.com/MISP/misp-objects/blob/main/objects/covid19-csse-daily-report/definition.json
1269 [31] https://github.com/MISP/misp-objects/blob/main/objects/covid19-dxy-live-city/definition.json
1272 [32] https://github.com/MISP/misp-objects/blob/main/objects/covid19-dxy-live-province/definition.json
1275 [33] https://github.com/MISP/misp-objects/blob/main/objects/cowrie/definition.json
1278 [34] https://github.com/MISP/misp-objects/blob/main/objects/cpe-asset/definition.json
1281 [35] https://github.com/MISP/misp-objects/blob/main/objects/credential/definition.json
1284 [36] https://github.com/MISP/misp-objects/blob/main/objects/credit-card/definition.json
1287 [37] https://github.com/MISP/misp-objects/blob/main/objects/crypto-material/definition.json
1290 [38] https://github.com/MISP/misp-objects/blob/main/objects/cytomic-orion-file/definition.json
1293 [39] https://github.com/MISP/misp-objects/blob/main/objects/cytomic-orion-machine/definition.json
1296 [40] https://github.com/MISP/misp-objects/blob/main/objects/dark-pattern-item/definition.json
1299 [41] https://github.com/MISP/misp-objects/blob/main/objects/ddos/definition.json
1302 [42] https://github.com/MISP/misp-objects/blob/main/objects/device/definition.json
1305 [43] https://github.com/MISP/misp-objects/blob/main/objects/diameter-attack/definition.json
1308 [44] https://github.com/MISP/misp-objects/blob/main/objects/dns-record/definition.json
1311 [45] https://github.com/MISP/misp-objects/blob/main/objects/domain-crawled/definition.json
1314 [46] https://github.com/MISP/misp-objects/blob/main/objects/domain-ip/definition.json
1317 [47] https://github.com/MISP/misp-objects/blob/main/objects/elf/definition.json
1320 [48] https://github.com/MISP/misp-objects/blob/main/objects/elf-section/definition.json
1323 [49] https://github.com/MISP/misp-objects/blob/main/objects/email/definition.json
1326 [50] https://github.com/MISP/misp-objects/blob/main/objects/employee/definition.json
1329 [51] https://github.com/MISP/misp-objects/blob/main/objects/exploit-poc/definition.json
1332 [52] https://github.com/MISP/misp-objects/blob/main/objects/facebook-account/definition.json
1335 [53] https://github.com/MISP/misp-objects/blob/main/objects/facebook-group/definition.json
1338 [54] https://github.com/MISP/misp-objects/blob/main/objects/facebook-page/definition.json
1341 [55] https://github.com/MISP/misp-objects/blob/main/objects/facebook-post/definition.json
1344 [56] https://github.com/MISP/misp-objects/blob/main/objects/facial-composite/definition.json
1347 [57] https://github.com/MISP/misp-objects/blob/main/objects/fail2ban/definition.json
1350 [58] https://github.com/MISP/misp-objects/blob/main/objects/favicon/definition.json
1353 [59] https://github.com/MISP/misp-objects/blob/main/objects/file/definition.json
1356 [60] https://github.com/MISP/misp-objects/blob/main/objects/forensic-case/definition.json
1359 [61] https://github.com/MISP/misp-objects/blob/main/objects/forensic-evidence/definition.json
1362 [62] https://github.com/MISP/misp-objects/blob/main/objects/forged-document/definition.json
1365 [63] https://github.com/MISP/misp-objects/blob/main/objects/ftm-Airplane/definition.json
1368 [64] https://github.com/MISP/misp-objects/blob/main/objects/ftm-Assessment/definition.json
1371 [65] https://github.com/MISP/misp-objects/blob/main/objects/ftm-Asset/definition.json
1374 [66] https://github.com/MISP/misp-objects/blob/main/objects/ftm-Associate/definition.json
1377 [67] https://github.com/MISP/misp-objects/blob/main/objects/ftm-Audio/definition.json
1380 [68] https://github.com/MISP/misp-objects/blob/main/objects/ftm-BankAccount/definition.json
1383 [69] https://github.com/MISP/misp-objects/blob/main/objects/ftm-Call/definition.json
1386 [70] https://github.com/MISP/misp-objects/blob/main/objects/ftm-Company/definition.json
1389 [71] https://github.com/MISP/misp-objects/blob/main/objects/ftm-Contract/definition.json
1392 [72] https://github.com/MISP/misp-objects/blob/main/objects/ftm-ContractAward/definition.json
1395 [73] https://github.com/MISP/misp-objects/blob/main/objects/ftm-CourtCase/definition.json
1398 [74] https://github.com/MISP/misp-objects/blob/main/objects/ftm-CourtCaseParty/definition.json
1401 [75] https://github.com/MISP/misp-objects/blob/main/objects/ftm-Debt/definition.json
1404 [76] https://github.com/MISP/misp-objects/blob/main/objects/ftm-Directorship/definition.json
1407 [77] https://github.com/MISP/misp-objects/blob/main/objects/ftm-Document/definition.json
1410 [78] https://github.com/MISP/misp-objects/blob/main/objects/ftm-Documentation/definition.json
1413 [79] https://github.com/MISP/misp-objects/blob/main/objects/ftm-EconomicActivity/definition.json
1416 [80] https://github.com/MISP/misp-objects/blob/main/objects/ftm-Email/definition.json
1419 [81] https://github.com/MISP/misp-objects/blob/main/objects/ftm-Event/definition.json
1422 [82] https://github.com/MISP/misp-objects/blob/main/objects/ftm-Family/definition.json
1425 [83] https://github.com/MISP/misp-objects/blob/main/objects/ftm-Folder/definition.json
1428 [84] https://github.com/MISP/misp-objects/blob/main/objects/ftm-HyperText/definition.json
1431 [85] https://github.com/MISP/misp-objects/blob/main/objects/ftm-Image/definition.json
1434 [86] https://github.com/MISP/misp-objects/blob/main/objects/ftm-Land/definition.json
1437 [87] https://github.com/MISP/misp-objects/blob/main/objects/ftm-LegalEntity/definition.json
1440 [88] https://github.com/MISP/misp-objects/blob/main/objects/ftm-License/definition.json
1443 [89] https://github.com/MISP/misp-objects/blob/main/objects/ftm-Membership/definition.json
1446 [90] https://github.com/MISP/misp-objects/blob/main/objects/ftm-Message/definition.json
1449 [91] https://github.com/MISP/misp-objects/blob/main/objects/ftm-Organization/definition.json
1452 [92] https://github.com/MISP/misp-objects/blob/main/objects/ftm-Ownership/definition.json
1455 [93]
https://github.com/MISP/misp-objects/blob/main/objects/ftm- 1456 Package/definition.json 1458 [94] https://github.com/MISP/misp-objects/blob/main/objects/ftm-Page/ 1459 definition.json 1461 [95] https://github.com/MISP/misp-objects/blob/main/objects/ftm- 1462 Pages/definition.json 1464 [96] https://github.com/MISP/misp-objects/blob/main/objects/ftm- 1465 Passport/definition.json 1467 [97] https://github.com/MISP/misp-objects/blob/main/objects/ftm- 1468 Payment/definition.json 1470 [98] https://github.com/MISP/misp-objects/blob/main/objects/ftm- 1471 Person/definition.json 1473 [99] https://github.com/MISP/misp-objects/blob/main/objects/ftm- 1474 PlainText/definition.json 1476 [100] https://github.com/MISP/misp-objects/blob/main/objects/ftm- 1477 PublicBody/definition.json 1479 [101] https://github.com/MISP/misp-objects/blob/main/objects/ftm- 1480 RealEstate/definition.json 1482 [102] https://github.com/MISP/misp-objects/blob/main/objects/ftm- 1483 Representation/definition.json 1485 [103] https://github.com/MISP/misp-objects/blob/main/objects/ftm-Row/ 1486 definition.json 1488 [104] https://github.com/MISP/misp-objects/blob/main/objects/ftm- 1489 Sanction/definition.json 1491 [105] https://github.com/MISP/misp-objects/blob/main/objects/ftm- 1492 Succession/definition.json 1494 [106] https://github.com/MISP/misp-objects/blob/main/objects/ftm- 1495 Table/definition.json 1497 [107] https://github.com/MISP/misp-objects/blob/main/objects/ftm- 1498 TaxRoll/definition.json 1500 [108] https://github.com/MISP/misp-objects/blob/main/objects/ftm- 1501 UnknownLink/definition.json 1503 [109] https://github.com/MISP/misp-objects/blob/main/objects/ftm- 1504 UserAccount/definition.json 1506 [110] https://github.com/MISP/misp-objects/blob/main/objects/ftm- 1507 Vehicle/definition.json 1509 [111] https://github.com/MISP/misp-objects/blob/main/objects/ftm- 1510 Vessel/definition.json 1512 [112] https://github.com/MISP/misp-objects/blob/main/objects/ftm- 1513 Video/definition.json 
