MCPcopy Index your code
hub / github.com/MISP/misp-objects

github.com/MISP/misp-objects @v2.4.198

Chat with this repo
repository ↗ · DeepWiki ↗ · release v2.4.198 ↗ · + Follow
2 symbols 17 edges 4 files 0 documented · 0%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

misp-objects

Python application

MISP objects used in MISP system and can be used by other information sharing tools. MISP objects are in addition to MISP attributes to allow advanced combinations of attributes. The creation of these objects and their associated attributes are based on real cyber security use-cases and existing practices in information sharing.

Feel free to propose your own MISP objects template to be included in MISP. The system is similar to the misp-taxonomies where anyone can contribute their own objects to be included in MISP without modifying software.

Format of MISP object template

An example with 'domain-ip' of MISP object template

{
  "attributes": {
    "domain": {
      "categories": [
        "Network activity",
        "External analysis"
      ],
      "description": "Domain name",
      "misp-attribute": "domain",
      "multiple": true,
      "ui-priority": 1
    },
    "first-seen": {
      "description": "First time the tuple has been seen",
      "disable_correlation": true,
      "misp-attribute": "datetime",
      "ui-priority": 0
    },
    "ip": {
      "categories": [
        "Network activity",
        "External analysis"
      ],
      "description": "IP Address",
      "misp-attribute": "ip-dst",
      "multiple": true,
      "ui-priority": 1
    },
    "last-seen": {
      "description": "Last time the tuple has been seen",
      "disable_correlation": true,
      "misp-attribute": "datetime",
      "ui-priority": 0
    },
    "port": {
      "categories": [
        "Network activity",
        "External analysis"
      ],
      "description": "Associated TCP port with the domain",
      "misp-attribute": "port",
      "multiple": true,
      "ui-priority": 1
    },
    "registration-date": {
      "description": "Registration date of domain",
      "disable_correlation": false,
      "misp-attribute": "datetime",
      "ui-priority": 0
    },
    "text": {
      "description": "A description of the tuple",
      "disable_correlation": true,
      "misp-attribute": "text",
      "recommended": false,
      "ui-priority": 1
    }
  },
  "description": "A domain and IP address seen as a tuple in a specific time frame.",
  "meta-category": "network",
  "name": "domain-ip",
  "required": [
    "ip",
    "domain"
  ],
  "uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
  "version": 8
}

A MISP object is described in a simple JSON file containing the following elements.

  • name is the name of the your object.
  • meta-category is the category where the object falls into. (such as file, network, financial, misc, internal...)
  • description is a summary of the object description.
  • version is the version number as a decimal value.
  • required is an array containing the minimal required attributes to describe the object.
  • requiredOneOf is an array containing the attributes where at least one needs to be present to describe the object.
  • attributes contains another JSON object listing all the attributes composing the object.

Each attribute must contain a reference misp-attribute to reference an existing attribute definition in MISP (MISP attributes types are case-sensitive). An array categories shall be used to describe in which categories the attribute is. The ui-priority describes the usage frequency of an attribute. This helps to only display the most frequently used attributes and allowing advanced users to show all the attributes depending of their configuration. An optional multiple field shall be set to true if multiple elements of the same key can be used in the object. An optional values_list where this list of values can be selected as a value for an attribute. An optional sane_default where this list of value recommend potential a sane default for an attribute. An optional disable_correlation boolean field to suggest the disabling of correlation for a specific attribute. An optional to_ids boolean field to disable the IDS flag of an attribute.

