Skip to content

Hide Navigation Hide TOC

Edit

mitre-data-component

Data components are parts of data sources.

Authors
Authors and/or Contributors
MITRE

Active Directory Object Access

Opening of an active directory object, typically to collect/read its value (ex: Windows EID 4661)

Internal MISP references

UUID 5c6de881-bc70-4070-855a-7a9631a407f7 which can be used as unique global reference for Active Directory Object Access in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Active Directory Object Creation

Initial construction of a new active directory object (ex: Windows EID 5137)

Internal MISP references

UUID 18b236d8-7224-488f-9d2f-50076a0f653a which can be used as unique global reference for Active Directory Object Creation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Active Directory Credential Request

A user requested active directory credentials, such as a ticket or token (ex: Windows EID 4769)

Internal MISP references

UUID 02d090b6-8157-48da-98a2-517f7edd49fc which can be used as unique global reference for Active Directory Credential Request in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Active Directory Object Deletion

Removal of an active directory object (ex: Windows EID 5141)

Internal MISP references

UUID 9085a576-636a-455b-91d2-c2921bbe6d1d which can be used as unique global reference for Active Directory Object Deletion in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Active Directory Object Modification

Changes made to an active directory object (ex: Windows EID 5163 or 5136)

Internal MISP references

UUID 5b8b466b-2c81-4fe7-946f-d677a74ae3db which can be used as unique global reference for Active Directory Object Modification in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Windows Registry Key Access

Opening a Registry Key, typically to read the associated value (ex: Windows EID 4656)

Internal MISP references

UUID ed0dd8aa-1677-4551-bb7d-8da767617e1b which can be used as unique global reference for Windows Registry Key Access in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Windows Registry Key Creation

Initial construction of a new Registry Key (ex: Windows EID 4656 or Sysmon EID 12)

Internal MISP references

UUID 7f70fae7-a68d-4730-a83a-f260b9606129 which can be used as unique global reference for Windows Registry Key Creation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Windows Registry Key Deletion

Removal of a Registry Key (ex: Windows EID 4658 or Sysmon EID 12)

Internal MISP references

UUID 1177a4c5-31c8-400c-8544-9071166afa0e which can be used as unique global reference for Windows Registry Key Deletion in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Windows Registry Key Modification

Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)

Internal MISP references

UUID da85d358-741a-410d-9433-20d6269a6170 which can be used as unique global reference for Windows Registry Key Modification in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

User Account Authentication

An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4776 or /var/log/auth.log)

Internal MISP references

UUID a953ca55-921a-44f7-9b8d-3d40141aa17e which can be used as unique global reference for User Account Authentication in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Application Log Content

Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)

Internal MISP references

UUID 9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa which can be used as unique global reference for Application Log Content in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Cloud Storage Access

Opening of a cloud storage infrastructure, typically to collect/read its value (ex: AWS S3 GetObject)

Internal MISP references

UUID 58ef998c-f3bf-4985-b487-b1005f5c05d1 which can be used as unique global reference for Cloud Storage Access in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

User Account Creation

Initial construction of a new account (ex: Windows EID 4720 or /etc/passwd logs)

Internal MISP references

UUID deb22295-7e37-4a3b-ac6f-c86666fbe63d which can be used as unique global reference for User Account Creation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

User Account Deletion

Removal of an account (ex: Windows EID 4726 or /var/log access/authentication logs)

Internal MISP references

UUID d6257b8e-869c-41c0-8731-fdca40858a91 which can be used as unique global reference for User Account Deletion in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

OS API Execution

Operating system function/method calls executed by a process

Internal MISP references

UUID 9bde2f9d-a695-4344-bfac-f2dce13d121e which can be used as unique global reference for OS API Execution in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

User Account Metadata

Contextual data about an account, which may include a username, user ID, environmental data, etc.

Internal MISP references

UUID b5d0492b-cda4-421c-8e51-ed2b8d85c5d0 which can be used as unique global reference for User Account Metadata in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

User Account Modification

Changes made to an account, such as permissions and/or membership in specific groups (ex: Windows EID 4738 or /var/log access/authentication logs)

Internal MISP references

UUID d27b0089-2c39-4b6c-84ff-303e48657e77 which can be used as unique global reference for User Account Modification in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Network Share Access

Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145)

Internal MISP references

UUID f5468e67-51c7-4756-9b4f-65707708e7fa which can be used as unique global reference for Network Share Access in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Network Connection Creation

Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)

Internal MISP references

UUID 181a9f8c-c780-4f1f-91a8-edb770e904ba which can be used as unique global reference for Network Connection Creation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Cloud Storage Creation

Initial construction of new cloud storage infrastructure (ex: AWS S3 CreateBucket)

Internal MISP references

UUID 59ec10d9-546b-4b8e-bccb-fa85f71e5055 which can be used as unique global reference for Cloud Storage Creation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Web Credential Creation

Initial construction of new web credential material (ex: Windows EID 1200 or 4769)

Internal MISP references

UUID 5f7c9def-0ddf-423b-b1f8-fb2ddeed0ce3 which can be used as unique global reference for Web Credential Creation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Cloud Service Disable

Deactivation or stoppage of a cloud service (ex: AWS Cloudtrail StopLogging)

Internal MISP references

UUID ec0612c5-2644-4c50-bcac-82586974fedd which can be used as unique global reference for Cloud Service Disable in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Cloud Storage Deletion

Removal of cloud storage infrastructure (ex: AWS S3 DeleteBucket)

Internal MISP references

UUID 4c41e296-b8d2-4a37-b789-eb565c87c00c which can be used as unique global reference for Cloud Storage Deletion in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Cloud Storage Enumeration

An extracted list of cloud storage infrastructure (ex: AWS S3 ListBuckets or ListObjects)

Internal MISP references

UUID fcc4811f-9cc8-4db5-8097-4d8242a380de which can be used as unique global reference for Cloud Storage Enumeration in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Cloud Service Enumeration

An extracted list of cloud services (ex: AWS ECS ListServices)

Internal MISP references

UUID 8c826308-2760-492f-9e36-4f0f7e23bcac which can be used as unique global reference for Cloud Service Enumeration in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Scheduled Job Creation

Initial construction of a new scheduled job (ex: Windows EID 4698 or /var/log cron logs)

Internal MISP references

UUID f42df6f0-6395-4f0c-9376-525a031f00c3 which can be used as unique global reference for Scheduled Job Creation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Logon Session Creation

Initial construction of a successful new user logon following an authentication attempt. (e.g. Windows EID 4624, /var/log/utmp, or /var/log/wmtp)

Internal MISP references

UUID 9ce98c86-8d30-4043-ba54-0784d478d0b5 which can be used as unique global reference for Logon Session Creation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Cloud Storage Metadata

Contextual data about cloud storage infrastructure and activity around it such as name, size, or owner

Internal MISP references

UUID e214eb6d-de8f-4154-9015-6d47915fbed1 which can be used as unique global reference for Cloud Storage Metadata in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Cloud Service Metadata

Contextual data about a cloud service and activity around it such as name, type, or purpose/function

Internal MISP references

UUID b33d36e3-d7ea-4895-8eed-19a08a8f7c4f which can be used as unique global reference for Cloud Service Metadata in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Cloud Storage Modification

Changes made to cloud storage infrastructure, including its settings and/or data (ex: AWS S3 PutObject or PutObjectAcl)

Internal MISP references

UUID 45977f14-1bcc-4ec4-ac14-a30fd3a11f44 which can be used as unique global reference for Cloud Storage Modification in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Cloud Service Modification

Changes made to a cloud service, including its settings and/or data (ex: AWS CloudTrail DeleteTrail or DeleteConfigRule)

Internal MISP references

UUID e52d89f9-1710-4708-88a5-cbef77c4cd5e which can be used as unique global reference for Cloud Service Modification in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Network Traffic Content

Logged network traffic data showing both protocol header and body values (ex: PCAP)

Internal MISP references

UUID 3772e279-27d6-477a-9fe3-c6beb363594c which can be used as unique global reference for Network Traffic Content in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Web Credential Usage

An attempt by a user to gain access to a network or computing resource by providing web credentials (ex: Windows EID 1202)

Internal MISP references

UUID ff93f688-d7a4-49cf-9c79-a14454da8428 which can be used as unique global reference for Web Credential Usage in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Firewall Rule Modification

Changes made to a firewall rule, typically to allow/block specific network traffic (ex: Windows EID 4950 or Write/Delete entries within Azure Firewall Rule Collection Activity Logs)

Internal MISP references

UUID d2ff4b56-8351-4ed8-b0fb-d8605366005f which can be used as unique global reference for Firewall Rule Modification in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Network Traffic Flow

Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)

Internal MISP references

UUID a7f22107-02e5-4982-9067-6625d4a1765a which can be used as unique global reference for Network Traffic Flow in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Scheduled Job Metadata

Contextual data about a scheduled job, which may include information such as name, timing, command(s), etc.

Internal MISP references

UUID 7b375092-3a61-448d-900a-77c9a4bde4dc which can be used as unique global reference for Scheduled Job Metadata in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Scheduled Job Modification

Changes made to a scheduled job, such as modifications to the execution launch (ex: Windows EID 4702 or /var/log cron logs)

Internal MISP references

UUID faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b which can be used as unique global reference for Scheduled Job Modification in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Kernel Module Load

An object file that contains code to extend the running kernel of an OS, typically used to add support for new hardware (as device drivers) and/or filesystems, or for adding system calls

Internal MISP references

UUID 23e4ee78-26f3-4fcf-ba43-ab953962f96c which can be used as unique global reference for Kernel Module Load in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Logon Session Metadata

Contextual data about a logon session, such as username, logon type, access tokens (security context, user SIDs, logon identifiers, and logon SID), and any activity associated within it

Internal MISP references

UUID 39b9db72-8b48-4595-a18d-db5bbba3091b which can be used as unique global reference for Logon Session Metadata in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Named Pipe Metadata

Contextual data about a named pipe on a system, including pipe name and creating process (ex: Sysmon EIDs 17-18)

Internal MISP references

UUID b9a1578e-8653-4103-be23-cb52e0b1816e which can be used as unique global reference for Named Pipe Metadata in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

API Calls

API calls utilized by an application that could indicate malicious activity

Internal MISP references

UUID 5ae32c6a-2d12-4b8f-81ca-f862f2be0962 which can be used as unique global reference for API Calls in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Active DNS

Queried domain name system (DNS) registry data highlighting current domain to IP address resolutions (ex: dig/nslookup queries)

Internal MISP references

UUID 2e521444-7295-4dec-96c1-7595b2df7811 which can be used as unique global reference for Active DNS in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Drive Access

Opening of a data storage device with an assigned drive letter or mount point

Internal MISP references

UUID 73ff2dcc-24b1-4368-b9dc-706dd9e68354 which can be used as unique global reference for Drive Access in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

File Access

Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)

Internal MISP references

UUID 235b7491-2d2b-4617-9a52-3c0783680f71 which can be used as unique global reference for File Access in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Process Access

Opening of a process by another process, typically to read memory of the target process (ex: Sysmon EID 10)

Internal MISP references

UUID 1887a270-576a-4049-84de-ef746b2572d6 which can be used as unique global reference for Process Access in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Container Creation

Initial construction of a new container (ex: docker create )

Internal MISP references

UUID a5ae90ca-0c4b-481c-959f-0eb18a7ff953 which can be used as unique global reference for Container Creation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Drive Creation

Initial construction of a drive letter or mount point to a data storage device

Internal MISP references

UUID 3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f which can be used as unique global reference for Drive Creation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Container Enumeration

An extracted list of containers (ex: docker ps)

Internal MISP references

UUID 91b3ed33-d1b5-4c4b-a896-76c55eb3cfd8 which can be used as unique global reference for Container Enumeration in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Command Execution

The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )

Internal MISP references

UUID 685f917a-e95e-4ba0-ade1-c7d354dae6e0 which can be used as unique global reference for Command Execution in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

File Creation

Initial construction of a new file (ex: Sysmon EID 11)

Internal MISP references

UUID 2b3bfe19-d59a-460d-93bb-2f546adc2d2c which can be used as unique global reference for File Creation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

WMI Creation

Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or provider (ex: Sysmon EIDs 19-21)

Internal MISP references

UUID 05645013-2fed-4066-8bdc-626b2e201dd4 which can be used as unique global reference for WMI Creation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Instance Creation

Initial construction of a new instance (ex: instance.insert within GCP Audit Logs)

Internal MISP references

UUID b5b0e8ae-7436-4951-950a-7b83c4dd3f2c which can be used as unique global reference for Instance Creation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Image Creation

Initial construction of a virtual machine image (ex: Azure Compute Service Images PUT)

Internal MISP references

UUID b008766d-f34f-4ded-b712-659f59aaed6e which can be used as unique global reference for Image Creation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Container Metadata

Contextual data about a container and activity around it such as name, ID, image, or status

Internal MISP references

UUID df508a43-65f5-453f-8b8f-4b5d64e60a21 which can be used as unique global reference for Container Metadata in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value

Cluster Metadata

Contextual data about a cluster and activity around it such as name, namespace, age, or status

Internal MISP references

UUID fafaa705-ec08-4405-ac62-288c252e520d which can be used as unique global reference for Cluster Metadata in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value

Malware Content

Code, strings, and other signatures that compromise a malicious payload

Internal MISP references

UUID 167b48f7-76e9-4fcb-9e8d-7121f7bf56c3 which can be used as unique global reference for Malware Content in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Network Communication

Network requests made by an application or domains contacted

Internal MISP references

UUID 764ee29e-48d6-4934-8e6b-7a606aaaafc0 which can be used as unique global reference for Network Communication in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Protected Configuration

Device configuration options that are not typically utilized by benign applications

Internal MISP references

UUID 6c62144a-cd5c-401c-ada9-58c4c74cd9d2 which can be used as unique global reference for Protected Configuration in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Process Creation

The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)

Internal MISP references

UUID 3d20385b-24ef-40e1-9f56-f39750379077 which can be used as unique global reference for Process Creation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Pod Creation

Initial construction of a new pod (ex: kubectl apply|run)

Internal MISP references

UUID 5263cb33-08cc-4a68-820f-004e1e400d76 which can be used as unique global reference for Pod Creation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Certificate Registration

Queried or logged information highlighting current and expired digital certificates (ex: Certificate transparency)

Internal MISP references

UUID 1dad5aa4-4bb5-45e4-9e42-55d40003cfa6 which can be used as unique global reference for Certificate Registration in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Response Content

Logged network traffic in response to a scan showing both protocol header and body values

Internal MISP references

UUID 0dcbbf4f-929c-489a-b66b-9b820d3f7f0e which can be used as unique global reference for Response Content in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Snapshot Creation

Initial construction of a new snapshot (ex: AWS create-snapshot)

Internal MISP references

UUID 3da222e6-53f3-451c-a239-0b405c009432 which can be used as unique global reference for Snapshot Creation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Container Start

Activation or invocation of a container (ex: docker start or docker restart)

Internal MISP references

UUID 5fe82895-28e5-4aac-845e-dc886b63be2e which can be used as unique global reference for Container Start in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Service Creation

Initial construction of a new service/daemon (ex: Windows EID 4697 or /var/log daemon logs)

Internal MISP references

UUID 5297a638-1382-4f0c-8472-0d21830bf705 which can be used as unique global reference for Service Creation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Volume Creation

Initial construction of a cloud volume (ex: AWS create-volume)

Internal MISP references

UUID dad75cc7-5bae-4175-adb4-ca1962d8650e which can be used as unique global reference for Volume Creation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Firewall Disable

Deactivation or stoppage of a cloud service (ex: Write/Delete entries within Azure Firewall Activity Logs)

Internal MISP references

UUID c97d0171-f6e0-4415-85ff-4082fdb8c72a which can be used as unique global reference for Firewall Disable in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

File Deletion

Removal of a file (ex: Sysmon EID 23, macOS ESF EID ES_EVENT_TYPE_AUTH_UNLINK, or Linux commands auditd unlink, rename, rmdir, unlinked, or renameat rules)

Internal MISP references

UUID e905dad2-00d6-477c-97e8-800427abd0e8 which can be used as unique global reference for File Deletion in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Instance Deletion

Removal of an instance (ex: instance.delete within GCP Audit Logs)

Internal MISP references

UUID 7561ed50-16cb-4826-82c7-c1ddca61785e which can be used as unique global reference for Instance Deletion in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Image Deletion

Removal of a virtual machine image (ex: Azure Compute Service Images DELETE)

Internal MISP references

UUID 8b4ca854-ac08-47da-b24f-601b28a39aff which can be used as unique global reference for Image Deletion in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Driver Load

Attaching a driver to either user or kernel-mode of a system (ex: Sysmon EID 6)

Internal MISP references

UUID 3551476e-14f5-4e48-a518-e82135329e03 which can be used as unique global reference for Driver Load in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Driver Metadata

Contextual data about a driver and activity around it such as driver issues reporting or integrity (page hash, code) checking

Internal MISP references

UUID f5a9a1dd-82f9-41a3-85b8-13e5b9cd6c79 which can be used as unique global reference for Driver Metadata in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Drive Modification

Changes made to a drive letter or mount point of a data storage device

Internal MISP references

UUID 4dcd8ba3-2075-4f8b-941e-39884ffaac08 which can be used as unique global reference for Drive Modification in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Passive DNS

Logged domain name system (DNS) data highlighting timelines of domain to IP address resolutions (ex: passive DNS)

Internal MISP references

UUID cc150ad8-ecfa-4340-9aaa-d21165873bd4 which can be used as unique global reference for Passive DNS in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Domain Registration

Information about domain name assignments and other domain metadata (ex: WHOIS)

Internal MISP references

UUID ff9b665a-598b-4bcb-8b2a-a87566aa1256 which can be used as unique global reference for Domain Registration in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Snapshot Deletion

Removal of a snapshot (ex: AWS delete-snapshot)

Internal MISP references

UUID 16e07530-764b-4d83-bae0-cdbfc31bf21d which can be used as unique global reference for Snapshot Deletion in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Volume Deletion

Removal of a a cloud volume (ex: AWS delete-volume)

Internal MISP references

UUID 3acecdde-c327-4498-9bb8-33a2e63c6c57 which can be used as unique global reference for Volume Deletion in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Firewall Enumeration

An extracted list of available firewalls and/or their associated settings/rules (ex: Azure Network Firewall CLI Show commands)

Internal MISP references

UUID bf91faa8-0049-4870-810a-4df55e0b77ee which can be used as unique global reference for Firewall Enumeration in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Group Enumeration

An extracted list of available groups and/or their associated settings (ex: AWS list-groups)

Internal MISP references

UUID 8e44412e-3238-4d64-8878-4f11e27784fe which can be used as unique global reference for Group Enumeration in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Instance Enumeration

An extracted list of instances within a cloud environment (ex: instance.list within GCP Audit Logs)

Internal MISP references

UUID 2a80d95f-08c4-48e3-833e-151ef19d90f5 which can be used as unique global reference for Instance Enumeration in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Pod Enumeration

An extracted list of pods within a cluster (ex: kubectl get pods)

Internal MISP references

UUID 07688e40-a7fa-4436-937f-1216674341a0 which can be used as unique global reference for Pod Enumeration in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Snapshot Enumeration

An extracted list of snapshops within a cloud environment (ex: AWS describe-snapshots)

Internal MISP references

UUID ffd73905-2e51-4f2d-8549-e72fb0eb6c38 which can be used as unique global reference for Snapshot Enumeration in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Script Execution

The execution of a text file that contains code via the interpreter (e.g. Powershell, WMI, Windows EID 4104, etc.)

Internal MISP references

UUID 9f387817-df83-432a-b56b-a8fb7f71eedd which can be used as unique global reference for Script Execution in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Volume Enumeration

An extracted list of available volumes within a cloud environment (ex: AWS describe-volumes)

Internal MISP references

UUID ec225357-8197-47a4-a9cd-57741d592877 which can be used as unique global reference for Volume Enumeration in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Firewall Metadata

Contextual data about a firewall and activity around it such as name, policy, or status

Internal MISP references

UUID 746f095a-f84c-4ccc-90a5-c7caa5c100a2 which can be used as unique global reference for Firewall Metadata in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

File Metadata

Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.

Internal MISP references

UUID 639e87f3-acb6-448a-9645-258f20da4bc5 which can be used as unique global reference for File Metadata in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Firmware Modification

Changes made to firmware, including its settings and/or data, such as MBR (Master Boot Record) and VBR (Volume Boot Record)

Internal MISP references

UUID b9d031bb-d150-4fc6-8025-688201bf3ffd which can be used as unique global reference for Firmware Modification in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

File Modification

Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)

Internal MISP references

UUID 84572de3-9583-4c73-aabd-06ea88123dd8 which can be used as unique global reference for File Modification in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Group Metadata

Contextual data about a group which describes group and activity around it, such as name, permissions, or user accounts within the group

Internal MISP references

UUID 8d8c7cac-94cf-4726-8989-cab33851168c which can be used as unique global reference for Group Metadata in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Group Modification

Changes made to a group, such as membership, name, or permissions (ex: Windows EID 4728 or 4732, AWS IAM UpdateGroup)

Internal MISP references

UUID 05d5b5b4-ef93-4807-b05f-33d8c5a35bc5 which can be used as unique global reference for Group Modification in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Host Status

Logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications)

Internal MISP references

UUID 85a533a4-5fa4-4dba-b45d-f0717bedd6e6 which can be used as unique global reference for Host Status in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Instance Metadata

Contextual data about an instance and activity around it such as name, type, or status

Internal MISP references

UUID 45fd904d-6eb0-4b50-8478-a961f09f898b which can be used as unique global reference for Instance Metadata in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Image Metadata

Contextual data about a virtual machine image such as name, resource group, state, or type

Internal MISP references

UUID b597a220-6510-4397-b0d8-342cd2c58827 which can be used as unique global reference for Image Metadata in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Instance Modification

Changes made to an instance, including its settings and/or control data (ex: instance.addResourcePolicies or instances.setMetadata within GCP Audit Logs)

Internal MISP references

UUID 45d0ff14-b9c4-41f5-8603-156657c20b75 which can be used as unique global reference for Instance Modification in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Image Modification

Changes made to a virtual machine image, including setting and/or control data (ex: Azure Compute Service Images PATCH)

Internal MISP references

UUID 071a09b1-8945-46fd-8bb7-6bcc89400963 which can be used as unique global reference for Image Modification in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Instance Start

Activation or invocation of an instance (ex: instance.start within GCP Audit Logs)

Internal MISP references

UUID f8213cde-6b3a-420d-9ab7-41c9af1a919f which can be used as unique global reference for Instance Start in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Instance Stop

Deactivation or stoppage of an instance (ex: instance.stop within GCP Audit Logs)

Internal MISP references

UUID 1361e324-b594-4c0e-a517-20cee32b8d7f which can be used as unique global reference for Instance Stop in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Module Load

Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)

Internal MISP references

UUID c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1 which can be used as unique global reference for Module Load in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Malware Metadata

Contextual data about a malicious payload, such as compilation times, file hashes, as well as watermarks or other identifiable configuration information

Internal MISP references

UUID 93a6e38c-02a5-44d8-9035-b2e08459f31f which can be used as unique global reference for Malware Metadata in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Process Metadata

Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.

Internal MISP references

UUID ee575f4a-2d4f-48f6-b18b-89067760adc1 which can be used as unique global reference for Process Metadata in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Pod Metadata

Contextual data about a pod and activity around it such as name, ID, namespace, or status

Internal MISP references

UUID c0edd522-0aef-46b3-8efa-2bd334ce4242 which can be used as unique global reference for Pod Metadata in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value

Process Modification

Changes made to a process, or its contents, typically to write and/or execute code in the memory of the target process (ex: Sysmon EID 8)

Internal MISP references

UUID d5fca4e4-e47a-487b-873f-3d22f8865e96 which can be used as unique global reference for Process Modification in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Pod Modification

Changes made to a pod, including its settings and/or control data (ex: kubectl set|patch|edit)

Internal MISP references

UUID 672b2ebd-4310-4efe-bf03-7ab005298a74 which can be used as unique global reference for Pod Modification in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Response Metadata

Contextual data about an Internet-facing resource gathered from a scan, such as running services or ports

Internal MISP references

UUID 1067aa74-5796-4d9b-b4f1-a4c9eb6fd9da which can be used as unique global reference for Response Metadata in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Snapshot Metadata

Contextual data about a snapshot, which may include information such as ID, type, and status

Internal MISP references

UUID 8bc66f94-54a9-4be4-bdd1-fe90df643774 which can be used as unique global reference for Snapshot Metadata in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Service Metadata

Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc.

Internal MISP references

UUID 74fa567d-bc90-425c-8a41-3c703abb221c which can be used as unique global reference for Service Metadata in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Social Media

Established, compromised, or otherwise acquired social media personas

Internal MISP references

UUID 8fb2f315-1aca-4cef-ae0d-8105e1f95985 which can be used as unique global reference for Social Media in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Snapshot Modification

Changes made to a snapshop, such as metadata and control data (ex: AWS modify-snapshot-attribute)

Internal MISP references

UUID f1eb6ea9-f3ab-414f-af35-2d5427199984 which can be used as unique global reference for Snapshot Modification in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Service Modification

Changes made to a service/daemon, such as changes to name, description, and/or start type (ex: Windows EID 7040 or /var/log daemon logs)

Internal MISP references

UUID 66531bc6-a509-4868-8314-4d599e91d222 which can be used as unique global reference for Service Modification in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Volume Metadata

Contextual data about a cloud volume and activity around it, such as id, type, state, and size

Internal MISP references

UUID 0f72bf50-35b3-419d-ab95-70f9b6a818dd which can be used as unique global reference for Volume Metadata in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Volume Modification

Changes made to a cloud volume, including its settings and control data (ex: AWS modify-volume)

Internal MISP references

UUID d46272ce-a0fe-4256-855e-738de7bb63ee which can be used as unique global reference for Volume Modification in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

System Notifications

Notifications generated by the OS

Internal MISP references

UUID bf0ff551-a5a7-40e5-bff9-f9405011b1f4 which can be used as unique global reference for System Notifications in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Permissions Requests

Permissions declared in an application's manifest or property list file

Internal MISP references

UUID b1e0bb80-23d4-44f2-b919-7e9c54898f43 which can be used as unique global reference for Permissions Requests in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Permissions Request

System prompts triggered when an application requests new or additional permissions

Internal MISP references

UUID e2f72131-14d1-411f-8e8c-aa3453dd5456 which can be used as unique global reference for Permissions Request in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Process Termination

Exit of a running process (ex: Sysmon EID 5 or Windows EID 4689)

Internal MISP references

UUID 61f1d40e-f3d0-4cc6-aa2d-937b6204194f which can be used as unique global reference for Process Termination in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

System Settings

Settings visible to the user on the device

Internal MISP references

UUID 56c2b384-77f8-461f-a71a-76f7888ebfb6 which can be used as unique global reference for System Settings in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.