MISP object template format

Document Type Active Internet-Draft (individual)
Authors Alexandre Dulaunoy, Andras Iklody
Last updated 2023-12-24
IESG IESG state I-D Exists
Network Working Group                                        A. Dulaunoy
Internet-Draft                                                 A. Iklody
Intended status: Informational                                     CIRCL
Expires: 26 June 2024                                   24 December 2023

                      MISP object template format


   This document describes the MISP object template format which
   describes a simple JSON format to represent the various templates
   used to construct MISP objects.  A public directory of common
   vocabularies MISP object templates [MISP-O] is available and relies
   on the MISP object reference format.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 26 June 2024.

Copyright Notice

   Copyright (c) 2023 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

Dulaunoy & Iklody         Expires 26 June 2024                  [Page 1]
Internet-Draft         MISP object template format         December 2023

Table of Contents

   1.  Introduction
     1.1.  Conventions and Terminology
   2.  Format
     2.1.  Overview
       2.1.1.  Object Template
       2.1.2.  attributes
       2.1.3.  Sample Object Template object
       2.1.4.  Object Relationships
   3.  Directory
     3.1.  Existing and public MISP object templates
   4.  Acknowledgements
   5.  Normative References
   6.  Informative References
   Authors' Addresses

1.  Introduction

   Due to the increased maturity of threat information sharing, the need
   arose for more complex and exhaustive data-points to be shared across
   the various sharing communities.  MISP's information sharing in
   general relied on a flat structure of attributes contained within an
   event, where attributes served as atomic secluded data-points with
   some commonalities as defined by the encapsulating event.  However,
   this flat structure restricted the use of more diverse and complex
   data-points described by a list of atomic values, a problem solved by
   the MISP object structure.

   MISP objects combine a list of attributes to represent a singular
   object with various facets.  In order to bootstrap the object
   creation process and to maintain uniformity among objects describing
   similar data-points, the MISP object template format serves as a
   reusable and share-able blueprint format.

   MISP object templates also include a vocabulary to describe the
   various inter object and object to attribute relationships and are
   leveraged by MISP object references.

1.1.  Conventions and Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.  Format

   MISP object templates are composed of the MISP object template (MUST)
   structure itself and a list of MISP object template elements (SHOULD)
   describing the list of possible attributes belonging to the resulting
   object, along with their context and settings.

   MISP object templates themselves consist of a name (MUST), a meta-
   category (MUST) and a description (SHOULD).  They are identified by a
   uuid (MUST) and a version (MUST).  For any updates or transfer of the
   same object reference.  UUID version 4 is RECOMMENDED when assigning
   it to a new object reference.  The list of requirements when it comes
   to the contained MISP object template elements is defined in the
   requirements field (OPTIONAL).

   MISP object template elements consist of an object_relation (MUST), a
   type (MUST), an object_template_id (SHOULD), a ui_priority (SHOULD),
   a list of categories (MAY), a list of sane_default values (MAY) or a
   values_list (MAY).

2.1.  Overview

   The MISP object template format uses the JSON [RFC8259] format.  Each
   template is represented as a JSON object with meta information
   including the following fields: uuid, requiredOneOf, description,
   version, meta-category, name.

2.1.1.  Object Template

uuid

   uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of
   the object template.  The uuid MUST be preserved to keep consistency
   of the templates across instances.  UUID version 4 is RECOMMENDED
   when assigning it to a new object template.

   uuid is represented as a JSON string. uuid MUST be present.

requiredOneOf

   requiredOneOf is represented as a JSON list and contains a list of
   attribute relationships of which one must be present in the object to
   be created based on the given template.  The requiredOneOf field MAY
   be present.

required

   required is represented as a JSON list and contains a list of
   attribute relationships of which all must be present in the object to
   be created based on the given template.  The required field MAY be
   present.

description

   description is represented as a JSON string and contains the assigned
   meaning given to objects created using this template.  The
   description field MUST be present.

version

   version represents a numeric incrementing version of the object
   template.  It is used to associate the object to the correct version
   of the template and together with the uuid field forms an association
   to the correct template type and version.

   version is represented as a JSON string. version MUST be present.

meta-category

   meta-category represents the sub-category of objects that the given
   object template belongs to. meta-categories are not tied to a fixed
   list of options but can be created on the fly.

   meta-category is represented as a JSON string. meta-category MUST be
   present.

name

   name represents the human-readable name of the objects created using
   the given template, describing the intent of the object package.

   name is represented as a JSON string. name MUST be present.

2.1.2.  attributes

   attributes is represented as a JSON list and contains a list of
   template elements used as a template for creating the individual
   attributes within the object that is to be created with the object.

   attributes is represented as a JSON list. attributes MUST be present.

description

   description is represented as a JSON string and contains the
   description of the given attribute in the context of the object with
   the given relationship.  The description field MUST be present.

ui-priority

   ui-priority is represented by a numeric value in JSON string format
   and is meant to provide a priority for the given element in the
   object template visualisation.  The ui-priority MAY be present.

misp-attribute

   misp-attribute is represented by a JSON string or a JSON object with
   a list of values.  The value(s) are taken from the pool of types
   defined by the MISP core format's Attribute Object's type list. type
   can contain a JSON object with a list of suggested value alternatives
   encapsulated in a list within a sane_default key or a list of
   enforced value alternatives encapsulated in a values_list key.

   The misp-attribute field MUST be present.

disable_correlation

   disable_correlation is represented by a JSON boolean.  The
   disable_correlation field flags the attribute(s) created by the given
   object template element to be marked as non correlating.

   The disable_correlation field MAY be present.

categories

   categories is represented by a JSON list containing one or several
   valid options from the list of verbs valid for the category field in
   the Attribute object within the MISP core format.

   The categories field MAY be present.

multiple

   multiple is represented by a JSON boolean value.  It marks the MISP
   object template element as a multiple input field, allowing for
   several attributes to be created by the element within the same

   The multiple field MAY be present.

sane_default

   sane_default is represented by a JSON list containing one or several
   recommended/sane values for an attribute. sane_default is mutually
   exclusive with values_list.

   The sane_default field MAY be present.

values_list

   values_list is represented by a JSON list containing one or several
   fixed values for an attribute. values_list is mutually exclusive
   with sane_default.

   The values_list field MAY be present.
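
   Added example (not part of the draft and not MISP code): a Python
   check that a tool could run before ingesting a template, or an
   object built from it, received from another instance.  It applies
   the rules of sections 2.1.1 and 2.1.2 and assumes attributes is a
   JSON object keyed by relation name, as in the sample templates.
   SAMPLE_TEMPLATE, its uuid and its values are constructed; the
   requirement-name and single-value checks are added assumptions.

```python
import uuid

# Fields the draft marks as MUST be present.
TEMPLATE_MUST = ("uuid", "version", "meta-category", "name",
                 "description", "attributes")
ELEMENT_MUST = ("description", "misp-attribute")

# Constructed sample template (not taken from the MISP directory).
SAMPLE_TEMPLATE = {
    "requiredOneOf": ["username", "password"],
    "attributes": {
        "username": {"description": "Account name", "ui-priority": 1,
                     "misp-attribute": "text"},
        "password": {"description": "Password", "ui-priority": 1,
                     "misp-attribute": "text", "multiple": True},
        "format": {"description": "Password format", "ui-priority": 0,
                   "misp-attribute": "text",
                   "values_list": ["clear-text", "hashed"]},
    },
    "version": 1,
    "description": "Constructed template used to exercise the checks.",
    "meta-category": "misc",
    "uuid": "6f1c2d3e-4b5a-4c6d-8e7f-0a1b2c3d4e5f",
    "name": "demo-login",
}


def validate_template(template):
    """Return the problems found in a parsed object template."""
    problems = [f"missing top-level field: {name}"
                for name in TEMPLATE_MUST if name not in template]
    if "uuid" in template:
        try:
            uuid.UUID(str(template["uuid"]))
        except ValueError:
            problems.append("uuid is not a valid UUID")
    attributes = template.get("attributes", {})
    if not isinstance(attributes, dict):
        # Assumption: a JSON object keyed by relation name, as in the samples.
        return problems + ["attributes is not keyed by relation name"]
    for relation, element in attributes.items():
        for name in ELEMENT_MUST:
            if name not in element:
                problems.append(f"{relation}: missing {name}")
        if "sane_default" in element and "values_list" in element:
            problems.append(f"{relation}: sane_default and values_list "
                            "are mutually exclusive")
        for flag in ("multiple", "disable_correlation"):
            if flag in element and not isinstance(element[flag], bool):
                problems.append(f"{relation}: {flag} is not a JSON boolean")
    # Added consistency check: requirement lists name defined relations only.
    for key in ("requiredOneOf", "required"):
        for relation in template.get(key, []):
            if relation not in attributes:
                problems.append(f"{key} names undefined relation: {relation}")
    return problems


def validate_object(template, attributes):
    """Check one object's (object_relation, value) pairs against a template."""
    elements = template["attributes"]
    problems = []
    seen = {}
    for relation, value in attributes:
        element = elements.get(relation)
        if element is None:
            problems.append(f"unknown object_relation: {relation}")
            continue
        seen[relation] = seen.get(relation, 0) + 1
        # values_list holds enforced values; sane_default only suggests them.
        allowed = element.get("values_list")
        if allowed is not None and value not in allowed:
            problems.append(f"{relation}: value {value!r} not in values_list")
    for relation, count in seen.items():
        # Assumption: without "multiple": true, one attribute per element.
        if count > 1 and not elements[relation].get("multiple", False):
            problems.append(f"{relation}: repeated but not marked multiple")
    one_of = template.get("requiredOneOf", [])
    if one_of and not any(relation in seen for relation in one_of):
        problems.append("none of requiredOneOf present: " + ", ".join(one_of))
    for relation in template.get("required", []):
        if relation not in seen:
            problems.append(f"required relation missing: {relation}")
    return problems


if __name__ == "__main__":
    print(validate_template(SAMPLE_TEMPLATE))
    print(validate_object(SAMPLE_TEMPLATE,
                          [("format", "rot13"), ("ip", "192.0.2.1")]))
```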

2.1.3.  Sample Object Template object

   The MISP object template directory is publicly available [MISP-O] in
   a git repository and contains more than 60 object templates.  As
   illustration, two sample object templates are included.

credit-card object template

{
  "requiredOneOf": [ ... ],
  "attributes": {
    "version": {
      "description": "Version of the card.",
      "ui-priority": 0,
      "misp-attribute": "text"
    },
    "comment": {
      "description": "A description of the card.",
      "ui-priority": 0,
      "misp-attribute": "comment"
    },
    "card-security-code": {
      "description": "Card security code (CSC, CVD, CVV, CVC and SPC) as embossed or printed on the card.",
      "ui-priority": 0,
      "misp-attribute": "text"
    },
    "name": {
      "description": "Name of the card owner.",
      "ui-priority": 0,
      "misp-attribute": "text"
    },
    "issued": {
      "description": "Initial date of validity or issued date.",
      "ui-priority": 0,
      "misp-attribute": "datetime"
    },
    "expiration": {
      "description": "Maximum date of validity",
      "ui-priority": 0,
      "misp-attribute": "datetime"
    },
    "cc-number": {
      "description": "credit-card number as encoded on the card.",
      "ui-priority": 0,
      "misp-attribute": "cc-number"
    }
  },
  "version": 2,
  "description": "A payment card like credit card, debit card or any similar cards which can be used for financial transactions.",
  "meta-category": "financial",
  "uuid": "2b9c57aa-daba-4330-a738-56f18743b0c7",
  "name": "credit-card"
}

credential object template

{
  "requiredOneOf": [ ... ],
  "attributes": {
    "text": {
      "description": "A description of the credential(s)",
      "disable_correlation": true,
      "ui-priority": 1,
      "misp-attribute": "text"
    },
    "username": {
      "description": "Username related to the password(s)",
      "ui-priority": 1,
      "misp-attribute": "text"
    },
    "password": {
      "description": "Password",
      "multiple": true,
      "ui-priority": 1,
      "misp-attribute": "text"
    },
    "type": {
      "description": "Type of password(s)",
      "ui-priority": 1,
      "misp-attribute": "text",
      "values_list": [ ... ]
    },
    "origin": {
      "description": "Origin of the credential(s)",
      "ui-priority": 1,
      "misp-attribute": "text",
      "sane_default": [ ... ]
    },
    "format": {
      "description": "Format of the password(s)",
      "ui-priority": 1,
      "misp-attribute": "text",
      "values_list": [ ... ]
    },
    "notification": {
      "description": "Mention of any notification(s) towards the potential owner(s) of the credential(s)",
      "ui-priority": 1,
      "misp-attribute": "text",
      "multiple": true,
      "values_list": [ ... ]
    }
  },
  "version": 2,
  "description": "Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s).",
  "meta-category": "misc",
  "uuid": "a27e98c9-9b0e-414c-8076-d201e039ca09",
  "name": "credential"
}

2.1.4.  Object Relationships

name

   name represents the human-readable relationship type which can be
   used when creating MISP object relations.

   name is represented as a JSON string. name MUST be present.

description

   description is represented as a JSON string and contains the
   description of the object relationship type.  The description field
   MUST be present.

format

   format is represented by a JSON list containing a list of formats
   that the relationship type is valid for and can be mapped to.  The
   format field MUST be present.

3.  Directory

   The MISP object template directory is publicly available [MISP-O] in
   a git repository.  The repository contains an objects directory,
   which contains a directory per object type, containing a file named
   definition.json which contains the definition of the object template
   in the above described format.

   A relationships directory is also included, containing a
   definition.json file which contains a list of MISP object relation
   definitions.  There are more than 125 existing object templates
   documented in [MISP-O-DOC].

3.1.  Existing and public MISP object templates

   *  objects/ADS (
      objects/blob/main/objects/ADS/definition.json) - An object
      defining ADS - Alerting and Detection Strategy by PALANTIR.  Can
      be used for detection engineering.
   *  objects/abuseipdb (
      objects/blob/main/objects/abuseipdb/definition.json) - AbuseIPDB
      checks an ip address, domain name, or subnet against a central
   *  objects/ai-chat-prompt (
      objects/blob/main/objects/ai-chat-prompt/definition.json) - Object
      describing an AI prompt such as ChatGPT.
   *  objects/ail-leak (
      objects/blob/main/objects/ail-leak/definition.json) - An
      information leak as defined by the AIL Analysis Information Leak
   *  objects/ais (
      objects/blob/main/objects/ais/definition.json) - Automatic
      Identification System (AIS) is an automatic tracking system that
      uses transceivers on ships.
   *  objects/ais-info (
      objects/blob/main/objects/ais-info/definition.json) - Automated
      Indicator Sharing (AIS) Information Source Markings.
   *  objects/android-app (
      objects/blob/main/objects/android-app/definition.json) -
      Indicators related to an Android app.
   *  objects/android-permission (
      objects/blob/main/objects/android-permission/definition.json) - A
      set of android permissions - one or more permission(s) which can
      be linked to other objects (e.g. malware, app).
   *  objects/annotation (
      objects/blob/main/objects/annotation/definition.json) - An
      annotation object allowing analysts to add annotations, comments,
      executive summary to a MISP event, objects or attributes.
   *  objects/anonymisation (
      objects/blob/main/objects/anonymisation/definition.json) -
      Anonymisation object describing an anonymisation technique used to
      encode MISP attribute values.  Reference:
   *  objects/apivoid-email-verification (
      definition.json) - Apivoid email verification API result.
   *  objects/artifact (
      objects/blob/main/objects/artifact/definition.json) - The Artifact
      object permits capturing an array of bytes (8-bits), as a
      base64-encoded string, or linking to a file-like payload.  From
      STIX 2.1 (6.1).
   *  objects/asn (
      objects/blob/main/objects/asn/definition.json) - Autonomous system
      object describing an autonomous system which can include one or
      more network operators managing an entity (e.g.  ISP) along with
      their routing policy, routing prefixes or alike.
   *  objects/attack-pattern (
      objects/blob/main/objects/attack-pattern/definition.json) - Attack
      pattern describing a common attack pattern enumeration and
   *  objects/attack-step (
      objects/blob/main/objects/attack-step/definition.json) - An object
      defining a singular attack-step.  Especially useful for red/purple
      teaming, but can also be used for actual attacks.
   *  objects/authentication-failure-report (
      definition.json) - Authentication Failure Report.
   *  objects/authenticode-signerinfo (
      - Authenticode Signer Info.
   *  objects/av-signature (
      objects/blob/main/objects/av-signature/definition.json) -
      Antivirus detection signature.
   *  objects/availability-impact (
      objects/blob/main/objects/availability-impact/definition.json) -
      Availability Impact object as described in STIX 2.1 Incident
      object extension.
   *  objects/bank-account (
      objects/blob/main/objects/bank-account/definition.json) - An
      object describing bank account information based on account
      description from goAML 4.0.
   *  objects/bgp-hijack (
      objects/blob/main/objects/bgp-hijack/definition.json) - Object
      encapsulating BGP Hijack description as specified, for example, by
   *  objects/bgp-ranking (
      objects/blob/main/objects/bgp-ranking/definition.json) - BGP
      Ranking object describing the ranking of an ASN for a given day,
      along with its position, 1 being the most malicious ASN of the
      day, with the highest ranking.  This object is meant to have a
      relationship with the corresponding ASN object and represents its
      ranking for a specific date.
   *  objects/blog (
      objects/blob/main/objects/blog/definition.json) - Blog post like
      Medium or WordPress.
   *  objects/boleto (
      objects/blob/main/objects/boleto/definition.json) - A common form
      of payment used in Brazil.
   *  objects/btc-transaction (
      objects/blob/main/objects/btc-transaction/definition.json) - An
      object to describe a Bitcoin transaction.  Best to be used with
   *  objects/btc-wallet (
      objects/blob/main/objects/btc-wallet/definition.json) - An object
      to describe a Bitcoin wallet.  Best to be used with btc-
      transaction object.
   *  objects/c2-list (
      objects/blob/main/objects/c2-list/definition.json) - List of
      C2-servers with common ground, e.g. extracted from a blog post or
      ransomware analysis.
   *  objects/cap-alert (
      objects/blob/main/objects/cap-alert/definition.json) - Common
      Alerting Protocol Version (CAP) alert object.
   *  objects/cap-info (
      objects/blob/main/objects/cap-info/definition.json) - Common
      Alerting Protocol Version (CAP) info object.
   *  objects/cap-resource (
      objects/blob/main/objects/cap-resource/definition.json) - Common
      Alerting Protocol Version (CAP) resource object.
   *  objects/cloth (
      objects/blob/main/objects/cloth/definition.json) - Describes
      clothes a natural person wears.
   *  objects/coin-address (
      objects/blob/main/objects/coin-address/definition.json) - An
      address used in a cryptocurrency.
   *  objects/command (
      objects/blob/main/objects/command/definition.json) - Command
      functionalities related to specific commands executed by a
      program, whether it is malicious or not.  Command-line are
      attached to this object for the related commands.
   *  objects/command-line (
      objects/blob/main/objects/command-line/definition.json) - Command
      line and options related to a specific command executed by a
      program, whether it is malicious or not.
   *  objects/concordia-mtmf-intrusion-set (
      definition.json) - Intrusion Set - Phase Description.
   *  objects/confidentiality-impact (
      - Confidentiality Impact object as described in STIX 2.1 Incident
      object extension.
   *  objects/cookie (
      objects/blob/main/objects/cookie/definition.json) - An HTTP cookie
      (web cookie, browser cookie) is a small piece of data that a
      server sends to the user's web browser.  The browser may store it
      and send it back with the next request to the same server.
      Typically, it's used to tell if two requests came from the same
      browser — keeping a user logged-in, for example.  It remembers
      stateful information for the stateless HTTP protocol.  As defined
      by the Mozilla foundation.
   *  objects/cortex (
      objects/blob/main/objects/cortex/definition.json) - Cortex object
      describing a complete Cortex analysis.  Observables would be
      attribute with a relationship from this object.
   *  objects/cortex-taxonomy (
      objects/blob/main/objects/cortex-taxonomy/definition.json) -
      Cortex object describing a Cortex Taxonomy (or mini report).
   *  objects/course-of-action (
      objects/blob/main/objects/course-of-action/definition.json) - An
      object describing a specific measure taken to prevent or respond
      to an attack.
   *  objects/covid19-csse-daily-report (
      definition.json) - CSSE COVID-19 Daily report.
   *  objects/covid19-dxy-live-city (
      objects/blob/main/objects/covid19-dxy-live-city/definition.json) -
      COVID 19 from - Aggregation by city.
   *  objects/covid19-dxy-live-province (
      definition.json) - COVID 19 from - Aggregation by province.
   *  objects/cowrie (
      objects/blob/main/objects/cowrie/definition.json) - Cowrie
      honeypot object template.
   *  objects/cpe-asset (
      objects/blob/main/objects/cpe-asset/definition.json) - An asset
      which can be defined by a CPE.  This can be a generic asset.  CPE
      is a structured naming scheme for information technology systems,
      software, and packages.
   *  objects/credential (
      objects/blob/main/objects/credential/definition.json) - Credential
      describes one or more credential(s) including password(s), api
      key(s) or decryption key(s).
   *  objects/credit-card (
      objects/blob/main/objects/credit-card/definition.json) - A payment
      card like credit card, debit card or any similar cards which can
      be used for financial transactions.
   *  objects/crowdsec-ip-context (
      objects/blob/main/objects/crowdsec-ip-context/definition.json) -
      CrowdSec Threat Intelligence - IP CTI search.
   *  objects/crowdstrike-report (
      objects/blob/main/objects/crowdstrike-report/definition.json) - An
      Object Template to encode a Crowdstrike detection report.
   *  objects/crypto-material (
      objects/blob/main/objects/crypto-material/definition.json) -
      Cryptographic materials such as public or/and private keys.
   *  objects/cryptocurrency-transaction (
      definition.json) - An object to describe a cryptocurrency
   *  objects/cs-beacon-config (
      objects/blob/main/objects/cs-beacon-config/definition.json) -
      Cobalt Strike Beacon Config.
   *  objects/cytomic-orion-file (
      objects/blob/main/objects/cytomic-orion-file/definition.json) -
      Cytomic Orion File Detection.
   *  objects/cytomic-orion-machine (
      objects/blob/main/objects/cytomic-orion-machine/definition.json) -
      Cytomic Orion File at Machine Detection.
   *  objects/dark-pattern-item (
      objects/blob/main/objects/dark-pattern-item/definition.json) - An
      Item whose User Interface implements a dark pattern.
   *  objects/ddos (
      objects/blob/main/objects/ddos/definition.json) - DDoS object
      describes a current DDoS activity from a specific or/and to a
      specific target.  Type of DDoS can be attached to the object as a
      taxonomy or using the type field.
   *  objects/device (
      objects/blob/main/objects/device/definition.json) - An object to
      define a device.
   *  objects/diameter-attack (
      objects/blob/main/objects/diameter-attack/definition.json) -
      Attack as seen on the diameter signaling protocol supporting LTE
   *  objects/diamond-event (
      objects/blob/main/objects/diamond-event/definition.json) - A
      diamond model event object consisting of the four diamond features
      adversary, infrastructure, capability and victim, several meta-
      features and ioc attributes.
   *  objects/directory (
      objects/blob/main/objects/directory/definition.json) - Directory
      object describing a directory with meta-information.
   *  objects/dkim (
      objects/blob/main/objects/dkim/definition.json) - DomainKeys
      Identified Mail - DKIM.
   *  objects/dns-record (
      objects/blob/main/objects/dns-record/definition.json) - A set of
      DNS records observed for a specific domain.
   *  objects/domain-crawled (
      objects/blob/main/objects/domain-crawled/definition.json) - A
      domain crawled over time.
   *  objects/domain-ip (
      objects/blob/main/objects/domain-ip/definition.json) - A domain/
      hostname and IP address seen as a tuple in a specific time frame.
   *  objects/edr-report (
      objects/blob/main/objects/edr-report/definition.json) - An Object
      Template to encode an EDR detection report.
   *  objects/elf (
      objects/blob/main/objects/elf/definition.json) - Object describing
      an Executable and Linkable Format.
   *  objects/elf-section (
      objects/blob/main/objects/elf-section/definition.json) - Object
      describing a section of an Executable and Linkable Format.
   *  objects/email (
      objects/blob/main/objects/email/definition.json) - Email object
      describing an email with meta-information.
   *  objects/employee (
      objects/blob/main/objects/employee/definition.json) - An employee
      and related data points.
   *  objects/error-message (
      objects/blob/main/objects/error-message/definition.json) - An
      error message which can be related to the processing of data such
      as import, export scripts from the original MISP instance.
   *  objects/event (
      objects/blob/main/objects/event/definition.json) - Event object as
      described in STIX 2.1 Incident object extension.
   *  objects/exploit (
      objects/blob/main/objects/exploit/definition.json) - Exploit
      object describes a program in binary or source code form used to
      abuse one or more vulnerabilities.
   *  objects/exploit-poc (
      objects/blob/main/objects/exploit-poc/definition.json) - Exploit-
      poc object describing a proof of concept or exploit of a
      vulnerability.  This object has often a relationship with a
      vulnerability object.
   *  objects/external-impact (
      objects/blob/main/objects/external-impact/definition.json) -
      External Impact object as described in STIX 2.1 Incident object
   *  objects/facebook-account (
      objects/blob/main/objects/facebook-account/definition.json) -
      Facebook account.
   *  objects/facebook-group (
      objects/blob/main/objects/facebook-group/definition.json) - Public
      or private facebook group.
   *  objects/facebook-page (
      objects/blob/main/objects/facebook-page/definition.json) -
      Facebook page.
   *  objects/facebook-post (
      objects/blob/main/objects/facebook-post/definition.json) - Post on
      a Facebook wall.
   *  objects/facebook-reaction (
      objects/blob/main/objects/facebook-reaction/definition.json) -
      Reaction to facebook posts.
   *  objects/facial-composite (
      objects/blob/main/objects/facial-composite/definition.json) - An
      object which describes a facial composite.
   *  objects/fail2ban (
      objects/blob/main/objects/fail2ban/definition.json) - Fail2ban
   *  objects/favicon (
      objects/blob/main/objects/favicon/definition.json) - A favicon,
      also known as a shortcut icon, website icon, tab icon, URL icon,
      or bookmark icon, is a file containing one or more small icons,
      associated with a particular website or web page.  The object
      template can include the murmur3 hash of the favicon to facilitate
   *  objects/file (
      objects/blob/main/objects/file/definition.json) - File object
      describing a file with meta-information.
   *  objects/flowintel-cm-case (
      objects/blob/main/objects/flowintel-cm-case/definition.json) - A
      case as defined by flowintel-cm.
   *  objects/flowintel-cm-task (
      objects/blob/main/objects/flowintel-cm-task/definition.json) - A
      task as defined by flowintel-cm.
   *  objects/forensic-case (
      objects/blob/main/objects/forensic-case/definition.json) - An
      object template to describe a digital forensic case.
   *  objects/forensic-evidence (
      objects/blob/main/objects/forensic-evidence/definition.json) - An
      object template to describe a digital forensic evidence.
   *  objects/forged-document (
      objects/blob/main/objects/forged-document/definition.json) -
      Object describing a forged document.
   *  objects/ftm-Airplane (
      objects/blob/main/objects/ftm-Airplane/definition.json) - An
      airplane, helicopter or other flying vehicle.
   *  objects/ftm-Assessment (
      objects/blob/main/objects/ftm-Assessment/definition.json) -
      Assessment with meta-data.
   *  objects/ftm-Asset (
      objects/blob/main/objects/ftm-Asset/definition.json) - A piece of
      property which can be owned and assigned a monetary value.
   *  objects/ftm-Associate (
      objects/blob/main/objects/ftm-Associate/definition.json) - Non-
      family association between two people.
   *  objects/ftm-Audio (
      objects/blob/main/objects/ftm-Audio/definition.json) - Audio with
   *  objects/ftm-BankAccount (
      objects/blob/main/objects/ftm-BankAccount/definition.json) - An
      account held at a bank and controlled by an owner.  This may also
      be used to describe more complex arrangements like correspondent
      bank settlement accounts.
   *  objects/ftm-Call (
      objects/blob/main/objects/ftm-Call/definition.json) - Phone call
      object template including the call and all associated meta-data.
   *  objects/ftm-Company (
      objects/blob/main/objects/ftm-Company/definition.json) - A legal
      entity representing an association of people, whether natural,
      legal or a mixture of both, with a specific objective.
   *  objects/ftm-Contract (
      objects/blob/main/objects/ftm-Contract/definition.json) - A
      contract or contract lot issued by an authority.  Multiple lots
      may be awarded to different suppliers (see ContractAward).
   *  objects/ftm-ContractAward (
      objects/blob/main/objects/ftm-ContractAward/definition.json) - A
      contract or contract lot as awarded to a supplier.
   *  objects/ftm-CourtCase (
      objects/blob/main/objects/ftm-CourtCase/definition.json) - Court
   *  objects/ftm-CourtCaseParty (
      objects/blob/main/objects/ftm-CourtCaseParty/definition.json) -
      Court Case Party.
   *  objects/ftm-Debt (
      objects/blob/main/objects/ftm-Debt/definition.json) - A monetary
      debt between two parties.
   *  objects/ftm-Directorship (
      objects/blob/main/objects/ftm-Directorship/definition.json) -
   *  objects/ftm-Document (
      objects/blob/main/objects/ftm-Document/definition.json) -
   *  objects/ftm-Documentation (
      objects/blob/main/objects/ftm-Documentation/definition.json) -
   *  objects/ftm-EconomicActivity (
      objects/blob/main/objects/ftm-EconomicActivity/definition.json) -
      A foreign economic activity.
   *  objects/ftm-Email (
      objects/blob/main/objects/ftm-Email/definition.json) - Email.
   *  objects/ftm-Event (
      objects/blob/main/objects/ftm-Event/definition.json) - Event.
   *  objects/ftm-Family (
      objects/blob/main/objects/ftm-Family/definition.json) - Family
      relationship between two people.
   *  objects/ftm-Folder (
      objects/blob/main/objects/ftm-Folder/definition.json) - Folder.
   *  objects/ftm-HyperText (
      objects/blob/main/objects/ftm-HyperText/definition.json) -
   *  objects/ftm-Image (
      objects/blob/main/objects/ftm-Image/definition.json) - Image.
   *  objects/ftm-Land (
      objects/blob/main/objects/ftm-Land/definition.json) - Land.
   *  objects/ftm-LegalEntity (
      objects/blob/main/objects/ftm-LegalEntity/definition.json) - A
      legal entity may be a person or a company.
   *  objects/ftm-License (
      objects/blob/main/objects/ftm-License/definition.json) - A grant
      of land, rights or property.  A type of Contract.
   *  objects/ftm-Membership (
      objects/blob/main/objects/ftm-Membership/definition.json) -
   *  objects/ftm-Message (
      objects/blob/main/objects/ftm-Message/definition.json) - Message.
   *  objects/ftm-Organization (
      objects/blob/main/objects/ftm-Organization/definition.json) -
   *  objects/ftm-Ownership (
      objects/blob/main/objects/ftm-Ownership/definition.json) -
   *  objects/ftm-Package (
      objects/blob/main/objects/ftm-Package/definition.json) - Package.
   *  objects/ftm-Page (
      objects/blob/main/objects/ftm-Page/definition.json) - Page.
   *  objects/ftm-Pages (
      objects/blob/main/objects/ftm-Pages/definition.json) - Pages.
   *  objects/ftm-Passport (
      objects/blob/main/objects/ftm-Passport/definition.json) -
   *  objects/ftm-Payment (
      objects/blob/main/objects/ftm-Payment/definition.json) - A
      monetary payment between two parties.
   *  objects/ftm-Person (
      objects/blob/main/objects/ftm-Person/definition.json) - An
   *  objects/ftm-PlainText (
      objects/blob/main/objects/ftm-PlainText/definition.json) -
   *  objects/ftm-PublicBody (
      objects/blob/main/objects/ftm-PublicBody/definition.json) - A
      public body, such as a ministry, department or state company.
   *  objects/ftm-RealEstate (
      objects/blob/main/objects/ftm-RealEstate/definition.json) - A
      piece of land or property.
   *  objects/ftm-Representation (
      objects/blob/main/objects/ftm-Representation/definition.json) - A
      mediatory, intermediary, middleman, or broker acting on behalf of
      a legal entity.
   *  objects/ftm-Row (
      objects/blob/main/objects/ftm-Row/definition.json) - Row.
   *  objects/ftm-Sanction (
      objects/blob/main/objects/ftm-Sanction/definition.json) - A
      sanction designation.
   *  objects/ftm-Succession (
      objects/blob/main/objects/ftm-Succession/definition.json) - Two
      entities that legally succeed each other.
   *  objects/ftm-Table (
      objects/blob/main/objects/ftm-Table/definition.json) - Table.
   *  objects/ftm-TaxRoll (
      objects/blob/main/objects/ftm-TaxRoll/definition.json) - A tax
      declaration of an individual.
   *  objects/ftm-UnknownLink (
      objects/blob/main/objects/ftm-UnknownLink/definition.json) -
      Unknown Link.
   *  objects/ftm-UserAccount (
      objects/blob/main/objects/ftm-UserAccount/definition.json) - User
   *  objects/ftm-Vehicle (
      objects/blob/main/objects/ftm-Vehicle/definition.json) - Vehicle.
   *  objects/ftm-Vessel (
      objects/blob/main/objects/ftm-Vessel/definition.json) - A boat or
   *  objects/ftm-Video (
      objects/blob/main/objects/ftm-Video/definition.json) - Video.
   *  objects/ftm-Workbook (
      objects/blob/main/objects/ftm-Workbook/definition.json) -
   *  objects/game-cheat (
      objects/blob/main/objects/game-cheat/definition.json) - Describes
      a game cheat or a cheatware.
   *  objects/geolocation (
      objects/blob/main/objects/geolocation/definition.json) - An object
      to describe a geographic location.
   *  objects/git-vuln-finder (
      objects/blob/main/objects/git-vuln-finder/definition.json) -
      Export from git-vuln-finder.
   *  objects/github-user (
      objects/blob/main/objects/github-user/definition.json) - GitHub
   *  objects/gitlab-user (
      objects/blob/main/objects/gitlab-user/definition.json) - GitLab
      user. user or self-hosted GitLab instance.
   *  objects/google-safe-browsing (
      objects/blob/main/objects/google-safe-browsing/definition.json) -
      Google Safe checks a URL against Google's constantly updated list
      of unsafe web resources.
   *  objects/greynoise-ip (
      objects/blob/main/objects/greynoise-ip/definition.json) -
      GreyNoise IP Information.
   *  objects/gtp-attack (
      objects/blob/main/objects/gtp-attack/definition.json) - GTP attack
      object as attack as seen on the GTP signaling protocol supporting
      GPRS/LTE networks.
   *  objects/hashlookup (
      objects/blob/main/objects/hashlookup/definition.json) - hashlookup
      object as described on hashlookup services from -
   *  objects/hhhash (
      objects/blob/main/objects/hhhash/definition.json) - An object
      describing a HHHash object with the hash value along with the
      crawling parameters.  For more information:
   *  objects/http-request (
      objects/blob/main/objects/http-request/definition.json) - A single
      HTTP request header.
   *  objects/identity (
      objects/blob/main/objects/identity/definition.json) - Identities
      can represent actual individuals, organizations, or groups (e.g.,
      ACME, Inc.) as well as classes of individuals, organizations,
      systems or groups (e.g., the finance sector).  The Identity SDO
      can capture basic identifying information, contact information,
      and the sectors that the Identity belongs to.  Identity is used in
      STIX to represent, among other things, targets of attacks,
      information sources, object creators, and threat actor identities.
      (ref.  STIX 2.1 - 4.5).
   *  objects/ilr-impact (
      objects/blob/main/objects/ilr-impact/definition.json) - Institut
      Luxembourgeois de Regulation - Impact.
   *  objects/ilr-notification-incident (
      definition.json) - Institut Luxembourgeois de Regulation -
      Notification d'incident.
   *  objects/image (
      objects/blob/main/objects/image/definition.json) - Object
      describing an image file.
   *  objects/impersonation (
      objects/blob/main/objects/impersonation/definition.json) -
      Represent an impersonating account.
   *  objects/imsi-catcher (
      objects/blob/main/objects/imsi-catcher/definition.json) - IMSI
      Catcher entry object based on the open source IMSI catcher.
   *  objects/incident (
      objects/blob/main/objects/incident/definition.json) - Incident
      object template as described in STIX 2.1 Incident object and its
      core extension.
   *  objects/infrastructure (
      objects/blob/main/objects/infrastructure/definition.json) - The
      Infrastructure object represents a type of TTP and describes any
      systems, software services and any associated physical or virtual
      resources intended to support some purpose (e.g., C2 servers used
      as part of an attack, device or server that are part of defense,
      database servers targeted by an attack, etc.).  While elements of
      an attack can be represented by other objects, the Infrastructure
      object represents a named group of related data that constitutes
      the infrastructure.  STIX 2.1 - 4.8.
   *  objects/instant-message (
      objects/blob/main/objects/instant-message/definition.json) -
      Instant Message (IM) object template describing one or more IM
   *  objects/instant-message-group (
      objects/blob/main/objects/instant-message-group/definition.json) -
      Instant Message (IM) group object template describing a public or
      private IM group, channel or conversation.
   *  objects/integrity-impact (
      objects/blob/main/objects/integrity-impact/definition.json) -
      Integrity Impact object as described in STIX 2.1 Incident object
   *  objects/intel471-vulnerability-intelligence
      vulnerability-intelligence/definition.json) - Intel 471
      vulnerability intelligence object.
   *  objects/intelmq_event (
      objects/blob/main/objects/intelmq_event/definition.json) - IntelMQ
   *  objects/intelmq_report (
      objects/blob/main/objects/intelmq_report/definition.json) -
      IntelMQ Report.
   *  objects/internal-reference (
      objects/blob/main/objects/internal-reference/definition.json) -
      Internal reference.
   *  objects/interpol-notice (
      objects/blob/main/objects/interpol-notice/definition.json) - An
      object which describes an Interpol notice.
   *  objects/intrusion-set (
      objects/blob/main/objects/intrusion-set/definition.json) - An
      object template describing an Intrusion Set as defined in STIX
      2.1.  An Intrusion Set is a grouped set of adversarial behaviors
      and resources with common properties that is believed to be
      orchestrated by a single organization.  An Intrusion Set may
      capture multiple Campaigns or other activities that are all tied
      together by shared attributes indicating a commonly known or
      unknown Threat Actor.  New activity can be attributed to an
      Intrusion Set even if the Threat Actors behind the attack are not
      known.  Threat Actors can move from supporting one Intrusion Set
      to supporting another, or they may support multiple Intrusion
      Sets.  Where a Campaign is a set of attacks over a period of time
      against a specific set of targets to achieve some objective, an
      Intrusion Set is the entire attack package and may be used over a
      very long period of time in multiple Campaigns to achieve
      potentially multiple purposes.  While sometimes an Intrusion Set
      is not active, or changes focus, it is usually difficult to know
      if it has truly disappeared or ended.  Analysts may have varying
      level of fidelity on attributing an Intrusion Set back to Threat
      Actors and may be able to only attribute it back to a nation state
      or perhaps back to an organization within that nation state.
   *  objects/iot-device (
      objects/blob/main/objects/iot-device/definition.json) - An IoT
   *  objects/iot-firmware (
      objects/blob/main/objects/iot-firmware/definition.json) - A
      firmware for an IoT device.
   *  objects/ip-api-address (
      objects/blob/main/objects/ip-api-address/definition.json) - IP
      Address information.  Useful if you are pulling your ip
      information from
   *  objects/ip-port (
      objects/blob/main/objects/ip-port/definition.json) - An IP address
      (or domain or hostname) and a port seen as a tuple (or as a
      triple) in a specific time frame.
   *  objects/irc (
      objects/blob/main/objects/irc/definition.json) - An IRC object to
      describe an IRC server and the associated channels.
   *  objects/ja3 (
      objects/blob/main/objects/ja3/definition.json) - JA3 is a new
      technique for creating SSL client fingerprints that are easy to
      produce and can be easily shared for threat intelligence.
      Fingerprints are composed of Client Hello packet; SSL Version,
      Accepted Ciphers, List of Extensions, Elliptic Curves, and
      Elliptic Curve Formats.
   *  objects/ja3s (
      objects/blob/main/objects/ja3s/definition.json) - JA3S is JA3 for
      the Server side of the SSL/TLS communication and fingerprints how
      servers respond to particular clients.  JA3S fingerprints are
      composed of Server Hello packet; SSL Version, Cipher,
   *  objects/jarm (
      objects/blob/main/objects/jarm/definition.json) - Jarm object to
      describe a TLS/SSL implementation used for malicious or
      legitimate use-case.
   *  objects/keybase-account (
      objects/blob/main/objects/keybase-account/definition.json) -
      Information related to a keybase account, from API Users Object.
   *  objects/language-content (
      objects/blob/main/objects/language-content/definition.json) - The
      Language Content object represents text content for objects
      represented in languages other than that of the original object.
      Language content may be a translation of the original object by a
      third-party, a first-source translation by the original publisher,
      or additional official language content provided at the time of
      creation.  STIX 2.1 ref 7.1.
   *  objects/leaked-document (
      objects/blob/main/objects/leaked-document/definition.json) -
      Object describing a leaked document.
   *  objects/legal-entity (
      objects/blob/main/objects/legal-entity/definition.json) - An
      object to describe a legal entity.
   *  objects/lnk (
      objects/blob/main/objects/lnk/definition.json) - LNK object
      describing a Windows LNK binary file (aka Windows shortcut).
   *  objects/macho (
      objects/blob/main/objects/macho/definition.json) - Object
      describing a file in Mach-O format.
   *  objects/macho-section (
      objects/blob/main/objects/macho-section/definition.json) - Object
      describing a section of a file in Mach-O format.
   *  objects/mactime-timeline-analysis (
      definition.json) - Mactime template, used in forensic
      investigations to describe the timeline of a file activity.
   *  objects/malware (
      objects/blob/main/objects/malware/definition.json) - Malware is a
      type of TTP that represents malicious code.
   *  objects/malware-analysis (
      objects/blob/main/objects/malware-analysis/definition.json) -
      Malware Analysis captures the metadata and results of a particular
      static or dynamic analysis performed on a malware instance or
   *  objects/malware-config (
      objects/blob/main/objects/malware-config/definition.json) -
      Malware configuration recovered or extracted from a malicious
   *  objects/meme-image (
      objects/blob/main/objects/meme-image/definition.json) - Object
      describing a meme (image).
   *  objects/microblog (
      objects/blob/main/objects/microblog/definition.json) - Microblog
      post like a Twitter tweet or a post on a Facebook wall.
   *  objects/monetary-impact (
      objects/blob/main/objects/monetary-impact/definition.json) -
      Monetary Impact object as described in STIX 2.1 Incident object
   *  objects/mutex (
      objects/blob/main/objects/mutex/definition.json) - Object to
      describe mutual exclusion locks (mutex) as seen in memory or
      computer program.
   *  objects/narrative (
      objects/blob/main/objects/narrative/definition.json) - Object
      describing a narrative.
   *  objects/netflow (
      objects/blob/main/objects/netflow/definition.json) - Netflow
      object describes a network object based on the Netflowv5/v9
      minimal definition.
   *  objects/network-connection (
      objects/blob/main/objects/network-connection/definition.json) - A
      local or remote network connection.
   *  objects/network-profile (
      objects/blob/main/objects/network-profile/definition.json) -
      Elements that can be used to profile, pivot or identify a network
      infrastructure, including domains, ip and urls.
   *  objects/network-socket (
      objects/blob/main/objects/network-socket/definition.json) -
      Network socket object describes local or remote network
      connections based on the socket data structure.
   *  objects/news-agency (
      objects/blob/main/objects/news-agency/definition.json) - News
      agencies compile news and disseminate news in bulk.
   *  objects/news-media (
      objects/blob/main/objects/news-media/definition.json) - News media
      are forms of mass media delivering news to the general public.
   *  objects/open-data-security (
      objects/blob/main/objects/open-data-security/definition.json) - An
      object describing an open dataset available and described under
      the open data security model. ref.
      data-security (
   *  objects/organization (
      objects/blob/main/objects/organization/definition.json) - An
      object which describes an organization.
   *  objects/original-imported-file (
      - Object describing the original file used to import data in MISP.
   *  objects/paloalto-threat-event (
      objects/blob/main/objects/paloalto-threat-event/definition.json) -
      Palo Alto Threat Log Event.
   *  objects/parler-account (
      objects/blob/main/objects/parler-account/definition.json) - Parler
   *  objects/parler-comment (
      objects/blob/main/objects/parler-comment/definition.json) - Parler
   *  objects/parler-post (
      objects/blob/main/objects/parler-post/definition.json) - Parler
      post (parley).
   *  objects/passive-dns (
      objects/blob/main/objects/passive-dns/definition.json) - Passive
      DNS records as expressed in draft-dulaunoy-dnsop-passive-dns-cof-
      07.  See
      dns-cof-07.html (
   *  objects/passive-dns-dnsdbflex (
      objects/blob/main/objects/passive-dns-dnsdbflex/definition.json) -
      DNSDBFLEX object.  This object is used at farsight security.
      Roughly based on Passive DNS records as expressed in draft-
      dulaunoy-dnsop-passive-dns-cof-07.  See
   *  objects/passive-ssh (
      objects/blob/main/objects/passive-ssh/definition.json) - Passive-
      ssh object as described on passive-ssh services from - (
   *  objects/paste (
      objects/blob/main/objects/paste/definition.json) - Paste or
      similar post from a website that allows posts to be shared
      privately or publicly.
   *  objects/pcap-metadata (
      objects/blob/main/objects/pcap-metadata/definition.json) - Network
      packet capture metadata.
   *  objects/pe (
      objects/blob/main/objects/pe/definition.json) - Object describing
      a Portable Executable.
   *  objects/pe-section (
      objects/blob/main/objects/pe-section/definition.json) - Object
      describing a section of a Portable Executable.
   *  objects/Deception PersNOna (
      objects/blob/main/objects/Deception PersNOna/definition.json) -
      Fake persona with tasks.
   *  objects/person (
      objects/blob/main/objects/person/definition.json) - An object
      which describes a person or an identity.
   *  objects/personification (
      objects/blob/main/objects/personification/definition.json) - An
      object which describes a person or an identity.
   *  objects/pgp-meta (
      objects/blob/main/objects/pgp-meta/definition.json) - Metadata
      extracted from a PGP keyblock, message or signature.
   *  objects/phishing (
      objects/blob/main/objects/phishing/definition.json) - Phishing
      template to describe a phishing website and its analysis.
   *  objects/phishing-kit (
      objects/blob/main/objects/phishing-kit/definition.json) - Object
      to describe a phishing-kit.
   *  objects/phone (
      objects/blob/main/objects/phone/definition.json) - A phone or
      mobile phone object which describes a phone.
   *  objects/physical-impact (
      objects/blob/main/objects/physical-impact/definition.json) -
      Physical Impact object as described in STIX 2.1 Incident object
   *  objects/postal-address (
      objects/blob/main/objects/postal-address/definition.json) - A
      postal address.
   *  objects/probabilistic-data-structure (
      definition.json) - Probabilistic data structure object describes a
      space-efficient data structure such as Bloom filter or similar
   *  objects/process (
      objects/blob/main/objects/process/definition.json) - Object
      describing a system process.
   *  objects/publication (
      objects/blob/main/objects/publication/definition.json) - An object
      to describe a book, journal, or academic publication.
   *  objects/python-etvx-event-log (
      objects/blob/main/objects/python-etvx-event-log/definition.json) -
      Event log object template to share information of the activities
      conducted on a system.
   *  objects/query (
      objects/blob/main/objects/query/definition.json) - An object
      describing a query, along with its format.
   *  objects/r2graphity (
      objects/blob/main/objects/r2graphity/definition.json) - Indicators
      extracted from files using radare2 and graphml.
   *  objects/ransom-negotiation (
      objects/blob/main/objects/ransom-negotiation/definition.json) - An
      object to describe ransom negotiations, as seen in ransomware
   *  objects/ransomware-group-post (
      objects/blob/main/objects/ransomware-group-post/definition.json) -
      Ransomware group post as monitored by
   *  objects/reddit-account (
      objects/blob/main/objects/reddit-account/definition.json) - Reddit
   *  objects/reddit-comment (
      objects/blob/main/objects/reddit-comment/definition.json) - A
      Reddit post comment.
   *  objects/reddit-post (
      objects/blob/main/objects/reddit-post/definition.json) - A Reddit
   *  objects/reddit-subreddit (
      objects/blob/main/objects/reddit-subreddit/definition.json) -
      Public or private subreddit.
   *  objects/regexp (
      objects/blob/main/objects/regexp/definition.json) - An object
      describing a regular expression (regex or regexp).  The object can
      be linked via a relationship to other attributes or objects to
      describe how it can be represented as a regular expression.
   *  objects/registry-key (
      objects/blob/main/objects/registry-key/definition.json) - Registry
      key object describing a Windows registry key with value and last-
      modified timestamp.
   *  objects/registry-key-value (
      objects/blob/main/objects/registry-key-value/definition.json) -
      Registry key value object describing a Windows registry key value,
      with its data, data type and name values.  To be used when a
      registry key has multiple values.
   *  objects/regripper-NTUser (
      objects/blob/main/objects/regripper-NTUser/definition.json) -
      Regripper Object template designed to present user specific
      configuration details extracted from the NTUSER.dat hive.
   *  objects/regripper-sam-hive-single-user (
      definition.json) - Regripper Object template designed to present
      user profile details extracted from the SAM hive.
   *  objects/regripper-sam-hive-user-group (
      definition.json) - Regripper Object template designed to present
      group profile details extracted from the SAM hive.
   *  objects/regripper-software-hive-BHO (
      definition.json) - Regripper Object template designed to gather
      information of the browser helper objects installed on the system.
   *  objects/regripper-software-hive-appInit-DLLS
      software-hive-appInit-DLLS/definition.json) - Regripper Object
      template designed to gather information of the DLL files installed
      on the system.
   *  objects/regripper-software-hive-application-paths
      software-hive-application-paths/definition.json) - Regripper
      Object template designed to gather information of the application
   *  objects/regripper-software-hive-applications-installed
      software-hive-applications-installed/definition.json) - Regripper
      Object template designed to gather information of the applications
      installed on the system.
   *  objects/regripper-software-hive-command-shell
      software-hive-command-shell/definition.json) - Regripper Object
      template designed to gather information of the shell commands
      executed on the system.
   *  objects/regripper-software-hive-software-run
      software-hive-software-run/definition.json) - Regripper Object
      template designed to gather information of the applications set to
      run on the system.
   *  objects/regripper-software-hive-userprofile-winlogon
      software-hive-userprofile-winlogon/definition.json) - Regripper
      Object template designed to gather user profile information when
      the user logs onto the system, gathered from the software hive.
   *  objects/regripper-software-hive-windows-general-info
      software-hive-windows-general-info/definition.json) - Regripper
      Object template designed to gather general windows information
      extracted from the software-hive.
   *  objects/regripper-system-hive-firewall-configuration
      system-hive-firewall-configuration/definition.json) - Regripper
      Object template designed to present firewall configuration
      information extracted from the system-hive.
   *  objects/regripper-system-hive-general-configuration
      system-hive-general-configuration/definition.json) - Regripper
      Object template designed to present general system properties
      extracted from the system-hive.
   *  objects/regripper-system-hive-network-information
      system-hive-network-information/definition.json) - Regripper
      object template designed to gather network information from the
   *  objects/regripper-system-hive-services-drivers
      system-hive-services-drivers/definition.json) - Regripper Object
      template designed to gather information regarding the services/
      drivers from the system-hive.
   *  objects/report (
      objects/blob/main/objects/report/definition.json) - Report object
      to describe a report along with its metadata.
   *  objects/research-scanner (
      objects/blob/main/objects/research-scanner/definition.json) -
      Information related to known scanning activity (e.g. from research
   *  objects/risk-assessment-report (
      - Risk assessment report object which includes the assessment
      report from a risk assessment platform such as MONARC.
   *  objects/rogue-dns (
      objects/blob/main/objects/rogue-dns/definition.json) - Rogue DNS
      as defined by
   *  objects/rtir (
      objects/blob/main/objects/rtir/definition.json) - RTIR - Request
      Tracker for Incident Response.
   *  objects/sandbox-report (
      objects/blob/main/objects/sandbox-report/definition.json) -
      Sandbox report.
   *  objects/sb-signature (
      objects/blob/main/objects/sb-signature/definition.json) - Sandbox
      detection signature.
   *  objects/scan-result (
      objects/blob/main/objects/scan-result/definition.json) - Scan
      result object to add meta-data and the output of the scan result
      by itself.
   *  objects/scheduled-event (
      objects/blob/main/objects/scheduled-event/definition.json) - Event
      object template describing a gathering of individuals in
   *  objects/scheduled-task (
      objects/blob/main/objects/scheduled-task/definition.json) -
      Windows scheduled task description.
   *  objects/scrippsco2-c13-daily (
      objects/blob/main/objects/scrippsco2-c13-daily/definition.json) -
      Daily average C13 concentrations (ppm) derived from flask air
   *  objects/scrippsco2-c13-monthly (
      - Monthly average C13 concentrations (ppm) derived from flask air
   *  objects/scrippsco2-co2-daily (
      objects/blob/main/objects/scrippsco2-co2-daily/definition.json) -
      Daily average CO2 concentrations (ppm) derived from flask air
   *  objects/scrippsco2-co2-monthly (
      - Monthly average CO2 concentrations (ppm) derived from flask air
   *  objects/scrippsco2-o18-daily (
      objects/blob/main/objects/scrippsco2-o18-daily/definition.json) -
      Daily average O18 concentrations (ppm) derived from flask air
   *  objects/scrippsco2-o18-monthly (
      - Monthly average O18 concentrations (ppm) derived from flask air
   *  objects/script (
      objects/blob/main/objects/script/definition.json) - Object
      describing a computer program written to be run in a special run-
      time environment.  The script or shell script can be used for
      malicious activities but also as support tools for threat
   *  objects/security-playbook (
      objects/blob/main/objects/security-playbook/definition.json) - The
      security-playbook object provides meta-information and allows
      managing, storing, and sharing cybersecurity playbooks and
      orchestration workflows.
   *  objects/shadowserver-malware-url-report (
      definition.json) - This report identifies URLs that were observed
      in exploitation attempts in the last 24 hours.  They are assumed
      to contain a malware payload or serve as C2 controllers.  If a
      payload was successfully downloaded in the last 24 hours, its
      SHA256 hash will also be published.  The data is primarily sourced
      from honeypots (in which case they will often be IoT related), but
      other sources are possible.  As always, you only receive
      information on IPs found on your network/constituency or in the
      case of a National CSIRT, your country.  Ref:
      url-report/ (

   *  objects/shell-commands (
      objects/blob/main/objects/shell-commands/definition.json) - Object
      describing a series of shell commands executed.  This object can
      be linked with malicious files in order to describe a specific
      execution of shell commands.
   *  objects/shodan-report (
      objects/blob/main/objects/shodan-report/definition.json) - Shodan
      Report for a given IP.
   *  objects/short-message-service (
      objects/blob/main/objects/short-message-service/definition.json) -
      Short Message Service (SMS) object template describing one or more
      SMS messages.  Restriction of the initial format 3GPP 23.038 GSM
      character set doesn't apply.
   *  objects/shortened-link (
      objects/blob/main/objects/shortened-link/definition.json) -
      Shortened link and its redirect target.
   *  objects/sigma (
      objects/blob/main/objects/sigma/definition.json) - An object
      describing a Sigma rule (or a Sigma rule name).
   *  objects/sigmf-archive (
      objects/blob/main/objects/sigmf-archive/definition.json) - An
      object representing an archive containing one or multiple
      recordings in the Signal Metadata Format Specification (SigMF).
   *  objects/sigmf-expanded-recording (
      definition.json) - An object representing a single IQ/RF sample in
      the Signal Metadata Format Specification (SigMF).
   *  objects/sigmf-recording (
      objects/blob/main/objects/sigmf-recording/definition.json) - An
      object representing a single IQ/RF sample in the Signal Metadata
      Format Specification (SigMF).
   *  objects/social-media-group (
      objects/blob/main/objects/social-media-group/definition.json) -
      Social media group object template describing a public or private
      group or channel.
   *  objects/software (
      objects/blob/main/objects/software/definition.json) - The Software
      object represents high-level properties associated with software,
      including software products.  STIX 2.1 - 6.14.
   *  objects/spearphishing-attachment (
      definition.json) - Spearphishing Attachment.
   *  objects/spearphishing-link (
      objects/blob/main/objects/spearphishing-link/definition.json) -
      Spearphishing Link.
   *  objects/splunk (
      objects/blob/main/objects/splunk/definition.json) - Splunk /
      Splunk ES object.

   *  objects/ss7-attack (
      objects/blob/main/objects/ss7-attack/definition.json) - SS7 object
      of an attack as seen on the SS7 signaling protocol supporting
      GSM/GPRS/UMTS networks.
   *  objects/ssh-authorized-keys (
      objects/blob/main/objects/ssh-authorized-keys/definition.json) -
      An object to store an SSH authorized keys file.
   *  objects/stix2-pattern (
      objects/blob/main/objects/stix2-pattern/definition.json) - An
      object describing a STIX pattern.  The object can be linked via a
      relationship to other attributes or objects to describe how it can
      be represented as a STIX pattern.
   *  objects/stock (
      objects/blob/main/objects/stock/definition.json) - Object to
      describe stock market.
   *  objects/submarine (
      objects/blob/main/objects/submarine/definition.json) - Submarine
   *  objects/suricata (
      objects/blob/main/objects/suricata/definition.json) - An object
      describing one or more Suricata rule(s) along with version and
      contextual information.
   *  objects/target-system (
      objects/blob/main/objects/target-system/definition.json) -
      Description of a targeted system; this could potentially be a
      compromised internal system.
   *  objects/task (
      objects/blob/main/objects/task/definition.json) - Task object as
      described in STIX 2.1 Incident object extension.
   *  objects/tattoo (
      objects/blob/main/objects/tattoo/definition.json) - Describes
      tattoos on a natural person's body.
   *  objects/telegram-account (
      objects/blob/main/objects/telegram-account/definition.json) -
      Information related to a telegram account.
   *  objects/telegram-bot (
      objects/blob/main/objects/telegram-bot/definition.json) -
      Information related to a telegram bot.
   *  objects/temporal-event (
      objects/blob/main/objects/temporal-event/definition.json) - A
      temporal event consists of some temporal and spatial boundaries.
      Spatial boundaries can be physical, virtual or hybrid.
   *  objects/thaicert-group-cards (
      objects/blob/main/objects/thaicert-group-cards/definition.json) -
      Adversary group cards inspired by ThaiCERT.
   *  objects/threatgrid-report (
      objects/blob/main/objects/threatgrid-report/definition.json) -
      ThreatGrid report.

   *  objects/timecode (
      objects/blob/main/objects/timecode/definition.json) - Timecode
      object to describe a start of video sequence (e.g.  CCTV evidence)
      and the end of the video sequence.
   *  objects/timesketch-timeline (
      objects/blob/main/objects/timesketch-timeline/definition.json) - A
      timesketch timeline object based on mandatory fields in timesketch
      to describe a log entry.
   *  objects/timesketch_message (
      objects/blob/main/objects/timesketch_message/definition.json) - A
      timesketch message entry.
   *  objects/timestamp (
      objects/blob/main/objects/timestamp/definition.json) - A generic
      timestamp object to represent time including first time and last
      time seen.  Relationship will then define the kind of time
   *  objects/tor-hiddenservice (
      objects/blob/main/objects/tor-hiddenservice/definition.json) - Tor
      hidden service (onion service) object.
   *  objects/tor-node (
      objects/blob/main/objects/tor-node/definition.json) - Tor node
      (which protects your privacy on the internet by hiding the
      connection between users' Internet address and the services used by
      the users) description which are part of the Tor network at a
   *  objects/traceability-impact (
      objects/blob/main/objects/traceability-impact/definition.json) -
      Traceability Impact object as described in STIX 2.1 Incident
      object extension.
   *  objects/tracking-id (
      objects/blob/main/objects/tracking-id/definition.json) - Analytics
      and tracking ID such as used in Google Analytics or other analytic
   *  objects/transaction (
      objects/blob/main/objects/transaction/definition.json) - An object
      to describe a financial transaction.
   *  objects/translation (
      objects/blob/main/objects/translation/definition.json) - Used to
      keep a text and its translation.
   *  objects/transport-ticket (
      objects/blob/main/objects/transport-ticket/definition.json) - A
      transport ticket.
   *  objects/trustar_report (
      objects/blob/main/objects/trustar_report/definition.json) -
      TruStar Report.

   *  objects/tsk-chats (
      objects/blob/main/objects/tsk-chats/definition.json) - An Object
      Template to gather information from evidential or interesting
      exchange of messages identified during a digital forensic
   *  objects/tsk-web-bookmark (
      objects/blob/main/objects/tsk-web-bookmark/definition.json) - An
      Object Template to add evidential bookmarks identified during a
      digital forensic investigation.
   *  objects/tsk-web-cookie (
      objects/blob/main/objects/tsk-web-cookie/definition.json) - An
      TSK-Autopsy Object Template to represent cookies identified during
      a forensic investigation.
   *  objects/tsk-web-downloads (
      objects/blob/main/objects/tsk-web-downloads/definition.json) - An
      Object Template to add web-downloads.
   *  objects/tsk-web-history (
      objects/blob/main/objects/tsk-web-history/definition.json) - An
      Object Template to share web history information.
   *  objects/tsk-web-search-query (
      objects/blob/main/objects/tsk-web-search-query/definition.json) -
      An Object Template to share web search query information.
   *  objects/twitter-account (
      objects/blob/main/objects/twitter-account/definition.json) -
      Twitter account.
   *  objects/twitter-list (
      objects/blob/main/objects/twitter-list/definition.json) - Twitter
   *  objects/twitter-post (
      objects/blob/main/objects/twitter-post/definition.json) - Twitter
      post (tweet).
   *  objects/typosquatting-finder (
      objects/blob/main/objects/typosquatting-finder/definition.json) -
      Typosquatting info.
   *  objects/typosquatting-finder-result (
      definition.json) - Typosquatting result.
   *  objects/url (
      objects/blob/main/objects/url/definition.json) - url object
      describes a URL along with its normalized field (like extracted
      using faup parsing library) and its metadata.
   *  objects/user-account (
      objects/blob/main/objects/user-account/definition.json) - User-
      account object, defining aspects of user identification,
      authentication, privileges and other relevant data points.

   *  objects/vehicle (
      objects/blob/main/objects/vehicle/definition.json) - Vehicle
      object template to describe a vehicle information and
   *  objects/victim (
      objects/blob/main/objects/victim/definition.json) - Victim object
      describes the target of an attack or abuse.
   *  objects/virustotal-graph (
      objects/blob/main/objects/virustotal-graph/definition.json) -
      VirusTotal graph.
   *  objects/virustotal-report (
      objects/blob/main/objects/virustotal-report/definition.json) -
      VirusTotal report.
   *  objects/virustotal-submission (
      objects/blob/main/objects/virustotal-submission/definition.json) -
      VirusTotal Submission.
   *  objects/vulnerability (
      objects/blob/main/objects/vulnerability/definition.json) -
      Vulnerability object describing a common vulnerability enumeration
      which can describe published, unpublished, under review or embargo
      vulnerability for software, equipment or hardware.
   *  objects/weakness (
      objects/blob/main/objects/weakness/definition.json) - Weakness
      object describing a common weakness enumeration which can describe
      usable, incomplete, draft or deprecated weakness for software,
      equipment or hardware.
   *  objects/whois (
      objects/blob/main/objects/whois/definition.json) - Whois records
      information for a domain name or an IP address.
   *  objects/windows-service (
      objects/blob/main/objects/windows-service/definition.json) -
      Windows service and details about a service running on a Windows
      operating system.
   *  objects/x-header (
      objects/blob/main/objects/x-header/definition.json) - X header
      generic object for SMTP, HTTP or any other protocols using X
   *  objects/x509 (
      objects/blob/main/objects/x509/definition.json) - x509 object
      describing an X.509 certificate.
   *  objects/yabin (
      objects/blob/main/objects/yabin/definition.json) -
      generates Yara rules from function prologs, for matching and
      hunting binaries. ref:

   *  objects/yara (
      objects/blob/main/objects/yara/definition.json) - An object
      describing a YARA rule (or a YARA rule name) along with its
   *  objects/youtube-channel (
      objects/blob/main/objects/youtube-channel/definition.json) - A
      YouTube channel.
   *  objects/youtube-comment (
      objects/blob/main/objects/youtube-comment/definition.json) - A
      YouTube video comment.
   *  objects/youtube-playlist (
      objects/blob/main/objects/youtube-playlist/definition.json) - A
      YouTube playlist.
   *  objects/youtube-video (
      objects/blob/main/objects/youtube-video/definition.json) - A
      YouTube video.

4.  Acknowledgements

   The authors wish to thank all the MISP community who are supporting
   the creation of open standards in threat intelligence sharing.

5.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,

   [RFC4122]  Leach, P., Mealling, M., and R. Salz, "A Universally
              Unique IDentifier (UUID) URN Namespace", RFC 4122,
              DOI 10.17487/RFC4122, July 2005,

   [RFC8259]  Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
              Interchange Format", STD 90, RFC 8259,
              DOI 10.17487/RFC8259, December 2017,

6.  Informative References

   [MISP-O]   Community, M., "MISP Objects - shared and common object
              templates", <>.

              community, M., "MISP objects directory", 2018,

Authors' Addresses

   Alexandre Dulaunoy
   Computer Incident Response Center Luxembourg
   122, rue Adolphe Fischer
   L-L-1521 Luxembourg
   Phone: +352 247 88444

   Andras Iklody
   Computer Incident Response Center Luxembourg
   122, rue Adolphe Fischer
   L-L-1521 Luxembourg
   Phone: +352 247 88444