1515 [113] https://github.com/MISP/misp-objects/blob/main/objects/ftm- 1516 Workbook/definition.json 1518 [114] https://github.com/MISP/misp- 1519 objects/blob/main/objects/geolocation/definition.json 1521 [115] https://github.com/MISP/misp-objects/blob/main/objects/git- 1522 vuln-finder/definition.json 1524 [116] https://github.com/MISP/misp-objects/blob/main/objects/github- 1525 user/definition.json 1527 [117] https://github.com/MISP/misp-objects/blob/main/objects/gitlab- 1528 user/definition.json 1530 [118] https://github.com/MISP/misp-objects/blob/main/objects/gtp- 1531 attack/definition.json 1533 [119] https://github.com/MISP/misp-objects/blob/main/objects/http- 1534 request/definition.json 1536 [120] https://github.com/MISP/misp-objects/blob/main/objects/ilr- 1537 impact/definition.json 1539 [121] https://github.com/MISP/misp-objects/blob/main/objects/ilr- 1540 notification-incident/definition.json 1542 [122] https://github.com/MISP/misp-objects/blob/main/objects/image/ 1543 definition.json 1545 [123] https://github.com/MISP/misp- 1546 objects/blob/main/objects/impersonation/definition.json 1548 [124] https://github.com/MISP/misp-objects/blob/main/objects/imsi- 1549 catcher/definition.json 1551 [125] https://github.com/MISP/misp-objects/blob/main/objects/instant- 1552 message/definition.json 1554 [126] https://github.com/MISP/misp-objects/blob/main/objects/instant- 1555 message-group/definition.json 1557 [127] https://github.com/MISP/misp-objects/blob/main/objects/ 1558 intel471-vulnerability-intelligence/definition.json 1560 [128] https://github.com/MISP/misp- 1561 objects/blob/main/objects/intelmq_event/definition.json 1563 [129] https://github.com/MISP/misp- 1564 objects/blob/main/objects/intelmq_report/definition.json 1566 [130] https://github.com/MISP/misp-objects/blob/main/objects/ 1567 internal-reference/definition.json 1569 [131] https://github.com/MISP/misp-objects/blob/main/objects/ 1570 interpol-notice/definition.json 1572 [132] 
https://github.com/MISP/misp-objects/blob/main/objects/iot- 1573 device/definition.json 1575 [133] https://github.com/MISP/misp-objects/blob/main/objects/iot- 1576 firmware/definition.json 1578 [134] https://github.com/MISP/misp-objects/blob/main/objects/ip-api- 1579 address/definition.json 1581 [135] https://github.com/MISP/misp-objects/blob/main/objects/ip-port/ 1582 definition.json 1584 [136] https://github.com/MISP/misp-objects/blob/main/objects/irc/ 1585 definition.json 1587 [137] https://github.com/MISP/misp-objects/blob/main/objects/ja3/ 1588 definition.json 1590 [138] https://github.com/salesforce/ja3 1592 [139] https://github.com/MISP/misp-objects/blob/main/objects/keybase- 1593 account/definition.json 1595 [140] https://github.com/MISP/misp-objects/blob/main/objects/leaked- 1596 document/definition.json 1598 [141] https://github.com/MISP/misp-objects/blob/main/objects/legal- 1599 entity/definition.json 1601 [142] https://github.com/MISP/misp-objects/blob/main/objects/lnk/ 1602 definition.json 1604 [143] https://github.com/MISP/misp-objects/blob/main/objects/macho/ 1605 definition.json 1607 [144] https://github.com/MISP/misp-objects/blob/main/objects/macho- 1608 section/definition.json 1610 [145] https://github.com/MISP/misp-objects/blob/main/objects/mactime- 1611 timeline-analysis/definition.json 1613 [146] https://github.com/MISP/misp-objects/blob/main/objects/malware- 1614 config/definition.json 1616 [147] https://github.com/MISP/misp-objects/blob/main/objects/meme- 1617 image/definition.json 1619 [148] https://github.com/MISP/misp- 1620 objects/blob/main/objects/microblog/definition.json 1622 [149] https://github.com/MISP/misp-objects/blob/main/objects/mutex/ 1623 definition.json 1625 [150] https://github.com/MISP/misp- 1626 objects/blob/main/objects/narrative/definition.json 1628 [151] https://github.com/MISP/misp-objects/blob/main/objects/netflow/ 1629 definition.json 1631 [152] https://github.com/MISP/misp-objects/blob/main/objects/network- 1632 
connection/definition.json 1634 [153] https://github.com/MISP/misp-objects/blob/main/objects/network- 1635 socket/definition.json 1637 [154] https://github.com/MISP/misp-objects/blob/main/objects/news- 1638 agency/definition.json 1640 [155] https://github.com/MISP/misp-objects/blob/main/objects/news- 1641 media/definition.json 1643 [156] https://github.com/MISP/misp- 1644 objects/blob/main/objects/organization/definition.json 1646 [157] https://github.com/MISP/misp-objects/blob/main/objects/ 1647 original-imported-file/definition.json 1649 [158] https://github.com/MISP/misp-objects/blob/main/objects/parler- 1650 account/definition.json 1652 [159] https://github.com/MISP/misp-objects/blob/main/objects/parler- 1653 comment/definition.json 1655 [160] https://github.com/MISP/misp-objects/blob/main/objects/parler- 1656 post/definition.json 1658 [161] https://github.com/MISP/misp-objects/blob/main/objects/passive- 1659 dns/definition.json 1661 [162] https://github.com/MISP/misp-objects/blob/main/objects/paste/ 1662 definition.json 1664 [163] https://github.com/MISP/misp-objects/blob/main/objects/pcap- 1665 metadata/definition.json 1667 [164] https://github.com/MISP/misp-objects/blob/main/objects/pe/ 1668 definition.json 1670 [165] https://github.com/MISP/misp-objects/blob/main/objects/pe- 1671 section/definition.json 1673 [166] https://github.com/MISP/misp-objects/blob/main/objects/person/ 1674 definition.json 1676 [167] https://github.com/MISP/misp-objects/blob/main/objects/pgp- 1677 meta/definition.json 1679 [168] https://github.com/MISP/misp- 1680 objects/blob/main/objects/phishing/definition.json 1682 [169] https://github.com/MISP/misp-objects/blob/main/objects/ 1683 phishing-kit/definition.json 1685 [170] https://github.com/MISP/misp-objects/blob/main/objects/phone/ 1686 definition.json 1688 [171] https://github.com/MISP/misp-objects/blob/main/objects/process/ 1689 definition.json 1691 [172] https://github.com/MISP/misp- 1692 
objects/blob/main/objects/publication/definition.json 1694 [173] https://github.com/MISP/misp-objects/blob/main/objects/python- 1695 etvx-event-log/definition.json 1697 [174] https://github.com/MISP/misp- 1698 objects/blob/main/objects/r2graphity/definition.json 1700 [175] https://github.com/MISP/misp-objects/blob/main/objects/reddit- 1701 account/definition.json 1703 [176] https://github.com/MISP/misp-objects/blob/main/objects/reddit- 1704 comment/definition.json 1706 [177] https://github.com/MISP/misp-objects/blob/main/objects/reddit- 1707 post/definition.json 1709 [178] https://github.com/MISP/misp-objects/blob/main/objects/reddit- 1710 subreddit/definition.json 1712 [179] https://github.com/MISP/misp-objects/blob/main/objects/regexp/ 1713 definition.json 1715 [180] https://github.com/MISP/misp-objects/blob/main/objects/ 1716 registry-key/definition.json 1718 [181] https://github.com/MISP/misp-objects/blob/main/objects/ 1719 regripper-NTUser/definition.json 1721 [182] https://github.com/MISP/misp-objects/blob/main/objects/ 1722 regripper-sam-hive-single-user/definition.json 1724 [183] https://github.com/MISP/misp-objects/blob/main/objects/ 1725 regripper-sam-hive-user-group/definition.json 1727 [184] https://github.com/MISP/misp-objects/blob/main/objects/ 1728 regripper-software-hive-BHO/definition.json 1730 [185] https://github.com/MISP/misp-objects/blob/main/objects/ 1731 regripper-software-hive-appInit-DLLS/definition.json 1733 [186] https://github.com/MISP/misp-objects/blob/main/objects/ 1734 regripper-software-hive-application-paths/definition.json 1736 [187] https://github.com/MISP/misp-objects/blob/main/objects/ 1737 regripper-software-hive-applications-installed/definition.json 1739 [188] https://github.com/MISP/misp-objects/blob/main/objects/ 1740 regripper-software-hive-command-shell/definition.json 1742 [189] https://github.com/MISP/misp-objects/blob/main/objects/ 1743 regripper-software-hive-software-run/definition.json 1745 [190] 
https://github.com/MISP/misp-objects/blob/main/objects/ 1746 regripper-software-hive-userprofile-winlogon/definition.json 1748 [191] https://github.com/MISP/misp-objects/blob/main/objects/ 1749 regripper-software-hive-windows-general-info/definition.json 1751 [192] https://github.com/MISP/misp-objects/blob/main/objects/ 1752 regripper-system-hive-firewall-configuration/definition.json 1754 [193] https://github.com/MISP/misp-objects/blob/main/objects/ 1755 regripper-system-hive-general-configuration/definition.json 1757 [194] https://github.com/MISP/misp-objects/blob/main/objects/ 1758 regripper-system-hive-network-information/definition.json 1760 [195] https://github.com/MISP/misp-objects/blob/main/objects/ 1761 regripper-system-hive-services-drivers/definition.json 1763 [196] https://github.com/MISP/misp-objects/blob/main/objects/report/ 1764 definition.json 1766 [197] https://github.com/MISP/misp-objects/blob/main/objects/ 1767 research-scanner/definition.json 1769 [198] https://github.com/MISP/misp-objects/blob/main/objects/rogue- 1770 dns/definition.json 1772 [199] https://github.com/MISP/misp-objects/blob/main/objects/rtir/ 1773 definition.json 1775 [200] https://github.com/MISP/misp-objects/blob/main/objects/sandbox- 1776 report/definition.json 1778 [201] https://github.com/MISP/misp-objects/blob/main/objects/sb- 1779 signature/definition.json 1781 [202] https://github.com/MISP/misp-objects/blob/main/objects/ 1782 scheduled-event/definition.json 1784 [203] https://github.com/MISP/misp-objects/blob/main/objects/ 1785 scrippsco2-c13-daily/definition.json 1787 [204] https://github.com/MISP/misp-objects/blob/main/objects/ 1788 scrippsco2-c13-monthly/definition.json 1790 [205] https://github.com/MISP/misp-objects/blob/main/objects/ 1791 scrippsco2-co2-daily/definition.json 1793 [206] https://github.com/MISP/misp-objects/blob/main/objects/ 1794 scrippsco2-co2-monthly/definition.json 1796 [207] https://github.com/MISP/misp-objects/blob/main/objects/ 1797 
scrippsco2-o18-daily/definition.json 1799 [208] https://github.com/MISP/misp-objects/blob/main/objects/ 1800 scrippsco2-o18-monthly/definition.json 1802 [209] https://github.com/MISP/misp-objects/blob/main/objects/script/ 1803 definition.json 1805 [210] https://github.com/MISP/misp-objects/blob/main/objects/shell- 1806 commands/definition.json 1808 [211] https://github.com/MISP/misp-objects/blob/main/objects/shodan- 1809 report/definition.json 1811 [212] https://github.com/MISP/misp-objects/blob/main/objects/short- 1812 message-service/definition.json 1814 [213] https://github.com/MISP/misp-objects/blob/main/objects/ 1815 shortened-link/definition.json 1817 [214] https://github.com/MISP/misp-objects/blob/main/objects/social- 1818 media-group/definition.json 1820 [215] https://github.com/MISP/misp-objects/blob/main/objects/splunk/ 1821 definition.json 1823 [216] https://github.com/MISP/misp-objects/blob/main/objects/ss7- 1824 attack/definition.json 1826 [217] https://github.com/MISP/misp-objects/blob/main/objects/ssh- 1827 authorized-keys/definition.json 1829 [218] https://github.com/MISP/misp-objects/blob/main/objects/stix2- 1830 pattern/definition.json 1832 [219] https://github.com/MISP/misp- 1833 objects/blob/main/objects/suricata/definition.json 1835 [220] https://github.com/MISP/misp-objects/blob/main/objects/target- 1836 system/definition.json 1838 [221] https://github.com/MISP/misp-objects/blob/main/objects/ 1839 threatgrid-report/definition.json 1841 [222] https://github.com/MISP/misp- 1842 objects/blob/main/objects/timecode/definition.json 1844 [223] https://github.com/MISP/misp-objects/blob/main/objects/ 1845 timesketch-timeline/definition.json 1847 [224] https://github.com/MISP/misp- 1848 objects/blob/main/objects/timesketch_message/definition.json 1850 [225] https://github.com/MISP/misp- 1851 objects/blob/main/objects/timestamp/definition.json 1853 [226] https://github.com/MISP/misp-objects/blob/main/objects/tor- 1854 hiddenservice/definition.json 1856 
[227] https://github.com/MISP/misp-objects/blob/main/objects/tor- 1857 node/definition.json 1859 [228] https://github.com/MISP/misp-objects/blob/main/objects/ 1860 tracking-id/definition.json 1862 [229] https://github.com/MISP/misp- 1863 objects/blob/main/objects/transaction/definition.json 1865 [230] https://github.com/MISP/misp- 1866 objects/blob/main/objects/translation/definition.json 1868 [231] https://github.com/MISP/misp- 1869 objects/blob/main/objects/trustar_report/definition.json 1871 [232] https://github.com/MISP/misp-objects/blob/main/objects/tsk- 1872 chats/definition.json 1874 [233] https://github.com/MISP/misp-objects/blob/main/objects/tsk-web- 1875 bookmark/definition.json 1877 [234] https://github.com/MISP/misp-objects/blob/main/objects/tsk-web- 1878 cookie/definition.json 1880 [235] https://github.com/MISP/misp-objects/blob/main/objects/tsk-web- 1881 downloads/definition.json 1883 [236] https://github.com/MISP/misp-objects/blob/main/objects/tsk-web- 1884 history/definition.json 1886 [237] https://github.com/MISP/misp-objects/blob/main/objects/tsk-web- 1887 search-query/definition.json 1889 [238] https://github.com/MISP/misp-objects/blob/main/objects/twitter- 1890 account/definition.json 1892 [239] https://github.com/MISP/misp-objects/blob/main/objects/twitter- 1893 list/definition.json 1895 [240] https://github.com/MISP/misp-objects/blob/main/objects/twitter- 1896 post/definition.json 1898 [241] https://github.com/MISP/misp-objects/blob/main/objects/url/ 1899 definition.json 1901 [242] https://github.com/MISP/misp-objects/blob/main/objects/user- 1902 account/definition.json 1904 [243] https://github.com/MISP/misp-objects/blob/main/objects/vehicle/ 1905 definition.json 1907 [244] https://github.com/MISP/misp-objects/blob/main/objects/victim/ 1908 definition.json 1910 [245] https://github.com/MISP/misp-objects/blob/main/objects/ 1911 virustotal-graph/definition.json 1913 [246] https://github.com/MISP/misp-objects/blob/main/objects/ 1914 
Authors' Addresses

   Alexandre Dulaunoy
   Computer Incident Response Center Luxembourg
   16, bd d'Avranches
   Luxembourg L-1611
   Luxembourg

   Phone: +352 247 88444
   Email: alexandre.dulaunoy@circl.lu

   Andras Iklody
   Computer Incident Response Center Luxembourg
   16, bd d'Avranches
   Luxembourg L-1611
   Luxembourg

   Phone: +352 247 88444
   Email: andras.iklody@circl.lu