Existing MISP objects

  • objects/ADS - An object defining ADS - Alerting and Detection Strategy by PALANTIR. Can be used for detection engineering.
  • objects/abuseipdb - AbuseIPDB checks an ip address, domain name, or subnet against a central blacklist.
  • objects/ai-chat-prompt - Object describing an AI prompt such as ChatGPT.
  • objects/ail-leak - An information leak as defined by the AIL Analysis Information Leak framework.
  • objects/ais - Automatic Identification System (AIS) is an automatic tracking system that uses transceivers on ships.
  • objects/ais-info - Automated Indicator Sharing (AIS) Information Source Markings.
  • objects/android-app - Indicators related to an Android app.
  • objects/android-permission - A set of android permissions - one or more permission(s) which can be linked to other objects (e.g. malware, app).
  • objects/annotation - An annotation object allowing analysts to add annotations, comments, executive summary to a MISP event, objects or attributes.
  • objects/anonymisation - Anonymisation object describing an anonymisation technique used to encode MISP attribute values. Reference: https://www.caida.org/tools/taxonomy/anonymization.xml.
  • objects/apivoid-email-verification - Apivoid email verification API result. Reference: https://www.apivoid.com/api/email-verify/.
  • objects/artifact - The Artifact object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload. From STIX 2.1 (6.1).
  • objects/asn - Autonomous system object describing an autonomous system which can include one or more network operators managing an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.
  • objects/attack-pattern - Attack pattern describing a common attack pattern enumeration and classification.
  • objects/attack-step - An object defining a singular attack-step. Especially useful for red/purple teaming, but can also be used for actual attacks.
  • objects/authentication-failure-report - Authentication Failure Report.
  • objects/authenticode-signerinfo - Authenticode Signer Info.
  • objects/av-signature - Antivirus detection signature.
  • objects/availability-impact - Availability Impact object as described in STIX 2.1 Incident object extension.
  • objects/bank-account - An object describing bank account information based on account description from goAML 4.0.
  • objects/bgp-hijack - Object encapsulating BGP Hijack description as specified, for example, by bgpstream.com.
  • objects/bgp-ranking - BGP Ranking object describing the ranking of an ASN for a given day, along with its position, 1 being the most malicious ASN of the day, with the highest ranking. This object is meant to have a relationship with the corresponding ASN object and represents its ranking for a specific date.
  • objects/blog - Blog post like Medium or WordPress.
  • objects/boleto - A common form of payment used in Brazil.
  • objects/btc-transaction - An object to describe a Bitcoin transaction. Best to be used with bitcoin-wallet.
  • objects/btc-wallet - An object to describe a Bitcoin wallet. Best to be used with btc-transaction object.
  • objects/c2-list - List of C2-servers with common ground, e.g. extracted from a blog post or ransomware analysis.
  • objects/cap-alert - Common Alerting Protocol Version (CAP) alert object.
  • objects/cap-info - Common Alerting Protocol Version (CAP) info object.
  • objects/cap-resource - Common Alerting Protocol Version (CAP) resource object.
  • objects/cert-pl-phishing - cert.pl phishing object template representing an url along with some metadata as such phash, html-structure or partial-hash.
  • objects/cloth - Describes clothes a natural person wears.
  • objects/coin-address - An address used in a cryptocurrency.
  • objects/command - Command functionalities related to specific commands executed by a program, whether it is malicious or not. Command-line are attached to this object for the related commands.
  • objects/command-line - Command line and options related to a specific command executed by a program, whether it is malicious or not.
  • objects/concordia-mtmf-intrusion-set - Intrusion Set - Phase Description.
  • objects/confidentiality-impact - Confidentiality Impact object as described in STIX 2.1 Incident object extension.
  • objects/cookie - An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with the next request to the same server. Typically, it's used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol. As defined by the Mozilla foundation.
  • objects/cortex - Cortex object describing a complete Cortex analysis. Observables would be attribute with a relationship from this object.
  • objects/cortex-taxonomy - Cortex object describing a Cortex Taxonomy (or mini report).
  • objects/course-of-action - An object describing a specific measure taken to prevent or respond to an attack.
  • objects/covid19-csse-daily-report - CSSE COVID-19 Daily report.
  • objects/covid19-dxy-live-city - COVID 19 from dxy.cn - Aggregation by city.
  • objects/covid19-dxy-live-province - COVID 19 from dxy.cn - Aggregation by province.
  • objects/cowrie - Cowrie honeypot object template.
  • objects/cpe-asset - An asset which can be defined by a CPE. This can be a generic asset. CPE is a structured naming scheme for information technology systems, software, and packages.
  • objects/credential - Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s).
  • [objects/credit-card](https://github.com/MISP/misp-objects/blob/main/ob

Core symbols most depended-on inside this repo

asciidoc
called by 3
tools/adoc_objects.py
header
called by 1
tools/adoc_objects.py

Shape

Function 2

Languages

Python100%

Modules by API surface

tools/adoc_objects.py2 symbols

For agents

$ claude mcp add misp-objects \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact