MISP
We welcome contributions to expand MISP support! Don’t hesitate to submit pull requests on GitHub ❤️
Entity relations
Entity relations are converted into MISP relationships between the exported objects:
"Event": { // Corresponds to the Colander Case
// Colander case UUID
"uuid": "25b4dae2-0ea7-46f2-9f7a-08ef3a43063e",
"info": "Name and description of the case",
"Object": [
{
"name" : "person",
"meta-category" : "misc",
"uuid" : "c9d6f815-c319-478d-b8bc-50f9f46290c5",
"Attribute" : [{
"object_relation" : "full-name",
"value" : "CellRebel",
}],
"Relationship" : [{
"related_object_uuid" : "f2e67c94-5e35-4cbd-b7b9-88b818c8acec",
"object_uuid" : "49d1b77e-765e-4cd1-858b-e2a8d7aa23de",
"relationship_type" : "acquired"
}]
}
]
}
Actors
Actors are converted into MISP objects of type person or organization.
Colander APT mapped on MISP object organization
  “APT group” ↦ type-of-organization
  “Suspect” ↦ role
  actor.name ↦ name
  actor.description ↦ description
Colander COMPANY mapped on MISP object organization
  “private” ↦ sector
  “private company” ↦ type-of-organization
  actor.name ↦ name
  actor.description ↦ description
Colander CYBER_CRIMINAL mapped on MISP object person
  “cybercriminal” ↦ function
  “Suspect” ↦ role
  actor.name ↦ full-name
  actor.description ↦ text
Colander GENERIC mapped on MISP object organization
  “other” ↦ sector
  “unknown type of organization” ↦ type-of-organization
  actor.name ↦ name
  actor.description ↦ description
Colander HACKTIVIST mapped on MISP object person
  “hacktivist” ↦ function
  actor.name ↦ full-name
  actor.description ↦ text
Colander INDIVIDUAL mapped on MISP object person
  “individual” ↦ function
  actor.name ↦ full-name
  actor.description ↦ text
Colander INSIDER mapped on MISP object person
  “insider threat” ↦ function
  “Suspect” ↦ role
  actor.name ↦ full-name
  actor.description ↦ text
Colander NATION_STATE mapped on MISP object organization
  “government-national” ↦ sector
  “nation state” ↦ type-of-organization
  actor.name ↦ name
  actor.description ↦ description
Colander NGO mapped on MISP object organization
  “non-profit” ↦ sector
  “non-governmental organization” ↦ type-of-organization
  actor.name ↦ name
  actor.description ↦ description
Colander PUB_INST mapped on MISP object organization
  “government” ↦ sector
  “public institution” ↦ type-of-organization
  actor.name ↦ name
  actor.description ↦ description
Colander THREAT_ACTOR mapped on MISP object person
  “unknown type of threat actor” ↦ function
  “Suspect” ↦ role
  actor.name ↦ full-name
  actor.description ↦ text
"Event": { // Corresponds to the Colander Case
// Colander case UUID
"uuid": "25b4dae2-0ea7-46f2-9f7a-08ef3a43063e",
"info": "Name and description of the case",
"Object": [
{
"name" : "person",
"meta-category" : "misc",
"uuid" : "c9d6f815-c319-478d-b8bc-50f9f46290c5",
"Attribute" : [
{
"object_relation" : "function",
"value" : "unknown type of threat actor",
}, {
"object_relation" : "full-name",
"value" : "CellRebel",
}
]
]
}
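As an added example (not Colander's or PyMISP's own code), the following Python script applies the actor table and the entity-relation rule above to constructed input. The input dict shapes (an actor with id, type, name and description; a relation with name, obj_from and obj_to), the function names, the separator used to build the case "info" text, and the choice to attach each relation to its source object with object_uuid set to that object's UUID are all assumptions made for this illustration; the UUIDs and the "CellRebel" name are reused from the examples above.

```python
"""Apply the actor and entity-relation mapping to constructed Colander-style input.

Added example, not Colander's or PyMISP's code. The input dict shapes and the
function names are assumptions made for this illustration.
"""

# One row per Colander actor type, taken from the Actors table:
# (MISP object name, constant attributes, relation for name, relation for description)
ACTOR_MAPPING = {
    "APT": ("organization", {"type-of-organization": "APT group", "role": "Suspect"},
            "name", "description"),
    "COMPANY": ("organization", {"sector": "private", "type-of-organization": "private company"},
                "name", "description"),
    "CYBER_CRIMINAL": ("person", {"function": "cybercriminal", "role": "Suspect"},
                       "full-name", "text"),
    "GENERIC": ("organization", {"sector": "other",
                                 "type-of-organization": "unknown type of organization"},
                "name", "description"),
    "HACKTIVIST": ("person", {"function": "hacktivist"}, "full-name", "text"),
    "INDIVIDUAL": ("person", {"function": "individual"}, "full-name", "text"),
    "INSIDER": ("person", {"function": "insider threat", "role": "Suspect"}, "full-name", "text"),
    "NATION_STATE": ("organization", {"sector": "government-national",
                                      "type-of-organization": "nation state"},
                     "name", "description"),
    "NGO": ("organization", {"sector": "non-profit",
                             "type-of-organization": "non-governmental organization"},
            "name", "description"),
    "PUB_INST": ("organization", {"sector": "government",
                                  "type-of-organization": "public institution"},
                 "name", "description"),
    "THREAT_ACTOR": ("person", {"function": "unknown type of threat actor", "role": "Suspect"},
                     "full-name", "text"),
}


def actor_to_misp_object(actor):
    """Build the MISP Object dict for one actor. An unknown type is an error,
    not a silent fallback, so a new Colander type cannot be exported wrongly."""
    if actor["type"] not in ACTOR_MAPPING:
        raise ValueError(f"unsupported actor type: {actor['type']!r}")
    obj_name, constants, name_rel, desc_rel = ACTOR_MAPPING[actor["type"]]
    attributes = [{"object_relation": rel, "value": val} for rel, val in constants.items()]
    attributes.append({"object_relation": name_rel, "value": actor["name"]})
    if actor.get("description"):  # an empty description is not exported
        attributes.append({"object_relation": desc_rel, "value": actor["description"]})
    return {"name": obj_name, "meta-category": "misc", "uuid": actor["id"],
            "Attribute": attributes, "Relationship": []}


def build_event(case, actors, relations):
    """Assemble the Event fragment. Each entity relation becomes a Relationship
    entry on its source object (assumed convention); a relation whose endpoint
    was not exported is rejected so that no documented link is silently dropped."""
    objects = {a["id"]: actor_to_misp_object(a) for a in actors}
    for rel in relations:
        src, dst = rel["obj_from"], rel["obj_to"]
        if src not in objects or dst not in objects:
            raise ValueError(f"relation {rel['name']!r} references an entity that is not exported")
        objects[src]["Relationship"].append({
            "object_uuid": src,
            "related_object_uuid": dst,
            "relationship_type": rel["name"],
        })
    # "info" carries the case name and description; the separator is an assumption
    return {"Event": {"uuid": case["id"], "info": f"{case['name']}: {case['description']}",
                      "Object": list(objects.values())}}


# Constructed sample input reusing the UUIDs and the actor name from the documentation
CASE = {"id": "25b4dae2-0ea7-46f2-9f7a-08ef3a43063e",
        "name": "Demo case", "description": "constructed for this example"}
ACTORS = [
    {"id": "c9d6f815-c319-478d-b8bc-50f9f46290c5", "type": "THREAT_ACTOR",
     "name": "CellRebel", "description": ""},
    {"id": "f2e67c94-5e35-4cbd-b7b9-88b818c8acec", "type": "COMPANY",
     "name": "Example Corp", "description": "constructed company"},
]
RELATIONS = [{"name": "acquired", "obj_from": ACTORS[0]["id"], "obj_to": ACTORS[1]["id"]}]

if __name__ == "__main__":
    import json
    print(json.dumps(build_event(CASE, ACTORS, RELATIONS), indent=2))
```

Running the script prints an Event fragment with a person object for the threat actor (function, role and full-name attributes, plus the "acquired" relationship) and an organization object for the company. Rejecting unknown actor types and dangling relations up front is deliberate: a converter that falls back to a generic object or drops a relation would produce a MISP event that looks complete but is not.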
Artifacts
Artifacts are converted into MISP objects of type file (artifacts of type REPORT into MISP objects of type report):
"Event": { // Corresponds to the Colander Case
// Colander case UUID
"uuid": "25b4dae2-0ea7-46f2-9f7a-08ef3a43063e",
"info": "Name and description of the case",
"Object": [
{
"name" : "file",
// Colander artifact UUID
"uuid" : "5a30624e-4985-4551-a3d2-6aa34a8343d1",
"Attribute" : [
{
// Colander artifact name
"object_relation" : "filename",
"value" : "malware_sample.pdf",
}, {
// Colander artifact mime_type
"object_relation" : "mimetype",
"value" : "application/pdf",
}, {
// Colander artifact sha1
"object_relation" : "sha1",
"value" : "da39a3ee5e6b4b0d3255bfef95601890afd80709",
}
]
}
]
}
Colander ANDROID_BACKUP, ANDROID_SAMPLE, ARCHIVE, AUDIO, BACKUP, BINARY, CRYPTO_T, DOCUMENT, EMAIL, F_DUMP, GENERIC, HAR, IMAGE, IOS_BACKUP, IOS_SAMPLE, JSON, PCAP, SAMPLE, SOCIAL_POST, SOCKET_T, SSLKEYLOG, TEXT, VIDEO and WEBPAGE mapped on MISP object file, all with the same field mapping:
  artifact.name ↦ filename
  artifact.description ↦ text
  artifact.mime_type ↦ mimetype
  artifact.size_in_bytes ↦ size-in-bytes
  artifact.md5 ↦ md5
  artifact.sha1 ↦ sha1
  artifact.sha256 ↦ sha256
Colander REPORT mapped on MISP object report
  artifact.name ↦ title
  artifact.source_url ↦ link
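As an added example (not Colander's or PyMISP's own code), the following Python script applies the artifact table above, including the separate REPORT mapping, to constructed artifacts. The artifact dict shape and the function names are assumptions made for this illustration; the artifact UUID and file name are reused from the example above, and the sample hashes are those of the empty file. The practical check it adds is on the hashes: a digest that is not the expected number of hex digits is rejected before export instead of being pushed to MISP as a malformed indicator.

```python
"""Apply the artifact mapping to constructed Colander-style artifacts.

Added example, not Colander's or PyMISP's code. The artifact dict shape and
the function names are assumptions made for this illustration.
"""
import re

# Every artifact type listed in the table except REPORT becomes a MISP "file" object
FILE_TYPES = {
    "ANDROID_BACKUP", "ANDROID_SAMPLE", "ARCHIVE", "AUDIO", "BACKUP", "BINARY", "CRYPTO_T",
    "DOCUMENT", "EMAIL", "F_DUMP", "GENERIC", "HAR", "IMAGE", "IOS_BACKUP", "IOS_SAMPLE",
    "JSON", "PCAP", "SAMPLE", "SOCIAL_POST", "SOCKET_T", "SSLKEYLOG", "TEXT", "VIDEO", "WEBPAGE",
}
# (Colander field, MISP object_relation) pairs from the table
FILE_FIELDS = [("name", "filename"), ("description", "text"), ("mime_type", "mimetype"),
               ("size_in_bytes", "size-in-bytes"), ("md5", "md5"), ("sha1", "sha1"),
               ("sha256", "sha256")]
REPORT_FIELDS = [("name", "title"), ("source_url", "link")]
# Number of hex digits each hash relation must carry
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}


def normalize_hash(relation, value):
    """Lower-case a digest and reject anything that is not exactly the expected
    number of hex digits, so a truncated or mistyped hash never reaches MISP."""
    value = str(value).strip().lower()
    if not re.fullmatch(r"[0-9a-f]{%d}" % HASH_LENGTHS[relation], value):
        raise ValueError(f"{relation} value {value!r} is not {HASH_LENGTHS[relation]} hex digits")
    return value


def artifact_to_misp_object(artifact):
    """Build the MISP Object dict for one artifact. Optional fields that are
    missing or empty are omitted rather than exported as empty attributes."""
    if artifact["type"] == "REPORT":
        obj_name, fields = "report", REPORT_FIELDS
    elif artifact["type"] in FILE_TYPES:
        obj_name, fields = "file", FILE_FIELDS
    else:
        raise ValueError(f"unsupported artifact type: {artifact['type']!r}")
    attributes = []
    for field, relation in fields:
        value = artifact.get(field)
        if value is None or value == "":
            continue
        if relation in HASH_LENGTHS:
            value = normalize_hash(relation, value)
        elif relation == "size-in-bytes" and (not isinstance(value, int) or value < 0):
            raise ValueError(f"size_in_bytes must be a non-negative integer, got {value!r}")
        attributes.append({"object_relation": relation, "value": value})
    return {"name": obj_name, "uuid": artifact["id"], "Attribute": attributes}


# Constructed sample artifacts; the digests below are those of the empty file
SAMPLE_PDF = {
    "id": "5a30624e-4985-4551-a3d2-6aa34a8343d1", "type": "DOCUMENT",
    "name": "malware_sample.pdf", "description": "", "mime_type": "application/pdf",
    "size_in_bytes": 0,
    "md5": "D41D8CD98F00B204E9800998ECF8427E",
    "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}
SAMPLE_REPORT = {"id": "00000000-0000-4000-8000-000000000001", "type": "REPORT",
                 "name": "Vendor write-up", "source_url": "https://example.com/report"}

if __name__ == "__main__":
    import json
    print(json.dumps([artifact_to_misp_object(SAMPLE_PDF),
                      artifact_to_misp_object(SAMPLE_REPORT)], indent=2))
```

The empty description in the sample is dropped, so the resulting file object carries filename, mimetype, size-in-bytes and the three hashes only; the upper-case MD5 is normalised to lower case so that correlation with other MISP events is not defeated by letter case.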
Data Fragments
Data Fragments are converted into MISP objects of type colander-data-fragment.
Colander CODE, PATTERN, TEXT, PAYLOAD and GENERIC mapped on MISP object colander-data-fragment. The fragment_type attribute is a constant that depends on the Colander type:
  CODE: “Snippet of code” ↦ fragment_type
  PATTERN: “Matching pattern” ↦ fragment_type
  TEXT: “Piece of text” ↦ fragment_type
  PAYLOAD: “Encoded payload” ↦ fragment_type
  GENERIC: “Generic” ↦ fragment_type
The remaining attributes are mapped identically for every fragment type:
  data_fragment.name ↦ name
  data_fragment.description ↦ description
  data_fragment.content ↦ content
Detection Rules
Detection rules are converted into MISP objects of type yara or suricata:
"Event": { // Corresponds to the Colander Case
// Colander case UUID
"uuid": "25b4dae2-0ea7-46f2-9f7a-08ef3a43063e",
"info": "Name and description of the case",
"Object": [
{
"name" : "yara",
"yara-rule-name" : "Test Yara rules"
// Colander detection rule UUID
"uuid" : "df627dd0-ee7b-4516-bf9d-8cc51f9ea1fc",
"Attribute" : [ {
"object_relation" : "yara",
"value" : "rule YaraTest {}",
} ],
}
]
}
Colander YARA mapped on MISP object yara
  detection_rule.content ↦ yara
  detection_rule.name ↦ yara-rule-name
Colander SURICATA mapped on MISP object suricata
  detection_rule.content ↦ suricata
  detection_rule.name ↦ comment
Devices
Devices are converted into MISP objects of type device.
Colander DESKTOP, GENERIC, IOT, LAPTOP, MOBILE, ROUTER and SERVER mapped on MISP object device. The device-type attribute is a constant that depends on the Colander type:
  DESKTOP: “PC” ↦ device-type
  GENERIC: “Other” ↦ device-type
  IOT: “IoT” ↦ device-type
  LAPTOP: “Laptop” ↦ device-type
  MOBILE: “Mobile” ↦ device-type
  ROUTER: “Router” ↦ device-type
  SERVER: “Server” ↦ device-type
The remaining attributes are mapped identically for every device type:
  device.name ↦ name
  device.description ↦ description
  device.attributes.ip ↦ ip-address
  device.attributes.os ↦ OS
  device.attributes.mac_address ↦ mac-address
Events
Events are converted into MISP objects of type colander-event.
Colander ALERT, ATTACK, TARGETED_ATTACK, AV_DETECTION, COMMUNICATION, COMPROMISE, GENERIC, HIT, INFECTION, PASSIVE_DNS and RESOLVE mapped on MISP object colander-event. The event_type attribute is a constant that depends on the Colander type:
  ALERT: “Alert” ↦ event_type
  ATTACK: “Attack” ↦ event_type
  TARGETED_ATTACK: “Targeted attack” ↦ event_type
  AV_DETECTION: “Antivirus detection” ↦ event_type
  COMMUNICATION: “Communication” ↦ event_type
  COMPROMISE: “Compromise” ↦ event_type
  GENERIC: “Generic” ↦ event_type
  HIT: “Hit” ↦ event_type
  INFECTION: “Infection” ↦ event_type
  PASSIVE_DNS: “Passive DNS” ↦ event_type
  RESOLVE: “Resolve” ↦ event_type
The remaining attributes are mapped identically for every event type:
  event.name ↦ name
  event.description ↦ description
  event.count ↦ count
  event.first_seen ↦ first_seen
  event.last_seen ↦ last_seen
Observables
Observables are converted into attributes of the MISP event:
"Event": { // Corresponds to the Colander Case
// Colander case UUID
"uuid": "25b4dae2-0ea7-46f2-9f7a-08ef3a43063e",
"info": "Name and description of the case",
"Attribute": [
{ // Corresponds to the first observable
"type": "url",
// Colander observable UUID
"uuid": "478fbf8b-1e3c-47e9-97a6-7620d27ef6a4",
"comment": "Test comment",
"value": "https://pts-project.org/",
},
{ // Corresponds to the second observable
"type": "domain",
// Colander observable UUID
"uuid": "50d7e69c-d625-4aa7-9cfb-4cfb136af59f",
"comment": "Test comment",
"value": "pts-project.org",
},
]
}
Each observable type is mapped on a MISP attribute type with a fixed category:
  Colander ASN mapped on MISP attribute AS, “Network activity” ↦ category
  Colander COMMUNITY_ID mapped on MISP attribute community-id, “Network activity” ↦ category
  Colander DOMAIN mapped on MISP attribute domain, “Network activity” ↦ category
  Colander EMAIL mapped on MISP attribute email, “Network activity” ↦ category
  Colander IMPHASH mapped on MISP attribute imphash, “Other” ↦ category
  Colander IPV4 mapped on MISP attribute ip-dst, “Network activity” ↦ category
  Colander IPV6 mapped on MISP attribute ip-dst, “Network activity” ↦ category
  Colander MAC mapped on MISP attribute mac-address, “Network activity” ↦ category
  Colander MD5 mapped on MISP attribute md5, “Other” ↦ category
  Colander MUTEX mapped on MISP attribute mutex, “Other” ↦ category
  Colander PATH mapped on MISP attribute filename, “Other” ↦ category
  Colander PHONE mapped on MISP attribute phone-number, “Other” ↦ category
  Colander SHA1 mapped on MISP attribute sha1, “Other” ↦ category
  Colander SHA256 mapped on MISP attribute sha256, “Other” ↦ category
  Colander URL mapped on MISP attribute url, “Network activity” ↦ category
The remaining fields are mapped identically for every observable type:
  observable.name ↦ value
  observable.description ↦ comment
Threats
Threats are converted into MISP tags (misp-tag) attached to the related attributes:
Colander ADWARE mapped on misp-tag: “colander:threat:adware” ↦ name
Colander APT mapped on misp-tag: “colander:threat:advanced-persistent-threat” ↦ name
Colander BACKDOOR mapped on misp-tag: “colander:threat:backdoor” ↦ name
Colander BOTNET mapped on misp-tag: “colander:threat:botnet” ↦ name
Colander BROWSER_HIJACKER mapped on misp-tag: “colander:threat:browser-hijacker” ↦ name
Colander CRYPTOJACKING mapped on misp-tag: “colander:threat:cryptojacking” ↦ name
Colander DROPPER mapped on misp-tag: “colander:threat:dropper” ↦ name
Colander EXPLOIT_KIT mapped on misp-tag: “colander:threat:exploit-kit” ↦ name
Colander INFO_STEALER mapped on misp-tag: “colander:threat:information-stealer” ↦ name
Colander LOADER mapped on misp-tag: “colander:threat:loader” ↦ name
Colander MALVERTISING mapped on misp-tag: “colander:threat:malvertising” ↦ name
Colander MOBILE_MALWARE mapped on misp-tag: “colander:threat:mobile-malware” ↦ name
Colander RANSOMWARE mapped on misp-tag: “colander:threat:ransomware” ↦ name
Colander PHISHING mapped on misp-tag: “colander:threat:phishing” ↦ name
Colander STALKERWARE mapped on misp-tag: “colander:threat:stalkerware” ↦ name
Colander MALWARE mapped on misp-tag: “colander:threat:malware” ↦ name
Colander RAT mapped on misp-tag: “colander:threat:remote-access-trojan” ↦ name
Colander ROOTKIT mapped on misp-tag: “colander:threat:rootkit” ↦ name
Colander SPAM mapped on misp-tag: “colander:threat:spam” ↦ name
Colander SPYWARE mapped on misp-tag: “colander:threat:spyware” ↦ name
Colander TROJAN mapped on misp-tag: “colander:threat:trojan” ↦ name
Colander CYBERCRIME mapped on misp-tag: “colander:threat:cybercrime” ↦ name
Colander CYBER_ATTACK mapped on misp-tag: “colander:threat:cyber-attack” ↦ name
Colander PHYSICAL_ATTACK mapped on misp-tag: “colander:threat:physical-attack” ↦ name
Colander HARASSMENT mapped on misp-tag: “colander:threat:harassment” ↦ name
Colander DOXXING mapped on misp-tag: “colander:threat:doxxing” ↦ name
Colander GENERIC mapped on misp-tag: “colander:threat:generic” ↦ name
"Event": { // Corresponds to the Colander Case
// Colander case UUID
"uuid": "25b4dae2-0ea7-46f2-9f7a-08ef3a43063e",
"info": "Name and description of the case",
"Attribute": [
{ // Corresponds to the observable
"type": "domain",
// Colander observable UUID
"uuid": "50d7e69c-d625-4aa7-9cfb-4cfb136af59f",
"comment": "Test comment",
"value": "pts-project.org",
"Tag" : [ {
"name" : "colander:threat:information-stealer"
} ],
},
]
}
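As an added example serving both the Observables and the Threats sections (not Colander's or PyMISP's own code), the following Python script turns constructed observables into MISP attributes with the type and category from the table above and attaches one tag per linked threat. The observable dict shape, the way threats are passed in, the function names and the value checks are assumptions made for this illustration; the domain observable reuses the UUID and value from the example above. The checks go a step beyond the table: a value that does not look like what its Colander type claims (an invalid IPv4 address, a hash of the wrong length, a URL without a scheme) is rejected before export, since MISP would refuse it anyway and a silently skipped indicator is worse than a loud failure. Note that IPV4 and IPV6 both map on ip-dst, so the traffic direction is not carried over.

```python
"""Apply the observable and threat mapping to constructed Colander-style input.

Added example, not Colander's or PyMISP's code. The observable dict shape, the
threat list and the function names are assumptions made for this illustration.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Colander observable type -> (MISP attribute type, category), from the Observables table.
# IPV4 and IPV6 both become ip-dst, so the direction of the traffic is not preserved.
OBSERVABLE_MAPPING = {
    "ASN": ("AS", "Network activity"), "COMMUNITY_ID": ("community-id", "Network activity"),
    "DOMAIN": ("domain", "Network activity"), "EMAIL": ("email", "Network activity"),
    "IMPHASH": ("imphash", "Other"), "IPV4": ("ip-dst", "Network activity"),
    "IPV6": ("ip-dst", "Network activity"), "MAC": ("mac-address", "Network activity"),
    "MD5": ("md5", "Other"), "MUTEX": ("mutex", "Other"), "PATH": ("filename", "Other"),
    "PHONE": ("phone-number", "Other"), "SHA1": ("sha1", "Other"), "SHA256": ("sha256", "Other"),
    "URL": ("url", "Network activity"),
}
# Colander threat type -> tag name, from the Threats table
THREAT_TAGS = {t: f"colander:threat:{slug}" for t, slug in [
    ("ADWARE", "adware"), ("APT", "advanced-persistent-threat"), ("BACKDOOR", "backdoor"),
    ("BOTNET", "botnet"), ("BROWSER_HIJACKER", "browser-hijacker"),
    ("CRYPTOJACKING", "cryptojacking"), ("DROPPER", "dropper"), ("EXPLOIT_KIT", "exploit-kit"),
    ("INFO_STEALER", "information-stealer"), ("LOADER", "loader"),
    ("MALVERTISING", "malvertising"), ("MOBILE_MALWARE", "mobile-malware"),
    ("RANSOMWARE", "ransomware"), ("PHISHING", "phishing"), ("STALKERWARE", "stalkerware"),
    ("MALWARE", "malware"), ("RAT", "remote-access-trojan"), ("ROOTKIT", "rootkit"),
    ("SPAM", "spam"), ("SPYWARE", "spyware"), ("TROJAN", "trojan"), ("CYBERCRIME", "cybercrime"),
    ("CYBER_ATTACK", "cyber-attack"), ("PHYSICAL_ATTACK", "physical-attack"),
    ("HARASSMENT", "harassment"), ("DOXXING", "doxxing"), ("GENERIC", "generic"),
]}
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "IMPHASH": 32}
# Multi-label host names only; a bare label such as "localhost" is rejected on purpose
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def check_value(ctype, value):
    """Return the value normalised for MISP, or raise ValueError when it does not
    look like the observable type claims. Types without a syntax check are trimmed only."""
    if ctype == "IPV4":
        return str(ipaddress.IPv4Address(value))   # raises a ValueError subclass if invalid
    if ctype == "IPV6":
        return str(ipaddress.IPv6Address(value))   # also canonicalises the notation
    if ctype in HASH_LENGTHS:
        v = value.strip().lower()
        if not re.fullmatch(r"[0-9a-f]{%d}" % HASH_LENGTHS[ctype], v):
            raise ValueError(f"{ctype} value is not {HASH_LENGTHS[ctype]} hex digits")
        return v
    if ctype == "DOMAIN":
        v = value.strip().lower().rstrip(".")
        if not DOMAIN_RE.match(v):
            raise ValueError(f"not a valid domain name: {value!r}")
        return v
    if ctype == "MAC":
        v = value.strip().lower().replace("-", ":")
        if not MAC_RE.match(v):
            raise ValueError(f"not a MAC address: {value!r}")
        return v
    if ctype == "URL":
        parts = urlsplit(value.strip())
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError(f"not an http(s) URL: {value!r}")
        return value.strip()
    return value.strip()


def observable_to_attribute(observable, threats=()):
    """Build the MISP Attribute dict for one observable and attach one tag per
    linked Colander threat type."""
    if observable["type"] not in OBSERVABLE_MAPPING:
        raise ValueError(f"unsupported observable type: {observable['type']!r}")
    misp_type, category = OBSERVABLE_MAPPING[observable["type"]]
    tags = []
    for threat in threats:
        if threat not in THREAT_TAGS:
            raise ValueError(f"unsupported threat type: {threat!r}")
        tags.append({"name": THREAT_TAGS[threat]})
    return {"type": misp_type, "category": category, "uuid": observable["id"],
            "comment": observable.get("description", ""),
            "value": check_value(observable["type"], observable["name"]),
            "Tag": tags}


# Constructed sample input reusing the documentation's domain observable
DOMAIN_OBS = {"id": "50d7e69c-d625-4aa7-9cfb-4cfb136af59f", "type": "DOMAIN",
              "name": "PTS-Project.org", "description": "Test comment"}

if __name__ == "__main__":
    import json
    print(json.dumps(observable_to_attribute(DOMAIN_OBS, ["INFO_STEALER"]), indent=2))
```

The script prints the domain attribute from the example above with the information-stealer tag attached and the value lower-cased. Because both the attribute type and the category come from one table, adding a new Colander observable type is a one-line change, and an observable of a type that is not in the table fails loudly instead of being exported under a wrong category.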