Network Working Group                                        A. Dulaunoy
Internet-Draft                                                 A. Iklody
Expires: July 9, 2021                                              CIRCL
                                                         January 5, 2021


                      MISP object template format
             draft-dulaunoy-misp-object-template-format-04

Abstract

   This document describes the MISP object template format, a simple
   JSON format to represent the various templates used to construct
   MISP objects.  A public directory of common MISP object templates
   [MISP-O] is available and relies on the MISP object reference
   format.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 9, 2021.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.



Dulaunoy & Iklody         Expires July 9, 2021                  [Page 1]


Internet-Draft         MISP object template format          January 2021


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Conventions and Terminology . . . . . . . . . . . . . . .   2
   2.  Format  . . . . . . . . . . . . . . . . . . . . . . . . . . .   3
     2.1.  Overview  . . . . . . . . . . . . . . . . . . . . . . . .   3
       2.1.1.  Object Template . . . . . . . . . . . . . . . . . . .   3
       2.1.2.  attributes  . . . . . . . . . . . . . . . . . . . . .   4
       2.1.3.  Sample Object Template object . . . . . . . . . . . .   6
       2.1.4.  Object Relationships  . . . . . . . . . . . . . . . .   9
   3.  Directory . . . . . . . . . . . . . . . . . . . . . . . . . .  10
     3.1.  Existing and public MISP object templates . . . . . . . .  10
   4.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  25
   5.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  25
     5.1.  Normative References  . . . . . . . . . . . . . . . . . .  25
     5.2.  Informative References  . . . . . . . . . . . . . . . . .  26
     5.3.  URIs  . . . . . . . . . . . . . . . . . . . . . . . . . .  26
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  42

1.  Introduction

   Due to the increased maturity of threat information sharing, the need
   arose for more complex and exhaustive data-points to be shared across
   the various sharing communities.  MISP's information sharing in
   general relied on a flat structure of attributes contained within an
   event, where attributes served as atomic secluded data-points with
   some commonalities as defined by the encapsulating event.  However,
   this flat structure restricted the use of more diverse and complex
   data-points described by a list of atomic values, a problem solved by
   the MISP object structure.

   MISP objects combine a list of attributes to represent a singular
   object with various facets.  In order to bootstrap the object
   creation process and to maintain uniformity among objects describing
   similar data-points, the MISP object template format serves as a
   reusable and share-able blueprint format.

   MISP object templates also include a vocabulary to describe the
   various inter object and object to attribute relationships and are
   leveraged by MISP object references.

1.1.  Conventions and Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].







2.  Format

   MISP object templates are composed of the MISP object template (MUST)
   structure itself and a list of MISP object template elements (SHOULD)
   describing the list of possible attributes belonging to the resulting
   object, along with their context and settings.

   MISP object templates themselves consist of a name (MUST), a meta-
   category (MUST) and a description (SHOULD).  They are identified by a
   uuid (MUST) and a version (MUST).  For any updates or transfer of the
   same object reference.  UUID version 4 is RECOMMENDED when assigning
   it to a new object reference.  The list of requirements when it comes
   to the contained MISP object template elements is defined in the
   requirements field (OPTIONAL).

   MISP object template elements consist of an object_relation (MUST), a
   type (MUST), an object_template_id (SHOULD), a ui_priority (SHOULD),
   a list of categories (MAY), a list of sane_default values (MAY) or a
   values_list (MAY).

2.1.  Overview

   The MISP object template format uses the JSON [RFC8259] format.  Each
   template is represented as a JSON object with meta information
   including the following fields: uuid, requiredOneOf, description,
   version, meta-category, name.

2.1.1.  Object Template

2.1.1.1.  uuid

   uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of
   the object template.  The uuid MUST be preserved to keep consistency
   of the templates across instances.  UUID version 4 is RECOMMENDED
   when assigning it to a new object template.

   uuid is represented as a JSON string. uuid MUST be present.

2.1.1.2.  requiredOneOf

   requiredOneOf is represented as a JSON list and contains a list of
   attribute relationships of which one must be present in the object to
   be created based on the given template.  The requiredOneOf field MAY
   be present.









2.1.1.3.  required

   required is represented as a JSON list and contains a list of
   attribute relationships of which all must be present in the object to
   be created based on the given template.  The required field MAY be
   present.

2.1.1.4.  description

   description is represented as a JSON string and contains the assigned
   meaning given to objects created using this template.  The
   description field MUST be present.

2.1.1.5.  version

   version represents a numeric incrementing version of the object
   template.  It is used to associate the object to the correct version
   of the template and together with the uuid field forms an association
   to the correct template type and version.

   version is represented as a JSON string. version MUST be present.

2.1.1.6.  meta-category

   meta-category represents the sub-category of objects that the given
   object template belongs to. meta-categories are not tied to a fixed
   list of options but can be created on the fly.

   meta-category is represented as a JSON string. meta-category MUST be
   present.

2.1.1.7.  name

   name represents the human-readable name of the objects created using
   the given template, describing the intent of the object package.

   name is represented as a JSON string. name MUST be present.

2.1.2.  attributes

   attributes is represented as a JSON list and contains a list of
   template elements used as a template for creating the individual
   attributes within the object that is to be created with the object.

   attributes is represented as a JSON list. attributes MUST be present.








2.1.2.1.  description

   description is represented as a JSON string and contains the
   description of the given attribute in the context of the object with
   the given relationship.  The description field MUST be present.

2.1.2.2.  ui-priority

   ui-priority is represented by a numeric value in JSON string format
   and is meant to provide a priority for the given element in the
   object template visualisation.  The ui-priority MAY be present.

2.1.2.3.  misp-attribute

   misp-attribute is represented by a JSON string or a JSON object with
   a list of values.  The value(s) are taken from the pool of types
   defined by the MISP core format's Attribute Object's type list. type
   can contain a JSON object with a list of suggested value alternatives
   encapsulated in a list within a sane_default key or a list of
   enforced value alternatives encapsulated in a list_values key.

   The misp-attribute field MUST be present.

2.1.2.4.  disable_correlation

   disable_correlation is represented by a JSON boolean.  The
   disable_correlation field flags the attribute(s) created by the given
   object template element to be marked as non correlating.

   The misp-attribute field MAY be present.

2.1.2.5.  categories

   categories is represented by a JSON list containing one or several
   valid options from the list of verbs valid for the category field in
   the Attribute object within the MISP core format.

   The categories field MAY be present.

2.1.2.6.  multiple

   multiple is represented by a JSON boolean value.  It marks the MISP
   object template element as a multiple input field, allowing for
   several attributes to be created by the element within the same
   object.

   The multiple field MAY be present.






2.1.2.7.  sane_default

   sane_default is represented by a JSON list containing one or several
   recommended/sane values for an attribute. sane_default is mutually
   exclusive with values_list.

   The sane_default field MAY be present.

2.1.2.8.  values_list

   values_list is represented by a JSON list containing one or several
   fixed values for an attribute. values_list is mutually exclusive
   with sane_default.

   The values_list field MAY be present.

2.1.3.  Sample Object Template object

   The MISP object template directory is publicly available [MISP-O] in
   a git repository and contains more than 60 object templates.  As an
   illustration, two sample object templates are included.

2.1.3.1.  credit-card object template


{
  "requiredOneOf": [
    "cc-number"
  ],
  "attributes": {
    "version": {
      "description": "Version of the card.",
      "ui-priority": 0,
      "misp-attribute": "text"
    },
    "comment": {
      "description": "A description of the card.",
      "ui-priority": 0,
      "misp-attribute": "comment"
    },
    "card-security-code": {
      "description": "Card security code (CSC, CVD, CVV, CVC and SPC) as embossed or printed on the card.",
      "ui-priority": 0,
      "misp-attribute": "text"
    },
    "name": {
      "description": "Name of the card owner.",
      "ui-priority": 0,
      "misp-attribute": "text"
    },
    "issued": {
      "description": "Initial date of validity or issued date.",
      "ui-priority": 0,
      "misp-attribute": "datetime"
    },
    "expiration": {
      "description": "Maximum date of validity",
      "ui-priority": 0,
      "misp-attribute": "datetime"
    },
    "cc-number": {
      "description": "credit-card number as encoded on the card.",
      "ui-priority": 0,
      "misp-attribute": "cc-number"
    }
  },
  "version": 2,
  "description": "A payment card like credit card, debit card or any similar cards which can be used for financial transactions.",
  "meta-category": "financial",
  "uuid": "2b9c57aa-daba-4330-a738-56f18743b0c7",
  "name": "credit-card"
}






2.1.3.2.  credential object template

{
  "requiredOneOf": [
    "password"
  ],
  "attributes": {
    "text": {
      "description": "A description of the credential(s)",
      "disable_correlation": true,
      "ui-priority": 1,
      "misp-attribute": "text"
    },
    "username": {
      "description": "Username related to the password(s)",
      "ui-priority": 1,
      "misp-attribute": "text"
    },
    "password": {
      "description": "Password",
      "multiple": true,
      "ui-priority": 1,
      "misp-attribute": "text"
    },
    "type": {
      "description": "Type of password(s)",
      "ui-priority": 1,
      "misp-attribute": "text",
      "values_list": [
        "password",
        "api-key",
        "encryption-key",
        "unknown"
      ]
    },
    "origin": {
      "description": "Origin of the credential(s)",
      "ui-priority": 1,
      "misp-attribute": "text",
      "sane_default": [
        "bruteforce-scanning",
        "malware-analysis",
        "memory-analysis",
        "network-analysis",
        "leak",
        "unknown"
      ]
    },
    "format": {
      "description": "Format of the password(s)",
      "ui-priority": 1,
      "misp-attribute": "text",
      "values_list": [
        "clear-text",
        "hashed",
        "encrypted",
        "unknown"
      ]
    },
    "notification": {
      "description": "Mention of any notification(s) towards the potential owner(s) of the credential(s)",
      "ui-priority": 1,
      "misp-attribute": "text",
      "multiple": true,
      "values_list": [
        "victim-notified",
        "service-notified",
        "none"
      ]
    }
  },
  "version": 2,
  "description": "Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s).",
  "meta-category": "misc",
  "uuid": "a27e98c9-9b0e-414c-8076-d201e039ca09",
  "name": "credential"
}
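
   The MUST-level fields of sections 2.1.1 and 2.1.2 and the
   requiredOneOf, required, multiple and values_list constraints can be
   checked mechanically before a template or an object received from
   another instance is accepted.  The Python code below is an added
   example, not part of the draft or of MISP's own code; the names
   validate_template and validate_object and the (relation, value) pair
   representation of an object are assumptions, and attributes is
   treated as a JSON object keyed by object relation, as in the two
   samples above.

```python
import json
import uuid
from collections import Counter

# Trimmed copy of the credential template from section 2.1.3.2; the "origin"
# and "notification" elements are omitted to keep the sample short.
CREDENTIAL_TEMPLATE = json.loads("""
{
  "requiredOneOf": ["password"],
  "attributes": {
    "text": {"description": "A description of the credential(s)",
             "disable_correlation": true, "ui-priority": 1,
             "misp-attribute": "text"},
    "username": {"description": "Username related to the password(s)",
                 "ui-priority": 1, "misp-attribute": "text"},
    "password": {"description": "Password", "multiple": true,
                 "ui-priority": 1, "misp-attribute": "text"},
    "type": {"description": "Type of password(s)", "ui-priority": 1,
             "misp-attribute": "text",
             "values_list": ["password", "api-key", "encryption-key", "unknown"]},
    "format": {"description": "Format of the password(s)", "ui-priority": 1,
               "misp-attribute": "text",
               "values_list": ["clear-text", "hashed", "encrypted", "unknown"]}
  },
  "version": 2,
  "description": "Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s).",
  "meta-category": "misc",
  "uuid": "a27e98c9-9b0e-414c-8076-d201e039ca09",
  "name": "credential"
}
""")

TEMPLATE_MUST = ("uuid", "version", "description", "meta-category", "name",
                 "attributes")
ELEMENT_MUST = ("description", "misp-attribute")


def validate_template(tpl):
    """Return the violations of the draft's template rules found in tpl."""
    errors = [f"missing MUST field: {f}" for f in TEMPLATE_MUST if f not in tpl]
    if "uuid" in tpl:
        try:
            uuid.UUID(str(tpl["uuid"]))
        except ValueError:
            errors.append("uuid is not a valid UUID")
    attributes = tpl.get("attributes", {})
    if not isinstance(attributes, dict):
        # Assumption: elements are keyed by object relation, as in the samples.
        return errors + ["attributes is not a JSON object keyed by relation"]
    for relation, element in attributes.items():
        if not isinstance(element, dict):
            errors.append(f"{relation}: element is not a JSON object")
            continue
        for field in ELEMENT_MUST:
            if field not in element:
                errors.append(f"{relation}: missing MUST field: {field}")
        if "sane_default" in element and "values_list" in element:
            errors.append(f"{relation}: sane_default and values_list are "
                          "mutually exclusive")
    for key in ("requiredOneOf", "required"):
        for relation in tpl.get(key, []):
            if relation not in attributes:
                errors.append(f"{key} names undefined relation: {relation}")
    return errors


def validate_object(tpl, pairs):
    """Check (relation, value) pairs of one object against a valid template."""
    errors = []
    attributes = tpl["attributes"]
    seen = Counter(relation for relation, _ in pairs)
    for relation, value in pairs:
        allowed = attributes.get(relation, {}).get("values_list")
        if allowed is not None and value not in allowed:
            errors.append(f"{relation}: {value!r} is not in values_list")
    for relation, count in seen.items():
        # Reading of section 2.1.2.6: repetition needs "multiple": true.
        if count > 1 and not attributes.get(relation, {}).get("multiple", False):
            errors.append(f"{relation}: repeated but not marked multiple")
    one_of = tpl.get("requiredOneOf", [])
    if one_of and not any(relation in seen for relation in one_of):
        errors.append(f"none of requiredOneOf present: {one_of}")
    for relation in tpl.get("required", []):
        if relation not in seen:
            errors.append(f"required relation missing: {relation}")
    return errors


if __name__ == "__main__":
    print(validate_template(CREDENTIAL_TEMPLATE))
    # Constructed object: no password, and a type outside the enforced list.
    print(validate_object(CREDENTIAL_TEMPLATE,
                          [("username", "alice"), ("type", "ssh-key")]))
```

   Values offered through sane_default are suggestions only, so the
   object check enforces values_list and leaves sane_default alone.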

2.1.4.  Object Relationships

2.1.4.1.  name

   name represents the human-readable relationship type which can be
   used when creating MISP object relations.

   name is represented as a JSON string. name MUST be present.

2.1.4.2.  description

   description is represented as a JSON string and contains the
   description of the object relationship type.  The description field
   MUST be present.









2.1.4.3.  format

   format is represented by a JSON list containing a list of formats
   that the relationship type is valid for and can be mapped to.  The
   format field MUST be present.

3.  Directory

   The MISP object template directory is publicly available [MISP-O] in
   a git repository.  The repository contains an objects directory,
   which contains a directory per object type, containing a file named
   definition.json which contains the definition of the object template
   in the above described format.

   A relationships directory is also included, containing a
   definition.json file which contains a list of MISP object relation
   definitions.  There are more than 125 existing object templates
   documented in [MISP-O-DOC].

3.1.  Existing and public MISP object templates

   o  objects/ail-leak [1] - An information leak as defined by the AIL
      Analysis Information Leak framework.

   o  objects/ais-info [2] - Automated Indicator Sharing (AIS)
      Information Source Markings.

   o  objects/android-app [3] - Indicators related to an Android app.

   o  objects/android-permission [4] - A set of android permissions -
      one or more permission(s) which can be linked to other objects
      (e.g. malware, app).

   o  objects/annotation [5] - An annotation object allowing analysts to
      add annotations, comments, executive summary to a MISP event,
      objects or attributes.

   o  objects/anonymisation [6] - Anonymisation object describing an
      anonymisation technique used to encode MISP attribute values.
      Reference: https://www.caida.org/tools/taxonomy/anonymization.xml
      [7].

   o  objects/asn [8] - Autonomous system object describing an
      autonomous system which can include one or more network operators
      managing an entity (e.g. ISP) along with their routing policy,
      routing prefixes or alike.







   o  objects/attack-pattern [9] - Attack pattern describing a common
      attack pattern enumeration and classification.

   o  objects/authentication-failure-report [10] - Authentication
      Failure Report.

   o  objects/authenticode-signerinfo [11] - Authenticode Signer Info.

   o  objects/av-signature [12] - Antivirus detection signature.

   o  objects/bank-account [13] - An object describing bank account
      information based on account description from goAML 4.0.

   o  objects/bgp-hijack [14] - Object encapsulating BGP Hijack
      description as specified, for example, by bgpstream.com.

   o  objects/bgp-ranking [15] - BGP Ranking object describing the
      ranking of an ASN for a given day, along with its position, 1
      being the most malicious ASN of the day, with the highest ranking.
      This object is meant to have a relationship with the corresponding
      ASN object and represents its ranking for a specific date.

   o  objects/blog [16] - Blog post like Medium or WordPress.

   o  objects/boleto [17] - A common form of payment used in Brazil.

   o  objects/btc-transaction [18] - An object to describe a Bitcoin
      transaction.  Best to be used with bitcoin-wallet.

   o  objects/btc-wallet [19] - An object to describe a Bitcoin wallet.
      Best to be used with bitcoin-transactions.

   o  objects/cap-alert [20] - Common Alerting Protocol Version (CAP)
      alert object.

   o  objects/cap-info [21] - Common Alerting Protocol Version (CAP)
      info object.

   o  objects/cap-resource [22] - Common Alerting Protocol Version (CAP)
      resource object.

   o  objects/coin-address [23] - An address used in a cryptocurrency.

   o  objects/command [24] - Command functionalities related to specific
      commands executed by a program, whether it is malicious or not.
      Command-line are attached to this object for the related commands.







   o  objects/command-line [25] - Command line and options related to a
      specific command executed by a program, whether it is malicious or
      not.

   o  objects/cookie [26] - An HTTP cookie (web cookie, browser cookie)
      is a small piece of data that a server sends to the user's web
      browser.  The browser may store it and send it back with the next
      request to the same server.  Typically, it's used to tell if two
      requests came from the same browser -- keeping a user logged-in,
      for example.  It remembers stateful information for the stateless
      HTTP protocol (as defined by the Mozilla foundation).

   o  objects/cortex [27] - Cortex object describing a complete cortex
      analysis.  Observables would be attributes with a relationship
      from this object.

   o  objects/cortex-taxonomy [28] - Cortex object describing a Cortex
      Taxonomy (or mini report).

   o  objects/course-of-action [29] - An object describing a specific
      measure taken to prevent or respond to an attack.

   o  objects/covid19-csse-daily-report [30] - CSSE COVID-19 Daily
      report.

   o  objects/covid19-dxy-live-city [31] - COVID 19 from dxy.cn -
      Aggregation by city.

   o  objects/covid19-dxy-live-province [32] - COVID 19 from dxy.cn -
      Aggregation by province.

   o  objects/cowrie [33] - Cowrie honeypot object template.

   o  objects/cpe-asset [34] - An asset which can be defined by a CPE.
      This can be a generic asset.  CPE is a structured naming scheme
      for information technology systems, software, and packages.

   o  objects/credential [35] - Credential describes one or more
      credential(s) including password(s), api key(s) or decryption
      key(s).

   o  objects/credit-card [36] - A payment card like credit card, debit
      card or any similar cards which can be used for financial
      transactions.

   o  objects/crypto-material [37] - Cryptographic materials such as
      public or/and private keys.






   o  objects/cytomic-orion-file [38] - Cytomic Orion File Detection.

   o  objects/cytomic-orion-machine [39] - Cytomic Orion File at Machine
      Detection.

   o  objects/dark-pattern-item [40] - An Item whose User Interface
      implements a dark pattern.

   o  objects/ddos [41] - DDoS object describes a current DDoS activity
      from a specific or/and to a specific target.  Type of DDoS can be
      attached to the object as a taxonomy.

   o  objects/device [42] - An object to define a device.

   o  objects/diameter-attack [43] - Attack as seen on diameter
      authentication against a GSM, UMTS or LTE network.

   o  objects/dns-record [44] - A set of DNS records observed for a
      specific domain.

   o  objects/domain-crawled [45] - A domain crawled over time.

   o  objects/domain-ip [46] - A domain/hostname and IP address seen as
      a tuple in a specific time frame.

   o  objects/elf [47] - Object describing an Executable and Linkable
      Format.

   o  objects/elf-section [48] - Object describing a section of an
      Executable and Linkable Format.

   o  objects/email [49] - Email object describing an email with meta-
      information.

   o  objects/employee [50] - An employee and related data points.

   o  objects/exploit-poc [51] - Exploit-poc object describing a proof
      of concept or exploit of a vulnerability.  This object has often a
      relationship with a vulnerability object.

   o  objects/facebook-account [52] - Facebook account.

   o  objects/facebook-group [53] - Public or private facebook group.

   o  objects/facebook-page [54] - Facebook page.

   o  objects/facebook-post [55] - Post on a Facebook wall.






   o  objects/facial-composite [56] - An object which describes a facial
      composite.

   o  objects/fail2ban [57] - Fail2ban event.

   o  objects/favicon [58] - A favicon, also known as a shortcut icon,
      website icon, tab icon, URL icon, or bookmark icon, is a file
      containing one or more small icons, associated with a particular
      website or web page.  The object template can include the murmur3
      hash of the favicon to facilitate correlation.

   o  objects/file [59] - File object describing a file with meta-
      information.

   o  objects/forensic-case [60] - An object template to describe a
      digital forensic case.

   o  objects/forensic-evidence [61] - An object template to describe a
      digital forensic evidence.

   o  objects/forged-document [62] - Object describing a forged
      document.

   o  objects/ftm-Airplane [63] - .

   o  objects/ftm-Assessment [64] - .

   o  objects/ftm-Asset [65] - .

   o  objects/ftm-Associate [66] - Non-family association between two
      people.

   o  objects/ftm-Audio [67] - .

   o  objects/ftm-BankAccount [68] - .

   o  objects/ftm-Call [69] - .

   o  objects/ftm-Company [70] - .

   o  objects/ftm-Contract [71] - A contract or contract lot issued by
      an authority.  Multiple lots may be awarded to different suppliers
      (see ContractAward).

   o  objects/ftm-ContractAward [72] - A contract or contract lot as
      awarded to a supplier.

   o  objects/ftm-CourtCase [73] - .





   o  objects/ftm-CourtCaseParty [74] - .

   o  objects/ftm-Debt [75] - A monetary debt between two parties.

   o  objects/ftm-Directorship [76] - .

   o  objects/ftm-Document [77] - .

   o  objects/ftm-Documentation [78] - .

   o  objects/ftm-EconomicActivity [79] - A foreign economic activity.

   o  objects/ftm-Email [80] - .

   o  objects/ftm-Event [81] - .

   o  objects/ftm-Family [82] - Family relationship between two people.

   o  objects/ftm-Folder [83] - .

   o  objects/ftm-HyperText [84] - .

   o  objects/ftm-Image [85] - .

   o  objects/ftm-Land [86] - .

   o  objects/ftm-LegalEntity [87] - A legal entity may be a person or a
      company.

   o  objects/ftm-License [88] - A grant of land, rights or property.  A
      type of Contract.

   o  objects/ftm-Membership [89] - .

   o  objects/ftm-Message [90] - .

   o  objects/ftm-Organization [91] - .

   o  objects/ftm-Ownership [92] - .

   o  objects/ftm-Package [93] - .

   o  objects/ftm-Page [94] - .

   o  objects/ftm-Pages [95] - .

   o  objects/ftm-Passport [96] - Passport.






   o  objects/ftm-Payment [97] - A monetary payment between two parties.

   o  objects/ftm-Person [98] - An individual.

   o  objects/ftm-PlainText [99] - .

   o  objects/ftm-PublicBody [100] - A public body, such as a ministry,
      department or state company.

   o  objects/ftm-RealEstate [101] - A piece of land or property.

   o  objects/ftm-Representation [102] - A mediatory, intermediary,
      middleman, or broker acting on behalf of a legal entity.

   o  objects/ftm-Row [103] - .

   o  objects/ftm-Sanction [104] - A sanction designation.

   o  objects/ftm-Succession [105] - Two entities that legally succeed
      each other.

   o  objects/ftm-Table [106] - .

   o  objects/ftm-TaxRoll [107] - A tax declaration of an individual.

   o  objects/ftm-UnknownLink [108] - .

   o  objects/ftm-UserAccount [109] - .

   o  objects/ftm-Vehicle [110] - .

   o  objects/ftm-Vessel [111] - A boat or ship.

   o  objects/ftm-Video [112] - .

   o  objects/ftm-Workbook [113] - .

   o  objects/geolocation [114] - An object to describe a geographic
      location.

   o  objects/git-vuln-finder [115] - Export from git-vuln-finder.

   o  objects/github-user [116] - GitHub user.

   o  objects/gitlab-user [117] - GitLab user.  Gitlab.com user or self-
      hosted GitLab instance.







   o  objects/gtp-attack [118] - GTP attack object as seen on a GSM,
      UMTS or LTE network.

   o  objects/http-request [119] - A single HTTP request header.

   o  objects/ilr-impact [120] - Institut Luxembourgeois de Regulation -
      Impact.

   o  objects/ilr-notification-incident [121] - Institut Luxembourgeois
      de Regulation - Notification d'incident.

   o  objects/image [122] - Object describing an image file.

   o  objects/impersonation [123] - Represent an impersonating account.

   o  objects/imsi-catcher [124] - IMSI Catcher entry object based on
      the open source IMSI catcher.

   o  objects/instant-message [125] - Instant Message (IM) object
      template describing one or more IM messages.

   o  objects/instant-message-group [126] - Instant Message (IM) group
      object template describing a public or private IM group, channel
      or conversation.

   o  objects/intel471-vulnerability-intelligence [127] - Intel 471
      vulnerability intelligence object.

   o  objects/intelmq_event [128] - IntelMQ Event.

   o  objects/intelmq_report [129] - IntelMQ Report.

   o  objects/internal-reference [130] - Internal reference.

   o  objects/interpol-notice [131] - An object which describes an
      Interpol notice.

   o  objects/iot-device [132] - An IoT device.

   o  objects/iot-firmware [133] - A firmware for an IoT device.

   o  objects/ip-api-address [134] - IP Address information.  Useful if
      you are pulling your ip information from ip-api.com.

   o  objects/ip-port [135] - An IP address (or domain or hostname) and
      a port seen as a tuple (or as a triple) in a specific time frame.







   o  objects/irc [136] - An IRC object to describe an IRC server and
      the associated channels.

   o  objects/ja3 [137] - JA3 is a new technique for creating SSL client
      fingerprints that are easy to produce and can be easily shared for
      threat intelligence.  Fingerprints are composed of Client Hello
      packet; SSL Version, Accepted Ciphers, List of Extensions,
      Elliptic Curves, and Elliptic Curve Formats.
      https://github.com/salesforce/ja3 [138].

   o  objects/keybase-account [139] - Information related to a keybase
      account, from API Users Object.

   o  objects/leaked-document [140] - Object describing a leaked
      document.

   o  objects/legal-entity [141] - An object to describe a legal entity.

   o  objects/lnk [142] - LNK object describing a Windows LNK binary
      file (aka Windows shortcut).

   o  objects/macho [143] - Object describing a file in Mach-O format.

   o  objects/macho-section [144] - Object describing a section of a
      file in Mach-O format.

   o  objects/mactime-timeline-analysis [145] - Mactime template, used
      in forensic investigations to describe the timeline of a file
      activity.

   o  objects/malware-config [146] - Malware configuration recovered or
      extracted from a malicious binary.

   o  objects/meme-image [147] - Object describing a meme (image).

   o  objects/microblog [148] - Microblog post like a Twitter tweet or a
      post on a Facebook wall.

   o  objects/mutex [149] - Object to describe mutual exclusion locks
      (mutex) as seen in memory or computer program.

   o  objects/narrative [150] - Object describing a narrative.

   o  objects/netflow [151] - Netflow object describes a network object
      based on the Netflowv5/v9 minimal definition.

   o  objects/network-connection [152] - A local or remote network
      connection.





   o  objects/network-socket [153] - Network socket object describes a
      local or remote network connection based on the socket data
      structure.

   o  objects/news-agency [154] - News agencies compile news and
      disseminate news in bulk.

   o  objects/news-media [155] - News media are forms of mass media
      delivering news to the general public.

   o  objects/organization [156] - An object which describes an
      organization.

   o  objects/original-imported-file [157] - Object describing the
      original file used to import data in MISP.

   o  objects/parler-account [158] - Parler account.

   o  objects/parler-comment [159] - Parler comment.

   o  objects/parler-post [160] - Parler post (parley).

   o  objects/passive-dns [161] - Passive DNS records as expressed in
      draft-dulaunoy-dnsop-passive-dns-cof-01.

   o  objects/paste [162] - Paste or similar post from a website that
      allows posts to be shared privately or publicly.

   o  objects/pcap-metadata [163] - Network packet capture metadata.

   o  objects/pe [164] - Object describing a Portable Executable.

   o  objects/pe-section [165] - Object describing a section of a
      Portable Executable.

   o  objects/person [166] - An object which describes a person or an
      identity.

   o  objects/pgp-meta [167] - Metadata extracted from a PGP keyblock,
      message or signature.

   o  objects/phishing [168] - Phishing template to describe a phishing
      website and its analysis.

   o  objects/phishing-kit [169] - Object to describe a phishing-kit.

   o  objects/phone [170] - A phone or mobile phone object which
      describes a phone.



   o  objects/process [171] - Object describing a system process.

   o  objects/publication [172] - An object to describe a book, journal,
      or academic publication.

   o  objects/python-etvx-event-log [173] - Event log object template to
      share information of the activities conducted on a system.

   o  objects/r2graphity [174] - Indicators extracted from files using
      radare2 and graphml.

   o  objects/reddit-account [175] - Reddit account.

   o  objects/reddit-comment [176] - A Reddit post comment.

   o  objects/reddit-post [177] - A Reddit post.

   o  objects/reddit-subreddit [178] - Public or private subreddit.

   o  objects/regexp [179] - An object describing a regular expression
      (regex or regexp).  The object can be linked via a relationship to
      other attributes or objects to describe how it can be represented
      as a regular expression.

   o  objects/registry-key [180] - Registry key object describing a
      Windows registry key with value and last-modified timestamp.

   o  objects/regripper-NTUser [181] - Regripper Object template
      designed to present user specific configuration details extracted
      from the NTUSER.dat hive.

   o  objects/regripper-sam-hive-single-user [182] - Regripper Object
      template designed to present user profile details extracted from
      the SAM hive.

   o  objects/regripper-sam-hive-user-group [183] - Regripper Object
      template designed to present group profile details extracted from
      the SAM hive.

   o  objects/regripper-software-hive-BHO [184] - Regripper Object
      template designed to gather information of the browser helper
      objects installed on the system.

   o  objects/regripper-software-hive-appInit-DLLS [185] - Regripper
      Object template designed to gather information of the DLL files
      installed on the system.





   o  objects/regripper-software-hive-application-paths [186] -
      Regripper Object template designed to gather information of the
      application paths.

   o  objects/regripper-software-hive-applications-installed [187] -
      Regripper Object template designed to gather information of the
      applications installed on the system.

   o  objects/regripper-software-hive-command-shell [188] - Regripper
      Object template designed to gather information of the shell
      commands executed on the system.

   o  objects/regripper-software-hive-software-run [189] - Regripper
      Object template designed to gather information of the applications
      set to run on the system.

   o  objects/regripper-software-hive-userprofile-winlogon [190] -
      Regripper Object template designed to gather user profile
      information when the user logs onto the system, gathered from the
      software hive.

   o  objects/regripper-software-hive-windows-general-info [191] -
      Regripper Object template designed to gather general Windows
      information extracted from the software-hive.

   o  objects/regripper-system-hive-firewall-configuration [192] -
      Regripper Object template designed to present firewall
      configuration information extracted from the system-hive.

   o  objects/regripper-system-hive-general-configuration [193] -
      Regripper Object template designed to present general system
      properties extracted from the system-hive.

   o  objects/regripper-system-hive-network-information [194] -
      Regripper object template designed to gather network information
      from the system-hive.

   o  objects/regripper-system-hive-services-drivers [195] - Regripper
      Object template designed to gather information regarding the
      services/drivers from the system-hive.

   o  objects/report [196] - Metadata used to generate an executive
      level report.

   o  objects/research-scanner [197] - Information related to known
      scanning activity (e.g. from research projects).

   o  objects/rogue-dns [198] - Rogue DNS as defined by CERT.br.



   o  objects/rtir [199] - RTIR - Request Tracker for Incident Response.

   o  objects/sandbox-report [200] - Sandbox report.

   o  objects/sb-signature [201] - Sandbox detection signature.

   o  objects/scheduled-event [202] - Event object template describing a
      gathering of individuals in meatspace.

   o  objects/scrippsco2-c13-daily [203] - Daily average C13
      concentrations (ppm) derived from flask air samples.

   o  objects/scrippsco2-c13-monthly [204] - Monthly average C13
      concentrations (ppm) derived from flask air samples.

   o  objects/scrippsco2-co2-daily [205] - Daily average CO2
      concentrations (ppm) derived from flask air samples.

   o  objects/scrippsco2-co2-monthly [206] - Monthly average CO2
      concentrations (ppm) derived from flask air samples.

   o  objects/scrippsco2-o18-daily [207] - Daily average O18
      concentrations (ppm) derived from flask air samples.

   o  objects/scrippsco2-o18-monthly [208] - Monthly average O18
      concentrations (ppm) derived from flask air samples.

   o  objects/script [209] - Object describing a computer program
      written to be run in a special run-time environment.  The script
      or shell script can be used for malicious activities but also as
      support tools for threat analysts.

   o  objects/shell-commands [210] - Object describing a series of shell
      commands executed.  This object can be linked with malicious files
      in order to describe a specific execution of shell commands.

   o  objects/shodan-report [211] - Shodan Report for a given IP.

   o  objects/short-message-service [212] - Short Message Service (SMS)
      object template describing one or more SMS messages.  Restriction
      of the initial format 3GPP 23.038 GSM character set doesn't apply.

   o  objects/shortened-link [213] - Shortened link and its redirect
      target.

   o  objects/social-media-group [214] - Social media group object
      template describing a public or private group or channel.




   o  objects/splunk [215] - Splunk / Splunk ES object.

   o  objects/ss7-attack [216] - SS7 object of an attack seen on a GSM,
      UMTS or LTE network via SS7 logging.

   o  objects/ssh-authorized-keys [217] - An object to store ssh
      authorized keys file.

   o  objects/stix2-pattern [218] - An object describing a STIX pattern.
      The object can be linked via a relationship to other attributes or
      objects to describe how it can be represented as a STIX pattern.

   o  objects/suricata [219] - An object describing one or more Suricata
      rule(s) along with version and contextual information.

   o  objects/target-system [220] - Description of a targeted system;
      this could potentially be a compromised internal system.

   o  objects/threatgrid-report [221] - ThreatGrid report.

   o  objects/timecode [222] - Timecode object to describe the start of
      a video sequence (e.g. CCTV evidence) and the end of the video
      sequence.

   o  objects/timesketch-timeline [223] - A timesketch timeline object
      based on mandatory fields in timesketch to describe a log entry.

   o  objects/timesketch_message [224] - A timesketch message entry.

   o  objects/timestamp [225] - A generic timestamp object to represent
      time including first time and last time seen.  Relationship will
      then define the kind of time relationship.

   o  objects/tor-hiddenservice [226] - Tor hidden service (onion
      service) object.

   o  objects/tor-node [227] - Description of a Tor node (which protects
      your privacy on the internet by hiding the connection between a
      user's Internet address and the services used by the user) that is
      part of the Tor network at a given time.

   o  objects/tracking-id [228] - Analytics and tracking ID such as used
      in Google Analytics or other analytics platforms.

   o  objects/transaction [229] - An object to describe a financial
      transaction.





   o  objects/translation [230] - Used to keep a text and its
      translation.

   o  objects/trustar_report [231] - TruStar Report.

   o  objects/tsk-chats [232] - An Object Template to gather information
      from evidential or interesting exchanges of messages identified
      during a digital forensic investigation.

   o  objects/tsk-web-bookmark [233] - An Object Template to add
      evidential bookmarks identified during a digital forensic
      investigation.

   o  objects/tsk-web-cookie [234] - A TSK-Autopsy Object Template to
      represent cookies identified during a forensic investigation.

   o  objects/tsk-web-downloads [235] - An Object Template to add web-
      downloads.

   o  objects/tsk-web-history [236] - An Object Template to share web
      history information.

   o  objects/tsk-web-search-query [237] - An Object Template to share
      web search query information.

   o  objects/twitter-account [238] - Twitter account.

   o  objects/twitter-list [239] - Twitter list.

   o  objects/twitter-post [240] - Twitter post (tweet).

   o  objects/url [241] - url object describes a URL along with its
      normalized fields (such as those extracted using the faup parsing
      library) and its metadata.

   o  objects/user-account [242] - .

   o  objects/vehicle [243] - Vehicle object template to describe
      vehicle information and registration.

   o  objects/victim [244] - Victim object describes the target of an
      attack or abuse.

   o  objects/virustotal-graph [245] - VirusTotal graph.

   o  objects/virustotal-report [246] - VirusTotal report.





   o  objects/vulnerability [247] - Vulnerability object describing a
      common vulnerability enumeration which can describe published,
      unpublished, under-review or embargoed vulnerabilities for
      software, equipment or hardware.

   o  objects/weakness [248] - Weakness object describing a common
      weakness enumeration which can describe usable, incomplete, draft
      or deprecated weaknesses for software, equipment or hardware.

   o  objects/whois [249] - Whois records information for a domain name
      or an IP address.

   o  objects/x509 [250] - x509 object describing an X.509 certificate.

   o  objects/yabin [251] - yabin.py generates Yara rules from function
      prologs, for matching and hunting binaries. ref:
      https://github.com/AlienVault-OTX/yabin [252].

   o  objects/yara [253] - An object describing a YARA rule (or a YARA
      rule name) along with its version.

   o  objects/youtube-channel [254] - A YouTube channel.

   o  objects/youtube-comment [255] - A YouTube video comment.

   o  objects/youtube-playlist [256] - A YouTube playlist.

   o  objects/youtube-video [257] - A YouTube video.

4.  Acknowledgements

   The authors wish to thank all the MISP community who are supporting
   the creation of open standards in threat intelligence sharing.

5.  References

5.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC4122]  Leach, P., Mealling, M., and R. Salz, "A Universally
              Unique IDentifier (UUID) URN Namespace", RFC 4122,
              DOI 10.17487/RFC4122, July 2005,
              <https://www.rfc-editor.org/info/rfc4122>.




   [RFC8259]  Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
              Interchange Format", STD 90, RFC 8259,
              DOI 10.17487/RFC8259, December 2017,
              <https://www.rfc-editor.org/info/rfc8259>.

5.2.  Informative References

   [MISP-O]   Community, M., "MISP Objects - shared and common object
              templates", <https://github.com/MISP/misp-objects>.

   [MISP-O-DOC]
              Community, M., "MISP objects directory", 2018,
              <https://www.misp-project.org/objects.html>.

5.3.  URIs

   [1] https://github.com/MISP/misp-objects/blob/main/objects/ail-leak/
       definition.json

   [2] https://github.com/MISP/misp-objects/blob/main/objects/ais-info/
       definition.json

   [3] https://github.com/MISP/misp-objects/blob/main/objects/android-
       app/definition.json

   [4] https://github.com/MISP/misp-objects/blob/main/objects/android-
       permission/definition.json

   [5] https://github.com/MISP/misp-
       objects/blob/main/objects/annotation/definition.json

   [6] https://github.com/MISP/misp-
       objects/blob/main/objects/anonymisation/definition.json

   [7] https://www.caida.org/tools/taxonomy/anonymization.xml

   [8] https://github.com/MISP/misp-objects/blob/main/objects/asn/
       definition.json

   [9] https://github.com/MISP/misp-objects/blob/main/objects/attack-
       pattern/definition.json

   [10] https://github.com/MISP/misp-objects/blob/main/objects/
        authentication-failure-report/definition.json

   [11] https://github.com/MISP/misp-objects/blob/main/objects/
        authenticode-signerinfo/definition.json




   [12] https://github.com/MISP/misp-objects/blob/main/objects/av-
        signature/definition.json

   [13] https://github.com/MISP/misp-objects/blob/main/objects/bank-
        account/definition.json

   [14] https://github.com/MISP/misp-objects/blob/main/objects/bgp-
        hijack/definition.json

   [15] https://github.com/MISP/misp-objects/blob/main/objects/bgp-
        ranking/definition.json

   [16] https://github.com/MISP/misp-objects/blob/main/objects/blog/
        definition.json

   [17] https://github.com/MISP/misp-objects/blob/main/objects/boleto/
        definition.json

   [18] https://github.com/MISP/misp-objects/blob/main/objects/btc-
        transaction/definition.json

   [19] https://github.com/MISP/misp-objects/blob/main/objects/btc-
        wallet/definition.json

   [20] https://github.com/MISP/misp-objects/blob/main/objects/cap-
        alert/definition.json

   [21] https://github.com/MISP/misp-objects/blob/main/objects/cap-info/
        definition.json

   [22] https://github.com/MISP/misp-objects/blob/main/objects/cap-
        resource/definition.json

   [23] https://github.com/MISP/misp-objects/blob/main/objects/coin-
        address/definition.json

   [24] https://github.com/MISP/misp-objects/blob/main/objects/command/
        definition.json

   [25] https://github.com/MISP/misp-objects/blob/main/objects/command-
        line/definition.json

   [26] https://github.com/MISP/misp-objects/blob/main/objects/cookie/
        definition.json

   [27] https://github.com/MISP/misp-objects/blob/main/objects/cortex/
        definition.json




   [28] https://github.com/MISP/misp-objects/blob/main/objects/cortex-
        taxonomy/definition.json

   [29] https://github.com/MISP/misp-objects/blob/main/objects/course-
        of-action/definition.json

   [30] https://github.com/MISP/misp-objects/blob/main/objects/covid19-
        csse-daily-report/definition.json

   [31] https://github.com/MISP/misp-objects/blob/main/objects/covid19-
        dxy-live-city/definition.json

   [32] https://github.com/MISP/misp-objects/blob/main/objects/covid19-
        dxy-live-province/definition.json

   [33] https://github.com/MISP/misp-objects/blob/main/objects/cowrie/
        definition.json

   [34] https://github.com/MISP/misp-objects/blob/main/objects/cpe-
        asset/definition.json

   [35] https://github.com/MISP/misp-
        objects/blob/main/objects/credential/definition.json

   [36] https://github.com/MISP/misp-objects/blob/main/objects/credit-
        card/definition.json

   [37] https://github.com/MISP/misp-objects/blob/main/objects/crypto-
        material/definition.json

   [38] https://github.com/MISP/misp-objects/blob/main/objects/cytomic-
        orion-file/definition.json

   [39] https://github.com/MISP/misp-objects/blob/main/objects/cytomic-
        orion-machine/definition.json

   [40] https://github.com/MISP/misp-objects/blob/main/objects/dark-
        pattern-item/definition.json

   [41] https://github.com/MISP/misp-objects/blob/main/objects/ddos/
        definition.json

   [42] https://github.com/MISP/misp-objects/blob/main/objects/device/
        definition.json

   [43] https://github.com/MISP/misp-objects/blob/main/objects/diameter-
        attack/definition.json




   [44] https://github.com/MISP/misp-objects/blob/main/objects/dns-
        record/definition.json

   [45] https://github.com/MISP/misp-objects/blob/main/objects/domain-
        crawled/definition.json

   [46] https://github.com/MISP/misp-objects/blob/main/objects/domain-
        ip/definition.json

   [47] https://github.com/MISP/misp-objects/blob/main/objects/elf/
        definition.json

   [48] https://github.com/MISP/misp-objects/blob/main/objects/elf-
        section/definition.json

   [49] https://github.com/MISP/misp-objects/blob/main/objects/email/
        definition.json

   [50] https://github.com/MISP/misp-objects/blob/main/objects/employee/
        definition.json

   [51] https://github.com/MISP/misp-objects/blob/main/objects/exploit-
        poc/definition.json

   [52] https://github.com/MISP/misp-objects/blob/main/objects/facebook-
        account/definition.json

   [53] https://github.com/MISP/misp-objects/blob/main/objects/facebook-
        group/definition.json

   [54] https://github.com/MISP/misp-objects/blob/main/objects/facebook-
        page/definition.json

   [55] https://github.com/MISP/misp-objects/blob/main/objects/facebook-
        post/definition.json

   [56] https://github.com/MISP/misp-objects/blob/main/objects/facial-
        composite/definition.json

   [57] https://github.com/MISP/misp-objects/blob/main/objects/fail2ban/
        definition.json

   [58] https://github.com/MISP/misp-objects/blob/main/objects/favicon/
        definition.json

   [59] https://github.com/MISP/misp-objects/blob/main/objects/file/
        definition.json




   [60] https://github.com/MISP/misp-objects/blob/main/objects/forensic-
        case/definition.json

   [61] https://github.com/MISP/misp-objects/blob/main/objects/forensic-
        evidence/definition.json

   [62] https://github.com/MISP/misp-objects/blob/main/objects/forged-
        document/definition.json

   [63] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
        Airplane/definition.json

   [64] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
        Assessment/definition.json

   [65] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
        Asset/definition.json

   [66] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
        Associate/definition.json

   [67] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
        Audio/definition.json

   [68] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
        BankAccount/definition.json

   [69] https://github.com/MISP/misp-objects/blob/main/objects/ftm-Call/
        definition.json

   [70] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
        Company/definition.json

   [71] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
        Contract/definition.json

   [72] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
        ContractAward/definition.json

   [73] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
        CourtCase/definition.json

   [74] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
        CourtCaseParty/definition.json

   [75] https://github.com/MISP/misp-objects/blob/main/objects/ftm-Debt/
        definition.json




   [76] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
        Directorship/definition.json

   [77] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
        Document/definition.json

   [78] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
        Documentation/definition.json

   [79] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
        EconomicActivity/definition.json

   [80] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
        Email/definition.json

   [81] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
        Event/definition.json

   [82] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
        Family/definition.json

   [83] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
        Folder/definition.json

   [84] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
        HyperText/definition.json

   [85] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
        Image/definition.json

   [86] https://github.com/MISP/misp-objects/blob/main/objects/ftm-Land/
        definition.json

   [87] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
        LegalEntity/definition.json

   [88] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
        License/definition.json

   [89] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
        Membership/definition.json

   [90] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
        Message/definition.json

   [91] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
        Organization/definition.json




   [92] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
        Ownership/definition.json

   [93] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
        Package/definition.json

   [94] https://github.com/MISP/misp-objects/blob/main/objects/ftm-Page/
        definition.json

   [95] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
        Pages/definition.json

   [96] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
        Passport/definition.json

   [97] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
        Payment/definition.json

   [98] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
        Person/definition.json

   [99] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
        PlainText/definition.json

   [100] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
         PublicBody/definition.json

   [101] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
         RealEstate/definition.json

   [102] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
         Representation/definition.json

   [103] https://github.com/MISP/misp-objects/blob/main/objects/ftm-Row/
         definition.json

   [104] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
         Sanction/definition.json

   [105] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
         Succession/definition.json

   [106] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
         Table/definition.json

   [107] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
         TaxRoll/definition.json




   [108] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
         UnknownLink/definition.json

   [109] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
         UserAccount/definition.json

   [110] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
         Vehicle/definition.json

   [111] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
         Vessel/definition.json

   [112] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
         Video/definition.json

   [113] https://github.com/MISP/misp-objects/blob/main/objects/ftm-
         Workbook/definition.json

   [114] https://github.com/MISP/misp-
         objects/blob/main/objects/geolocation/definition.json

   [115] https://github.com/MISP/misp-objects/blob/main/objects/git-
         vuln-finder/definition.json

   [116] https://github.com/MISP/misp-objects/blob/main/objects/github-
         user/definition.json

   [117] https://github.com/MISP/misp-objects/blob/main/objects/gitlab-
         user/definition.json

   [118] https://github.com/MISP/misp-objects/blob/main/objects/gtp-
         attack/definition.json

   [119] https://github.com/MISP/misp-objects/blob/main/objects/http-
         request/definition.json

   [120] https://github.com/MISP/misp-objects/blob/main/objects/ilr-
         impact/definition.json

   [121] https://github.com/MISP/misp-objects/blob/main/objects/ilr-
         notification-incident/definition.json

   [122] https://github.com/MISP/misp-objects/blob/main/objects/image/
         definition.json

   [123] https://github.com/MISP/misp-
         objects/blob/main/objects/impersonation/definition.json




   [124] https://github.com/MISP/misp-objects/blob/main/objects/imsi-
         catcher/definition.json

   [125] https://github.com/MISP/misp-objects/blob/main/objects/instant-
         message/definition.json

   [126] https://github.com/MISP/misp-objects/blob/main/objects/instant-
         message-group/definition.json

   [127] https://github.com/MISP/misp-objects/blob/main/objects/
         intel471-vulnerability-intelligence/definition.json

   [128] https://github.com/MISP/misp-
         objects/blob/main/objects/intelmq_event/definition.json

   [129] https://github.com/MISP/misp-
         objects/blob/main/objects/intelmq_report/definition.json

   [130] https://github.com/MISP/misp-objects/blob/main/objects/
         internal-reference/definition.json

   [131] https://github.com/MISP/misp-objects/blob/main/objects/
         interpol-notice/definition.json

   [132] https://github.com/MISP/misp-objects/blob/main/objects/iot-
         device/definition.json

   [133] https://github.com/MISP/misp-objects/blob/main/objects/iot-
         firmware/definition.json

   [134] https://github.com/MISP/misp-objects/blob/main/objects/ip-api-
         address/definition.json

   [135] https://github.com/MISP/misp-objects/blob/main/objects/ip-port/
         definition.json

   [136] https://github.com/MISP/misp-objects/blob/main/objects/irc/
         definition.json

   [137] https://github.com/MISP/misp-objects/blob/main/objects/ja3/
         definition.json

   [138] https://github.com/salesforce/ja3

   [139] https://github.com/MISP/misp-objects/blob/main/objects/keybase-
         account/definition.json





   [140] https://github.com/MISP/misp-objects/blob/main/objects/leaked-
         document/definition.json

   [141] https://github.com/MISP/misp-objects/blob/main/objects/legal-
         entity/definition.json

   [142] https://github.com/MISP/misp-objects/blob/main/objects/lnk/
         definition.json

   [143] https://github.com/MISP/misp-objects/blob/main/objects/macho/
         definition.json

   [144] https://github.com/MISP/misp-objects/blob/main/objects/macho-
         section/definition.json

   [145] https://github.com/MISP/misp-objects/blob/main/objects/mactime-
         timeline-analysis/definition.json

   [146] https://github.com/MISP/misp-objects/blob/main/objects/malware-
         config/definition.json

   [147] https://github.com/MISP/misp-objects/blob/main/objects/meme-
         image/definition.json

   [148] https://github.com/MISP/misp-
         objects/blob/main/objects/microblog/definition.json

   [149] https://github.com/MISP/misp-objects/blob/main/objects/mutex/
         definition.json

   [150] https://github.com/MISP/misp-
         objects/blob/main/objects/narrative/definition.json

   [151] https://github.com/MISP/misp-objects/blob/main/objects/netflow/
         definition.json

   [152] https://github.com/MISP/misp-objects/blob/main/objects/network-
         connection/definition.json

   [153] https://github.com/MISP/misp-objects/blob/main/objects/network-
         socket/definition.json

   [154] https://github.com/MISP/misp-objects/blob/main/objects/news-
         agency/definition.json

   [155] https://github.com/MISP/misp-objects/blob/main/objects/news-
         media/definition.json




   [156] https://github.com/MISP/misp-objects/blob/main/objects/organization/definition.json

   [157] https://github.com/MISP/misp-objects/blob/main/objects/original-imported-file/definition.json

   [158] https://github.com/MISP/misp-objects/blob/main/objects/parler-account/definition.json

   [159] https://github.com/MISP/misp-objects/blob/main/objects/parler-comment/definition.json

   [160] https://github.com/MISP/misp-objects/blob/main/objects/parler-post/definition.json

   [161] https://github.com/MISP/misp-objects/blob/main/objects/passive-dns/definition.json

   [162] https://github.com/MISP/misp-objects/blob/main/objects/paste/definition.json

   [163] https://github.com/MISP/misp-objects/blob/main/objects/pcap-metadata/definition.json

   [164] https://github.com/MISP/misp-objects/blob/main/objects/pe/definition.json

   [165] https://github.com/MISP/misp-objects/blob/main/objects/pe-section/definition.json

   [166] https://github.com/MISP/misp-objects/blob/main/objects/person/definition.json

   [167] https://github.com/MISP/misp-objects/blob/main/objects/pgp-meta/definition.json

   [168] https://github.com/MISP/misp-objects/blob/main/objects/phishing/definition.json

   [169] https://github.com/MISP/misp-objects/blob/main/objects/phishing-kit/definition.json

   [170] https://github.com/MISP/misp-objects/blob/main/objects/phone/definition.json

   [171] https://github.com/MISP/misp-objects/blob/main/objects/process/definition.json




   [172] https://github.com/MISP/misp-objects/blob/main/objects/publication/definition.json

   [173] https://github.com/MISP/misp-objects/blob/main/objects/python-etvx-event-log/definition.json

   [174] https://github.com/MISP/misp-objects/blob/main/objects/r2graphity/definition.json

   [175] https://github.com/MISP/misp-objects/blob/main/objects/reddit-account/definition.json

   [176] https://github.com/MISP/misp-objects/blob/main/objects/reddit-comment/definition.json

   [177] https://github.com/MISP/misp-objects/blob/main/objects/reddit-post/definition.json

   [178] https://github.com/MISP/misp-objects/blob/main/objects/reddit-subreddit/definition.json

   [179] https://github.com/MISP/misp-objects/blob/main/objects/regexp/definition.json

   [180] https://github.com/MISP/misp-objects/blob/main/objects/registry-key/definition.json

   [181] https://github.com/MISP/misp-objects/blob/main/objects/regripper-NTUser/definition.json

   [182] https://github.com/MISP/misp-objects/blob/main/objects/regripper-sam-hive-single-user/definition.json

   [183] https://github.com/MISP/misp-objects/blob/main/objects/regripper-sam-hive-user-group/definition.json

   [184] https://github.com/MISP/misp-objects/blob/main/objects/regripper-software-hive-BHO/definition.json

   [185] https://github.com/MISP/misp-objects/blob/main/objects/regripper-software-hive-appInit-DLLS/definition.json

   [186] https://github.com/MISP/misp-objects/blob/main/objects/regripper-software-hive-application-paths/definition.json

   [187] https://github.com/MISP/misp-objects/blob/main/objects/regripper-software-hive-applications-installed/definition.json




   [188] https://github.com/MISP/misp-objects/blob/main/objects/regripper-software-hive-command-shell/definition.json

   [189] https://github.com/MISP/misp-objects/blob/main/objects/regripper-software-hive-software-run/definition.json

   [190] https://github.com/MISP/misp-objects/blob/main/objects/regripper-software-hive-userprofile-winlogon/definition.json

   [191] https://github.com/MISP/misp-objects/blob/main/objects/regripper-software-hive-windows-general-info/definition.json

   [192] https://github.com/MISP/misp-objects/blob/main/objects/regripper-system-hive-firewall-configuration/definition.json

   [193] https://github.com/MISP/misp-objects/blob/main/objects/regripper-system-hive-general-configuration/definition.json

   [194] https://github.com/MISP/misp-objects/blob/main/objects/regripper-system-hive-network-information/definition.json

   [195] https://github.com/MISP/misp-objects/blob/main/objects/regripper-system-hive-services-drivers/definition.json

   [196] https://github.com/MISP/misp-objects/blob/main/objects/report/definition.json

   [197] https://github.com/MISP/misp-objects/blob/main/objects/research-scanner/definition.json

   [198] https://github.com/MISP/misp-objects/blob/main/objects/rogue-dns/definition.json

   [199] https://github.com/MISP/misp-objects/blob/main/objects/rtir/definition.json

   [200] https://github.com/MISP/misp-objects/blob/main/objects/sandbox-report/definition.json

   [201] https://github.com/MISP/misp-objects/blob/main/objects/sb-signature/definition.json

   [202] https://github.com/MISP/misp-objects/blob/main/objects/scheduled-event/definition.json

   [203] https://github.com/MISP/misp-objects/blob/main/objects/scrippsco2-c13-daily/definition.json




   [204] https://github.com/MISP/misp-objects/blob/main/objects/scrippsco2-c13-monthly/definition.json

   [205] https://github.com/MISP/misp-objects/blob/main/objects/scrippsco2-co2-daily/definition.json

   [206] https://github.com/MISP/misp-objects/blob/main/objects/scrippsco2-co2-monthly/definition.json

   [207] https://github.com/MISP/misp-objects/blob/main/objects/scrippsco2-o18-daily/definition.json

   [208] https://github.com/MISP/misp-objects/blob/main/objects/scrippsco2-o18-monthly/definition.json

   [209] https://github.com/MISP/misp-objects/blob/main/objects/script/definition.json

   [210] https://github.com/MISP/misp-objects/blob/main/objects/shell-commands/definition.json

   [211] https://github.com/MISP/misp-objects/blob/main/objects/shodan-report/definition.json

   [212] https://github.com/MISP/misp-objects/blob/main/objects/short-message-service/definition.json

   [213] https://github.com/MISP/misp-objects/blob/main/objects/shortened-link/definition.json

   [214] https://github.com/MISP/misp-objects/blob/main/objects/social-media-group/definition.json

   [215] https://github.com/MISP/misp-objects/blob/main/objects/splunk/definition.json

   [216] https://github.com/MISP/misp-objects/blob/main/objects/ss7-attack/definition.json

   [217] https://github.com/MISP/misp-objects/blob/main/objects/ssh-authorized-keys/definition.json

   [218] https://github.com/MISP/misp-objects/blob/main/objects/stix2-pattern/definition.json

   [219] https://github.com/MISP/misp-objects/blob/main/objects/suricata/definition.json




   [220] https://github.com/MISP/misp-objects/blob/main/objects/target-system/definition.json

   [221] https://github.com/MISP/misp-objects/blob/main/objects/threatgrid-report/definition.json

   [222] https://github.com/MISP/misp-objects/blob/main/objects/timecode/definition.json

   [223] https://github.com/MISP/misp-objects/blob/main/objects/timesketch-timeline/definition.json

   [224] https://github.com/MISP/misp-objects/blob/main/objects/timesketch_message/definition.json

   [225] https://github.com/MISP/misp-objects/blob/main/objects/timestamp/definition.json

   [226] https://github.com/MISP/misp-objects/blob/main/objects/tor-hiddenservice/definition.json

   [227] https://github.com/MISP/misp-objects/blob/main/objects/tor-node/definition.json

   [228] https://github.com/MISP/misp-objects/blob/main/objects/tracking-id/definition.json

   [229] https://github.com/MISP/misp-objects/blob/main/objects/transaction/definition.json

   [230] https://github.com/MISP/misp-objects/blob/main/objects/translation/definition.json

   [231] https://github.com/MISP/misp-objects/blob/main/objects/trustar_report/definition.json

   [232] https://github.com/MISP/misp-objects/blob/main/objects/tsk-chats/definition.json

   [233] https://github.com/MISP/misp-objects/blob/main/objects/tsk-web-bookmark/definition.json

   [234] https://github.com/MISP/misp-objects/blob/main/objects/tsk-web-cookie/definition.json

   [235] https://github.com/MISP/misp-objects/blob/main/objects/tsk-web-downloads/definition.json




   [236] https://github.com/MISP/misp-objects/blob/main/objects/tsk-web-history/definition.json

   [237] https://github.com/MISP/misp-objects/blob/main/objects/tsk-web-search-query/definition.json

   [238] https://github.com/MISP/misp-objects/blob/main/objects/twitter-account/definition.json

   [239] https://github.com/MISP/misp-objects/blob/main/objects/twitter-list/definition.json

   [240] https://github.com/MISP/misp-objects/blob/main/objects/twitter-post/definition.json

   [241] https://github.com/MISP/misp-objects/blob/main/objects/url/definition.json

   [242] https://github.com/MISP/misp-objects/blob/main/objects/user-account/definition.json

   [243] https://github.com/MISP/misp-objects/blob/main/objects/vehicle/definition.json

   [244] https://github.com/MISP/misp-objects/blob/main/objects/victim/definition.json

   [245] https://github.com/MISP/misp-objects/blob/main/objects/virustotal-graph/definition.json

   [246] https://github.com/MISP/misp-objects/blob/main/objects/virustotal-report/definition.json

   [247] https://github.com/MISP/misp-objects/blob/main/objects/vulnerability/definition.json

   [248] https://github.com/MISP/misp-objects/blob/main/objects/weakness/definition.json

   [249] https://github.com/MISP/misp-objects/blob/main/objects/whois/definition.json

   [250] https://github.com/MISP/misp-objects/blob/main/objects/x509/definition.json

   [251] https://github.com/MISP/misp-objects/blob/main/objects/yabin/definition.json




   [252] https://github.com/AlienVault-OTX/yabin

   [253] https://github.com/MISP/misp-objects/blob/main/objects/yara/definition.json

   [254] https://github.com/MISP/misp-objects/blob/main/objects/youtube-channel/definition.json

   [255] https://github.com/MISP/misp-objects/blob/main/objects/youtube-comment/definition.json

   [256] https://github.com/MISP/misp-objects/blob/main/objects/youtube-playlist/definition.json

   [257] https://github.com/MISP/misp-objects/blob/main/objects/youtube-video/definition.json

Authors' Addresses

   Alexandre Dulaunoy
   Computer Incident Response Center Luxembourg
   16, bd d'Avranches
   Luxembourg  L-1611
   Luxembourg

   Phone: +352 247 88444
   Email: alexandre.dulaunoy@circl.lu


   Andras Iklody
   Computer Incident Response Center Luxembourg
   16, bd d'Avranches
   Luxembourg  L-1611
   Luxembourg

   Phone: +352 247 88444
   Email: andras.iklody@circl.lu













