MISP-STIX-Converter - Mapping documentation
This documentation describes how the conversion between MISP and STIX works in terms of mapping the two formats onto each other (as opposed to the more generic description of the library itself, which explains how to use it).
It therefore gives a detailed description of the inputs and outputs to expect depending on the type of data being converted.
Summary
Introduction
MISP supports two major features regarding STIX:
- The export of data collections from MISP to STIX
- The import of STIX content into a MISP Event
More specifically, MISP can generate STIX 1.1, 2.0 and 2.1 content from a given event using the UI (the "Download as..." feature available in the event view), or from any collection of events using the built-in restSearch client.
To do so, MISP hands the data, formatted in the standard MISP JSON format (the one used for every exchange between synchronised MISP instances), to the corresponding export script (available in the STIX export directory of this repository), which returns the STIX content.
It is also possible to import STIX data into MISP, again either through the UI or through the restSearch client (versions 1.1, 1.2, 2.0 and 2.1 should be supported). In this case everything imported is placed into a single MISP Event.
To use that functionality, users either pass the content of their STIX file to the restSearch client or upload it with the "Import from..." feature available in the events list view. In both cases the content of the file is passed to the corresponding import script (available in the STIX import directory of this repository), which returns MISP format that is then saved as an Event in MISP.
Within this documentation we focus on the mapping between MISP and STIX formats.
MISP to STIX
MISP to STIX1
Events to STIX1 mapping
Summary
| MISP datastructure | STIX object |
|---|---|
| Event | STIX Package |
| Attribute | Indicator or Observable in most cases, TTP, Journal entry or Custom Object otherwise |
| Object | Indicator or Observable in most cases, TTP, Threat Actor, Course of Action or Custom Object otherwise |
| Galaxy | TTP, Threat Actor, or Course of Action |
Detailed mapping
The detailed mapping for events and their contained structures, with explanations and examples, is available here
Attributes to STIX1 mapping
Summary
Most MISP attributes are converted into Indicator or Observable objects.
In the following table, an object type that appears after a property of another object type (for example `EmailMessageObjectType - To -> AddressObjectType`) is embedded in the list of Related Indicators or Related Observables of the former.
When an attribute is exported neither as an Indicator nor as an Observable, the top-level STIX construct it lands in is given instead, prefixed with `stix:`, `incident:` or `indicator:`.
| MISP Attribute type | STIX Object type - property name |
|---|---|
| AS | ASObjectType - Handle |
| attachment | ArtifactObjectType - Raw_Artifact |
| authentihash | FileObjectType - Hashes -> Hash - Simple_Hash_Value |
| campaign-name | stix: Campaigns -> CampaignType - Name -> Name |
| cdhash | FileObjectType - Hashes -> Hash - Simple_Hash_Value |
| comment | incident: History -> HistoryItem - Journal_Entry |
| domain | DomainNameObjectType - Value |
| domain\|ip | ObservableComposition -> DomainNameObjectType - Value \| AddressObjectType - Address_Value |
| email-attachment | EmailMessageObjectType - Attachments referencing FileObjectType - File_Name |
| email-body | EmailMessageObjectType - Raw_Body |
| email-dst | EmailMessageObjectType - To -> AddressObjectType - Address_Value |
| email-header | EmailMessageObjectType - Raw_Header |
| email-message-id | EmailMessageObjectType - Header -> Message_ID |
| email-mime-boundary | EmailMessageObjectType - Header -> Boundary |
| email-reply-to | EmailMessageObjectType - Reply_To -> AddressObjectType - Address_Value |
| email-src | EmailMessageObjectType - From -> AddressObjectType - Address_Value |
| email-subject | EmailMessageObjectType - Subject |
| email-x-mailer | EmailMessageObjectType - Header -> X_Mailer |
| filename | FileObjectType - File_Name |
| filename\|authentihash | FileObjectType - File_Name & Hashes -> Hash - Simple_Hash_Value |
| filename\|impfuzzy | FileObjectType - File_Name & Hashes -> Hash - Simple_Hash_Value |
| filename\|imphash | FileObjectType - File_Name & Hashes -> Hash - Simple_Hash_Value |
| filename\|md5 | FileObjectType - File_Name & Hashes -> Hash - Simple_Hash_Value |
| filename\|pehash | FileObjectType - File_Name & Hashes -> Hash - Simple_Hash_Value |
| filename\|sha1 | FileObjectType - File_Name & Hashes -> Hash - Simple_Hash_Value |
| filename\|sha224 | FileObjectType - File_Name & Hashes -> Hash - Simple_Hash_Value |
| filename\|sha256 | FileObjectType - File_Name & Hashes -> Hash - Simple_Hash_Value |
| filename\|sha384 | FileObjectType - File_Name & Hashes -> Hash - Simple_Hash_Value |
| filename\|sha512 | FileObjectType - File_Name & Hashes -> Hash - Simple_Hash_Value |
| filename\|sha512/224 | FileObjectType - File_Name & Hashes -> Hash - Simple_Hash_Value |
| filename\|sha512/256 | FileObjectType - File_Name & Hashes -> Hash - Simple_Hash_Value |
| filename\|ssdeep | FileObjectType - File_Name & Hashes -> Hash - Simple_Hash_Value |
| filename\|tlsh | FileObjectType - File_Name & Hashes -> Hash - Simple_Hash_Value |
| filename\|vhash | FileObjectType - File_Name & Hashes -> Hash - Simple_Hash_Value |
| hostname | HostnameObjectType - Hostname_Value |
| hostname\|port | SocketAddressObjectType - Hostname (HostnameObjectType - Hostname_Value) & Port (PortObjectType - Port_Value) |
| http-method | HTTPSessionObjectType - HTTP_Method |
| impfuzzy | FileObjectType - Hashes -> Hash - Simple_Hash_Value |
| imphash | FileObjectType - Hashes -> Hash - Simple_Hash_Value |
| ip-dst | AddressObjectType - Address_Value |
| ip-dst\|port | SocketAddressObjectType - IP_Address (AddressObjectType - Address_Value) & Port (PortObjectType - Port_Value) |
| ip-src | AddressObjectType - Address_Value |
| ip-src\|port | SocketAddressObjectType - IP_Address (AddressObjectType - Address_Value) & Port (PortObjectType - Port_Value) |
| link | URIObjectType - Value |
| mac-address | SystemObjectType - Network_Interface_list -> Network_Interface - MAC |
| malware-sample | ArtifactObjectType - Raw_Artifact & Hashes -> Hash - Simple_Hash_Value |
| md5 | FileObjectType - Hashes -> Hash - Simple_Hash_Value |
| mutex | MutexObjectType - Name |
| named pipe | PipeObjectType - Name |
| other | incident: History -> HistoryItem - Journal_Entry |
| pattern-in-file | FileObjectType - Byte_Runs -> Byte_Run - Byte_Run_Data |
| pehash | FileObjectType - Hashes -> Hash - Simple_Hash_Value |
| port | PortObjectType - Port_Value |
| regkey | WindowsRegistryKeyObjectType - Key |
| regkey\|value | WindowsRegistryKeyObjectType - Key & Values -> Value - Data |
| sha1 | FileObjectType - Hashes -> Hash - Simple_Hash_Value |
| sha224 | FileObjectType - Hashes -> Hash - Simple_Hash_Value |
| sha256 | FileObjectType - Hashes -> Hash - Simple_Hash_Value |
| sha384 | FileObjectType - Hashes -> Hash - Simple_Hash_Value |
| sha512 | FileObjectType - Hashes -> Hash - Simple_Hash_Value |
| sha512/224 | FileObjectType - Hashes -> Hash - Simple_Hash_Value |
| sha512/256 | FileObjectType - Hashes -> Hash - Simple_Hash_Value |
| size-in-bytes | FileObjectType - Size_In_Bytes |
| snort | indicator: Test_Mechanisms -> SnortTestMechanismType - Rule |
| ssdeep | FileObjectType - Hashes -> Hash - Simple_Hash_Value |
| target-email | incident: Victim -> CIQIdentity3.0InstanceType - ElectronicAddressIdentifiers - ElectronicAddressIdentifier |
| target-external | incident: Victim -> CIQIdentity3.0InstanceType - PartyName - NameLine |
| target-location | incident: Victim -> CIQIdentity3.0InstanceType - Addresses -> Address - FreeTextAddress - AddressLine |
| target-machine | incident: Affected_Assets -> Affected_Asset - Description |
| target-org | incident: Victim -> CIQIdentity3.0InstanceType - PartyName -> OrganisationName - NameElement |
| target-user | incident: Victim -> CIQIdentity3.0InstanceType - PartyName -> PersonName - NameElement |
| text | incident: History -> HistoryItem - Journal_Entry |
| tlsh | FileObjectType - Hashes -> Hash - Simple_Hash_Value |
| uri | URIObjectType - Value |
| url | URIObjectType - Value |
| user-agent | HTTPSessionObjectType - HTTP_Request_Response -> HTTP_Client_Request -> HTTP_Request_Header -> Parsed_Header - User_Agent |
| vhash | FileObjectType - Hashes -> Hash - Simple_Hash_Value |
| vulnerability | stix: TTPs -> TTPType - Exploit_Targets -> ExploitTargetType -> Vulnerability - CVE_ID |
| weakness | stix: TTPs -> TTPType - Exploit_Targets -> ExploitTargetType -> Weakness - CWE_ID |
| whois-registrant-email | WhoisObjectType - Registrants -> Registrant - Email_Address -> AddressObjectType - Address_Value |
| whois-registrant-name | WhoisObjectType - Registrants -> Registrant - Name |
| whois-registrant-org | WhoisObjectType - Registrants -> Registrant - Organization |
| whois-registrant-phone | WhoisObjectType - Registrants -> Registrant - Phone_Number |
| whois-registrar | WhoisObjectType - Registrar_Info -> Name |
| windows-service-displayname | WindowsServiceObjectType - Display_Name |
| windows-service-name | WindowsServiceObjectType - Service_Name |
| x509-fingerprint-md5 | X509CertificateObjectType - Certificate_Signature - Signature |
| x509-fingerprint-sha1 | X509CertificateObjectType - Certificate_Signature - Signature |
| x509-fingerprint-sha256 | X509CertificateObjectType - Certificate_Signature - Signature |
| yara | indicator: Test_Mechanisms -> YaraTestMechanismType - Rule |
Detailed mapping
The detailed mapping for attributes, with explanations and examples, is available here
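As an added example (not code from misp-stix), the following Python builds the CybOX/STIX 1 XML that the table above describes for a couple of attribute types: a `filename|sha256` attribute becomes a `FileObjectType` carrying `File_Name` and `Hashes -> Hash - Simple_Hash_Value`, and an `ip-dst` attribute becomes an `AddressObjectType` with `Address_Value`. The namespace URIs, the `example` id namespace and the Title text are my assumptions for the illustration; validate the output against the STIX 1.1.1 / CybOX 2.1 schemas you use before relying on it.

```python
"""Emit STIX 1 / CybOX XML for a few MISP attribute types.

Added example, not misp-stix code: element and property names come from the mapping
table; the namespace URIs are those of the published STIX 1.1.1 / CybOX 2.1 schemas as
assumed here, so validate the output against the schemas you work with.
"""
import uuid
import xml.etree.ElementTree as ET

NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
    "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# MISP hash attribute type -> CybOX HashNameVocab entry.
HASH_NAMES = {"md5": "MD5", "sha1": "SHA1", "sha256": "SHA256", "sha512": "SHA512"}


def q(prefix, local):
    """Clark-notation tag name ({uri}local) for ElementTree."""
    return f"{{{NS[prefix]}}}{local}"


def file_properties(name=None, algo=None, digest=None):
    """FileObjectType: File_Name and/or Hashes -> Hash (Type, Simple_Hash_Value)."""
    props = ET.Element(q("cybox", "Properties"), {q("xsi", "type"): "FileObj:FileObjectType"})
    if name is not None:
        ET.SubElement(props, q("FileObj", "File_Name")).text = name
    if algo is not None:
        hashes = ET.SubElement(props, q("FileObj", "Hashes"))
        h = ET.SubElement(hashes, q("cyboxCommon", "Hash"))
        ET.SubElement(h, q("cyboxCommon", "Type")).text = HASH_NAMES[algo]
        ET.SubElement(h, q("cyboxCommon", "Simple_Hash_Value")).text = digest
    return props


def address_properties(value, category="ipv4-addr"):
    """AddressObjectType: Address_Value, with the address category on the object."""
    props = ET.Element(q("cybox", "Properties"),
                       {q("xsi", "type"): "AddressObj:AddressObjectType", "category": category})
    ET.SubElement(props, q("AddressObj", "Address_Value")).text = value
    return props


def attribute_to_properties(attr):
    """Dispatch a MISP attribute dict ('type', 'value') to its CybOX Properties element."""
    atype, value = attr["type"], attr["value"]
    if atype in HASH_NAMES:
        return file_properties(algo=atype, digest=value)
    if atype == "filename":
        return file_properties(name=value)
    if atype.startswith("filename|") and atype[9:] in HASH_NAMES:
        name, digest = value.split("|", 1)
        return file_properties(name=name, algo=atype[9:], digest=digest)
    if atype in ("ip-src", "ip-dst"):
        return address_properties(value, "ipv6-addr" if ":" in value else "ipv4-addr")
    raise ValueError(f"no STIX 1 mapping implemented here for attribute type {atype!r}")


def attribute_to_indicator(attr, id_ns="example"):
    """Indicator -> Observable -> Object -> Properties; ids derive from the attribute uuid."""
    uid = attr.get("uuid") or str(uuid.uuid4())
    ind = ET.Element(q("stix", "Indicator"),
                     {q("xsi", "type"): "indicator:IndicatorType", "id": f"{id_ns}:indicator-{uid}"})
    ET.SubElement(ind, q("indicator", "Title")).text = f"{attr['type']}: {attr['value']}"
    obs = ET.SubElement(ind, q("indicator", "Observable"), {"id": f"{id_ns}:observable-{uid}"})
    obj = ET.SubElement(obs, q("cybox", "Object"), {"id": f"{id_ns}:object-{uid}"})
    obj.append(attribute_to_properties(attr))
    return ind


def package_xml(attributes, id_ns="example"):
    """Serialise a STIX_Package holding one Indicator per attribute."""
    pkg = ET.Element(q("stix", "STIX_Package"),
                     {"id": f"{id_ns}:package-{uuid.uuid4()}", "version": "1.1.1"})
    indicators = ET.SubElement(pkg, q("stix", "Indicators"))
    for attr in attributes:
        indicators.append(attribute_to_indicator(attr, id_ns))
    return ET.tostring(pkg, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample attributes, not taken from any real event.
    print(package_xml([
        {"type": "filename|sha256", "value": "dropper.exe|" + "ab" * 32, "uuid": str(uuid.uuid4())},
        {"type": "ip-dst", "value": "198.51.100.7"},
    ]))
```

Each Indicator wraps exactly one Observable here; an attribute such as `email-src`, whose row chains two object types, would instead nest an `AddressObjectType` inside the `EmailMessageObjectType` as a related object, which this example does not implement.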
Objects to STIX1 mapping
Summary
| MISP Object name | STIX Object type |
|---|---|
| asn | ASObjectType |
| attack-pattern | TTPType - Behavior - Attack_Patterns |
| course-of-action | CourseOfActionType |
| credential | UserAccountObjectType |
| domain-ip | ObservableComposition -> DomainNameObjectType \| AddressObjectType |
| EmailMessageObjectType | |
| file | FileObjectType |
| file with references to pe & pe-section objects | WindowsExecutableFileObjectType |
| ip-port | ObservableComposition -> AddressObjectType \| PortObjectType |
| mutex | MutexObjectType |
| network-connection | NetworkConnectionObjectType |
| network-socket | NetworkSocketObjectType |
| process | ProcessObjectType |
| registry-key | WindowsRegistryKeyObjectType |
| url | URIObjectType |
| user-account | UserAccountObjectType |
| user-account with unix as account-type attribute value | UnixUserAccountObjectType |
| user-account with windows-local as account-type attribute value | WindowsUserAccountObjectType |
| vulnerability | TTPType - Exploit_Target - Vulnerability |
| weakness | TTPType - Exploit_Target - Weakness |
| whois | WhoisObjectType |
| x509 | X509CertificateObjectType |
Detailed mapping
The detailed mapping for objects, with explanations and examples, is available here
Galaxies to STIX1 mapping
Summary
| MISP Galaxy Clusters name | STIX Object type |
|---|---|
| android, backdoor, banker, malpedia, mitre-enterprise-attack-malware, mitre-malware, mitre-mobile-attack-malware, ransomware, stealer | stix: TTPs -> TTPType - Behavior -> Malware - Malware_Instance |
| botnet, exploit-kit, mitre-enterprise-attack-tool, mitre-mobile-attack-tool, mitre-tool, rat, tds, tool | stix: TTPs -> TTPType - Resources -> Tools -> Tool |
| branded-vulnerability | stix: TTPs -> TTPType - Exploit_Targets -> ExploitTargetType - Vulnerability |
| microsoft-activity-group, threat-actor | stix: Threat_Actors -> ThreatActorType |
| mitre-attack-pattern, mitre-enterprise-attack-attack-pattern, mitre-mobile-attack-attack-pattern, mitre-pre-attack-attack-pattern | stix: TTPs -> TTPType - Behavior -> Attack_Patterns -> Attack_Pattern |
| mitre-course-of-action, mitre-enterprise-attack-course-of-action, mitre-mobile-attack-course-of-action | stix: Courses_Of_Action -> CourseOfActionType |
Detailed mapping
The detailed mapping for galaxies, with explanations and examples, is available here
MISP to STIX 2.0
Events to STIX 2.0 mapping
Summary
| MISP datastructure | STIX object |
|---|---|
| Event | Report |
| Attribute | Indicator or Observed Data in most cases, Vulnerability, Campaign or Custom Object otherwise |
| Object | Indicator or Observed Data in most cases, Vulnerability, Threat Actor, Course of Action or Custom Object otherwise |
| Galaxy | Attack Pattern, Course of Action, Intrusion Set, Malware, Threat Actor, Tool or Vulnerability |
Detailed mapping
The detailed mapping for events and their contained structures, with explanations and examples, is available here
Attributes to STIX 2.0 mapping
Summary
Most MISP attributes are converted into Indicator or Observed Data objects.
The following table gives, for each attribute type, the STIX object it is exported into: an Indicator whose pattern describes the IoC, together with the corresponding Observable object inside Observed Data. Rows that read only `Indicator` are attribute types for which no Observable object type is listed; they are exported as an Indicator pattern only.
When another object type is named instead (Campaign, Vulnerability), the attribute is exported neither as Indicator nor as Observed Data but as that object.
| MISP Attribute type | STIX Object type / Observable Object type |
|---|---|
| AS | Object and IoCs described in Indicator (pattern) |
| attachment | Object and IoCs described in Indicator (pattern) |
| authentihash | Object and IoCs described in Indicator (pattern) |
| campaign-name | Campaign |
| domain | Object and IoCs described in Indicator (pattern) |
| domain\|ip | Object and IoCs described in Indicator (pattern) |
| Object and IoCs described in Indicator (pattern) | |
| email-attachment | Object and IoCs described in Indicator (pattern) |
| email-body | Object and IoCs described in Indicator (pattern) |
| email-dst | Object and IoCs described in Indicator (pattern) |
| email-header | Object and IoCs described in Indicator (pattern) |
| email-reply-to | Object and IoCs described in Indicator (pattern) |
| email-src | Object and IoCs described in Indicator (pattern) |
| email-subject | Object and IoCs described in Indicator (pattern) |
| email-x-mailer | Object and IoCs described in Indicator (pattern) |
| filename | Object and IoCs described in Indicator (pattern) |
| filename\|authentihash | Object and IoCs described in Indicator (pattern) |
| filename\|imphash | Object and IoCs described in Indicator (pattern) |
| filename\|md5 | Object and IoCs described in Indicator (pattern) |
| filename\|pehash | Object and IoCs described in Indicator (pattern) |
| filename\|sha1 | Object and IoCs described in Indicator (pattern) |
| filename\|sha224 | Object and IoCs described in Indicator (pattern) |
| filename\|sha256 | Object and IoCs described in Indicator (pattern) |
| filename\|sha3-224 | Object and IoCs described in Indicator (pattern) |
| filename\|sha3-256 | Object and IoCs described in Indicator (pattern) |
| filename\|sha3-384 | Object and IoCs described in Indicator (pattern) |
| filename\|sha3-512 | Object and IoCs described in Indicator (pattern) |
| filename\|sha384 | Object and IoCs described in Indicator (pattern) |
| filename\|sha512 | Object and IoCs described in Indicator (pattern) |
| filename\|sha512/224 | Object and IoCs described in Indicator (pattern) |
| filename\|sha512/256 | Object and IoCs described in Indicator (pattern) |
| filename\|ssdeep | Object and IoCs described in Indicator (pattern) |
| filename\|tlsh | Object and IoCs described in Indicator (pattern) |
| filename\|vhash | Object and IoCs described in Indicator (pattern) |
| github-username | Indicator |
| hostname | Object and IoCs described in Indicator (pattern) |
| hostname\|port | Object and IoCs described in Indicator (pattern) |
| http-method | Indicator |
| imphash | Object and IoCs described in Indicator (pattern) |
| ip-dst | Object and IoCs described in Indicator (pattern) |
| ip-dst\|port | Object and IoCs described in Indicator (pattern) |
| ip-src | Object and IoCs described in Indicator (pattern) |
| ip-src\|port | Object and IoCs described in Indicator (pattern) |
| link | Object and IoCs described in Indicator (pattern) |
| mac-address | Object and IoCs described in Indicator (pattern) |
| malware-sample | Object and IoCs described in Indicator (pattern) |
| md5 | Object and IoCs described in Indicator (pattern) |
| mutex | Object and IoCs described in Indicator (pattern) |
| pehash | Object and IoCs described in Indicator (pattern) |
| port | Indicator |
| regkey | Object and IoCs described in Indicator (pattern) |
| regkey\|value | Object and IoCs described in Indicator (pattern) |
| sha1 | Object and IoCs described in Indicator (pattern) |
| sha224 | Object and IoCs described in Indicator (pattern) |
| sha256 | Object and IoCs described in Indicator (pattern) |
| sha3-224 | Object and IoCs described in Indicator (pattern) |
| sha3-256 | Object and IoCs described in Indicator (pattern) |
| sha3-384 | Object and IoCs described in Indicator (pattern) |
| sha3-512 | Object and IoCs described in Indicator (pattern) |
| sha384 | Object and IoCs described in Indicator (pattern) |
| sha512 | Object and IoCs described in Indicator (pattern) |
| sha512/224 | Object and IoCs described in Indicator (pattern) |
| sha512/256 | Object and IoCs described in Indicator (pattern) |
| size-in-bytes | Indicator |
| ssdeep | Object and IoCs described in Indicator (pattern) |
| telfhash | Object and IoCs described in Indicator (pattern) |
| tlsh | Object and IoCs described in Indicator (pattern) |
| uri | Object and IoCs described in Indicator (pattern) |
| url | Object and IoCs described in Indicator (pattern) |
| user-agent | Indicator |
| vhash | Object and IoCs described in Indicator (pattern) |
| vulnerability | Vulnerability |
| x509-fingerprint-md5 | Object and IoCs described in Indicator (pattern) |
| x509-fingerprint-sha1 | Object and IoCs described in Indicator (pattern) |
| x509-fingerprint-sha256 | Object and IoCs described in Indicator (pattern) |
Detailed mapping
The detailed mapping for attributes, with explanations and examples, is available here
Objects to STIX 2.0 mapping
Summary
| MISP Object name | STIX Object type |
|---|---|
| Script object where state is “Malicious” | Malware |
| Script object where state is not “Malicious” | Tool |
| android-app | Object and IoCs described in Indicator (pattern) |
| asn | Object and IoCs described in Indicator (pattern) |
| attack-pattern | Attack-pattern |
| course-of-action | Course-of-action |
| cpe-asset | Object and IoCs described in Indicator (pattern) |
| credential | Object and IoCs described in Indicator (pattern) |
| domain-ip | Object and IoCs described in Indicator (pattern) |
| Object and IoCs described in Indicator (pattern) | |
| email with display names | Object and IoCs described in Indicator (pattern) |
| employee | Identity |
| facebook-account | Object and IoCs described in Indicator (pattern) |
| file | File Object (potential references to Artifact & Directory Objects) |
| file with references to pe & pe-section(s) | File Object with a Windows PE binary extension |
| github-user | Object and IoCs described in Indicator (pattern) |
| gitlab-user | Object and IoCs described in Indicator (pattern) |
| http-request | Object and IoCs described in Indicator (pattern) |
| identity | Identity |
| image | Object and IoCs described in Indicator (pattern) |
| intrusion-set | Intrusion-set |
| ip-port | Object and IoCs described in Indicator (pattern) |
| legal-entity | Identity |
| lnk | Object and IoCs described in Indicator (pattern) |
| mutex | Object and IoCs described in Indicator (pattern) |
| netflow | Object and IoCs described in Indicator (pattern) |
| network-connection | Network Traffic, IPv4/IPv6 Address & Domain Name Objects |
| network-socket | Network Traffic with a socket extension, IPv4/IPv6 Address & Domain Name Objects |
| news-agency | Identity |
| organization | Identity |
| parler-account | Object and IoCs described in Indicator (pattern) |
| pe | Windows PE binary extension within a File Object |
| pe & pe-sections | Windows PE binary extension within a File Object |
| pe-section | Sections fields in the Windows PE binary extension (always exported with the related pe object) |
| person | Identity |
| process | Process Objects (potential reference to File Objects) |
| reddit-account | Object and IoCs described in Indicator (pattern) |
| registry-key | Object and IoCs described in Indicator (pattern) |
| telegram-account | Object and IoCs described in Indicator (pattern) |
| twitter-account | Object and IoCs described in Indicator (pattern) |
| url | Object and IoCs described in Indicator (pattern) |
| user-account | Object and IoCs described in Indicator (pattern) |
| vulnerability | Vulnerability |
| x509 | Object and IoCs described in Indicator (pattern) |
Detailed mapping
The detailed mapping for MISP objects, with explanations and examples, is available here
Galaxies to STIX 2.0 mapping
Summary
| MISP Galaxy Clusters name | STIX Object type |
|---|---|
| mitre-attack-pattern, mitre-enterprise-attack-attack-pattern, mitre-mobile-attack-attack-pattern, mitre-pre-attack-attack-pattern | AttackPattern |
| mitre-course-of-action, mitre-enterprise-attack-course-of-action, mitre-mobile-attack-course-of-action | CourseOfAction |
| mitre-enterprise-attack-intrusion-set, mitre-intrusion-set, mitre-mobile-attack-intrusion-set, mitre-pre-attack-intrusion-set | IntrusionSet |
| android, backdoor, banker, malpedia, mitre-enterprise-attack-malware, mitre-malware, mitre-mobile-attack-malware, ransomware, stealer | Malware |
| microsoft-activity-group, threat-actor | ThreatActor |
| botnet, exploit-kit, mitre-enterprise-attack-tool, mitre-mobile-attack-tool, mitre-tool, rat, tds, tool | Tool |
| branded-vulnerability | Vulnerability |
Detailed mapping
The detailed mapping for galaxies, with explanations and examples, is available here
MISP to STIX 2.1
Events to STIX 2.1 mapping
Summary
| MISP datastructure | STIX object |
|---|---|
| Event | Report or Grouping |
| Attribute | Indicator or Observable in most cases, Vulnerability, Campaign or Custom Object otherwise |
| Object | Indicator or Observable in most cases, Vulnerability, Threat Actor, Course of Action or Custom Object otherwise |
| Galaxy | Attack Pattern, Course of Action, Intrusion Set, Malware, Threat Actor, Tool or Vulnerability |
Detailed mapping
The detailed mapping for events and their contained structures, with explanations and examples, is available here
Attributes to STIX 2.1 mapping
Summary
Most MISP attributes are converted into Indicator or Observable objects.
The following table gives, for each attribute type, the Observable object type(s) it is exported into and notes that the IoC is also described as a pattern within an Indicator. Rows that read only `Indicator` are attribute types for which no Observable object type is listed; they are exported as an Indicator pattern only.
When another object type is named instead (Campaign, Vulnerability), the attribute is exported neither as Indicator nor as Observable but as that object.
| MISP Attribute type | STIX Object type / Observable Object type |
|---|---|
| AS | Autonomous System Object and IoCs described in Indicator (pattern) |
| attachment | Artifact & File Objects and IoCs described in Indicator (pattern) |
| authentihash | File Object and IoCs described in Indicator (pattern) |
| campaign-name | Campaign |
| domain | Domain Name Object and IoCs described in Indicator (pattern) |
| domain\|ip | Domain Name & Ipv4 Addr Objects and IoCs described in Indicator (pattern) |
| Email Addr Object and IoCs described in Indicator (pattern) | |
| email-attachment | Email Message & File Objects and IoCs described in Indicator (pattern) |
| email-body | Email Message Object and IoCs described in Indicator (pattern) |
| email-dst | Email Addr & Email Message Objects and IoCs described in Indicator (pattern) |
| email-header | Email Message Object and IoCs described in Indicator (pattern) |
| email-message-id | Email Message Object and IoCs described in Indicator (pattern) |
| email-reply-to | Email Message Object and IoCs described in Indicator (pattern) |
| email-src | Email Addr & Email Message Objects and IoCs described in Indicator (pattern) |
| email-subject | Email Message Object and IoCs described in Indicator (pattern) |
| email-x-mailer | Email Message Object and IoCs described in Indicator (pattern) |
| filename | File Object and IoCs described in Indicator (pattern) |
| filename\|authentihash | File Object and IoCs described in Indicator (pattern) |
| filename\|imphash | File Object and IoCs described in Indicator (pattern) |
| filename\|md5 | File Object and IoCs described in Indicator (pattern) |
| filename\|pehash | File Object and IoCs described in Indicator (pattern) |
| filename\|sha1 | File Object and IoCs described in Indicator (pattern) |
| filename\|sha224 | File Object and IoCs described in Indicator (pattern) |
| filename\|sha256 | File Object and IoCs described in Indicator (pattern) |
| filename\|sha3-224 | File Object and IoCs described in Indicator (pattern) |
| filename\|sha3-256 | File Object and IoCs described in Indicator (pattern) |
| filename\|sha3-384 | File Object and IoCs described in Indicator (pattern) |
| filename\|sha3-512 | File Object and IoCs described in Indicator (pattern) |
| filename\|sha384 | File Object and IoCs described in Indicator (pattern) |
| filename\|sha512 | File Object and IoCs described in Indicator (pattern) |
| filename\|sha512/224 | File Object and IoCs described in Indicator (pattern) |
| filename\|sha512/256 | File Object and IoCs described in Indicator (pattern) |
| filename\|ssdeep | File Object and IoCs described in Indicator (pattern) |
| filename\|tlsh | File Object and IoCs described in Indicator (pattern) |
| filename\|vhash | File Object and IoCs described in Indicator (pattern) |
| github-username | User Account Object and IoCs described in Indicator (pattern) |
| hostname | Domain Name Object and IoCs described in Indicator (pattern) |
| hostname\|port | Domain Name & Network Traffic Objects and IoCs described in Indicator (pattern) |
| http-method | Indicator |
| imphash | File Object and IoCs described in Indicator (pattern) |
| ip-dst | Ipv4 Addr & Network Traffic Objects and IoCs described in Indicator (pattern) |
| ip-dst\|port | Ipv4 Addr & Network Traffic Objects and IoCs described in Indicator (pattern) |
| ip-src | Ipv4 Addr & Network Traffic Objects and IoCs described in Indicator (pattern) |
| ip-src\|port | Ipv4 Addr & Network Traffic Objects and IoCs described in Indicator (pattern) |
| link | Url Object and IoCs described in Indicator (pattern) |
| mac-address | Mac Addr Object and IoCs described in Indicator (pattern) |
| malware-sample | Artifact & File Objects and IoCs described in Indicator (pattern) |
| md5 | File Object and IoCs described in Indicator (pattern) |
| mutex | Mutex Object and IoCs described in Indicator (pattern) |
| pehash | File Object and IoCs described in Indicator (pattern) |
| port | Indicator |
| regkey | Windows Registry Key Object and IoCs described in Indicator (pattern) |
| regkey\|value | Windows Registry Key Object and IoCs described in Indicator (pattern) |
| sha1 | File Object and IoCs described in Indicator (pattern) |
| sha224 | File Object and IoCs described in Indicator (pattern) |
| sha256 | File Object and IoCs described in Indicator (pattern) |
| sha3-224 | File Object and IoCs described in Indicator (pattern) |
| sha3-256 | File Object and IoCs described in Indicator (pattern) |
| sha3-384 | File Object and IoCs described in Indicator (pattern) |
| sha3-512 | File Object and IoCs described in Indicator (pattern) |
| sha384 | File Object and IoCs described in Indicator (pattern) |
| sha512 | File Object and IoCs described in Indicator (pattern) |
| sha512/224 | File Object and IoCs described in Indicator (pattern) |
| sha512/256 | File Object and IoCs described in Indicator (pattern) |
| sigma | Indicator |
| size-in-bytes | Indicator |
| snort | Indicator |
| ssdeep | File Object and IoCs described in Indicator (pattern) |
| suricata | Indicator |
| telfhash | File Object and IoCs described in Indicator (pattern) |
| tlsh | File Object and IoCs described in Indicator (pattern) |
| uri | Url Object and IoCs described in Indicator (pattern) |
| url | Url Object and IoCs described in Indicator (pattern) |
| user-agent | Indicator |
| vhash | File Object and IoCs described in Indicator (pattern) |
| vulnerability | Vulnerability |
| x509-fingerprint-md5 | X509 Certificate Object and IoCs described in Indicator (pattern) |
| x509-fingerprint-sha1 | X509 Certificate Object and IoCs described in Indicator (pattern) |
| x509-fingerprint-sha256 | X509 Certificate Object and IoCs described in Indicator (pattern) |
| yara | Indicator |
Detailed mapping
The detailed mapping for attributes, with explanations and examples, is available here
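As an added illustration of the table above (and of the STIX 2.0 attribute table, which uses the same patterning syntax), here is a small Python mapper that is not part of misp-stix. It turns a handful of MISP attribute types into a STIX Indicator pattern plus the matching Observable objects, giving each SCO a deterministic id as STIX 2.1 recommends (UUIDv5 over the ID-contributing properties). The `"tcp"` protocol on network-traffic objects, the reuse of the attribute uuid as Indicator id and the label layout are assumptions made for the example; the real converter's output may differ in detail.

```python
"""Map a few MISP attribute types to a STIX 2.1 Indicator pattern plus Observables.

Added example (not misp-stix code): the patterns follow the shape the mapping table
implies; SCO ids are UUIDv5 over the ID-contributing properties, as STIX 2.1 recommends.
"""
import ipaddress
import json
import uuid

# Fixed namespace for deterministic SCO ids (STIX 2.1 specification, section 2.9).
STIX_SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")

# MISP hash attribute type -> STIX hash-algorithm vocabulary entry.
HASH_ALGOS = {"md5": "MD5", "sha1": "SHA-1", "sha256": "SHA-256", "sha512": "SHA-512"}


def _quote(value):
    """Render a STIX pattern string literal; backslash and single quote must be escaped."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def _hash_key(algo):
    """Object path of a hash in a pattern; dictionary keys containing '-' must be quoted."""
    name = HASH_ALGOS[algo]
    return f"file:hashes.'{name}'" if "-" in name else f"file:hashes.{name}"


def make_sco(sco_type, contributing, **extra):
    """Build an SCO dict whose id is UUIDv5 over the sorted, compact JSON of the
    ID-contributing properties, so the same observable always gets the same id."""
    payload = json.dumps(contributing, sort_keys=True, separators=(",", ":"))
    sco = {"type": sco_type, "id": f"{sco_type}--{uuid.uuid5(STIX_SCO_NAMESPACE, payload)}"}
    sco.update(contributing)
    sco.update(extra)
    return sco


def _addr_type(value):
    return "ipv6-addr" if ipaddress.ip_address(value).version == 6 else "ipv4-addr"


def _ip_traffic(role, ip_value, port=None):
    """ip-src/ip-dst (optionally |port): an address SCO plus a network-traffic SCO that
    references it. 'protocols' is mandatory on network-traffic; "tcp" is an assumption."""
    addr_type = _addr_type(ip_value)
    ip = make_sco(addr_type, {"value": ip_value})
    props = {f"{role}_ref": ip["id"], "protocols": ["tcp"]}
    terms = [f"network-traffic:{role}_ref.type = '{addr_type}'",
             f"network-traffic:{role}_ref.value = {_quote(ip_value)}"]
    if port is not None:
        props[f"{role}_port"] = int(port)
        terms.append(f"network-traffic:{role}_port = {int(port)}")
    return "[" + " AND ".join(terms) + "]", [ip, make_sco("network-traffic", props)]


def attribute_to_stix21(attr):
    """Return (pattern, [sco, ...]) for a MISP attribute dict with 'type' and 'value'."""
    atype, value = attr["type"], attr["value"]
    if atype in ("ip-src", "ip-dst"):
        return _ip_traffic(atype[3:], value)
    if atype in ("ip-src|port", "ip-dst|port"):
        ip_value, port = value.split("|", 1)
        return _ip_traffic(atype[3:6], ip_value, port)
    if atype in ("domain", "hostname"):
        return f"[domain-name:value = {_quote(value)}]", [make_sco("domain-name", {"value": value})]
    if atype == "domain|ip":
        domain, ip_value = value.split("|", 1)
        ip = make_sco(_addr_type(ip_value), {"value": ip_value})
        dom = make_sco("domain-name", {"value": domain}, resolves_to_refs=[ip["id"]])
        return (f"[domain-name:value = {_quote(domain)} AND "
                f"domain-name:resolves_to_refs[*].value = {_quote(ip_value)}]", [dom, ip])
    if atype in ("url", "uri", "link"):
        return f"[url:value = {_quote(value)}]", [make_sco("url", {"value": value})]
    if atype in HASH_ALGOS:
        sco = make_sco("file", {"hashes": {HASH_ALGOS[atype]: value}})
        return f"[{_hash_key(atype)} = {_quote(value)}]", [sco]
    if atype == "filename":
        return f"[file:name = {_quote(value)}]", [make_sco("file", {"name": value})]
    if atype.startswith("filename|") and atype[9:] in HASH_ALGOS:
        name, digest = value.split("|", 1)
        sco = make_sco("file", {"name": name, "hashes": {HASH_ALGOS[atype[9:]]: digest}})
        return f"[file:name = {_quote(name)} AND {_hash_key(atype[9:])} = {_quote(digest)}]", [sco]
    if atype == "mutex":
        return f"[mutex:name = {_quote(value)}]", [make_sco("mutex", {"name": value})]
    raise ValueError(f"no STIX 2.1 mapping implemented here for attribute type {atype!r}")


def indicator_for(attr, timestamp="2024-01-01T00:00:00.000Z"):
    """Wrap the pattern in an Indicator SDO; the MISP attribute uuid (assumed present) is
    reused so that re-exporting the same attribute yields the same Indicator id."""
    pattern, scos = attribute_to_stix21(attr)
    indicator = {
        "type": "indicator", "spec_version": "2.1", "id": f"indicator--{attr['uuid']}",
        "created": timestamp, "modified": timestamp, "valid_from": timestamp,
        "pattern_type": "stix", "pattern": pattern,
        "labels": [f'misp:type="{attr["type"]}"', f'misp:category="{attr.get("category", "")}"'],
    }
    return indicator, scos


if __name__ == "__main__":
    sample = {"uuid": "5d2c3a1e-1234-4a5b-8c9d-0a1b2c3d4e5f", "type": "ip-dst|port",
              "category": "Network activity", "value": "198.51.100.7|443"}  # constructed
    print(json.dumps(indicator_for(sample), indent=2))
```

The deterministic id matters on import as much as on export: two events that both carry `198.51.100.7` produce the same `ipv4-addr` SCO id, so a consumer can deduplicate observables across bundles instead of accumulating copies, and the quoting in `_quote` is what keeps an attacker-controlled value such as a filename containing `'` from breaking, or altering, the pattern.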
Objects to STIX 2.1 mapping
Summary
| MISP Object name | STIX Object type |
|---|---|
| Script object where state is “Malicious” | Malware |
| Script object where state is not “Malicious” | Tool |
| android-app | Software Object and IoCs described in Indicator (pattern) |
| annotation | Note with references to the annotated objects |
| asn | Autonomous System Object and IoCs described in Indicator (pattern) |
| attack-pattern | Attack-pattern |
| course-of-action | Course-of-action |
| cpe-asset | Software Object and IoCs described in Indicator (pattern) |
| credential | User Account Object and IoCs described in Indicator (pattern) |
| domain-ip | Domain Name & Ipv4 Addr Objects and IoCs described in Indicator (pattern) |
| domain-ip with the perfect domain & ip matching | A tuple of IPv4/IPv6 Address & Network Objects for each associated domain & ip |
| Email Addr & Email Message & File Objects and IoCs described in Indicator (pattern) | |
| email with display names | Email Addr & Email Message Objects and IoCs described in Indicator (pattern) |
| employee | Identity |
| facebook-account | User Account Object and IoCs described in Indicator (pattern) |
| file | File Object (potential references to Artifact & Directory Objects) |
| file with references to pe & pe-section(s) | File Object with a Windows PE binary extension |
| geolocation | Location |
| github-user | User Account Object and IoCs described in Indicator (pattern) |
| gitlab-user | User Account Object and IoCs described in Indicator (pattern) |
| http-request | Domain Name & Ipv4 Addr & Network Traffic Objects and IoCs described in Indicator (pattern) |
| identity | Identity |
| image | Artifact & File Objects and IoCs described in Indicator (pattern) |
| intrusion-set | Intrusion-set |
| ip-port | Ipv4 Addr & Network Traffic Objects and IoCs described in Indicator (pattern) |
| legal-entity | Identity |
| lnk | Artifact & Directory & File Objects and IoCs described in Indicator (pattern) |
| mutex | Mutex Object and IoCs described in Indicator (pattern) |
| netflow | Autonomous System & Ipv4 Addr & Network Traffic Objects and IoCs described in Indicator (pattern) |
| network-connection | Network Traffic, IPv4/IPv6 Address & Domain Name Objects |
| network-socket | Network Traffic with a socket extension, IPv4/IPv6 Address & Domain Name Objects |
| news-agency | Identity |
| nova-rule | Indicator |
| organization | Identity |
| owasp-crs-rule | Indicator |
| parler-account | User Account Object and IoCs described in Indicator (pattern) |
| pe | Windows PE binary extension within a File Object |
| pe & pe-sections | Windows PE binary extension within a File Object |
| pe-section | Sections fields in the Windows PE binary extension (always exported with the related pe object) |
| person | Identity |
| process | Process Objects (potential reference to File Objects) |
| reddit-account | User Account Object and IoCs described in Indicator (pattern) |
| registry-key | Windows Registry Key Object and IoCs described in Indicator (pattern) |
| sigma | Indicator |
| suricata | Indicator |
| telegram-account | User Account Object and IoCs described in Indicator (pattern) |
| twitter-account | User Account Object and IoCs described in Indicator (pattern) |
| url | Url Object and IoCs described in Indicator (pattern) |
| user-account | User Account Object and IoCs described in Indicator (pattern) |
| vulnerability | Vulnerability |
| wazuh-rule | Indicator |
| x509 | X509 Certificate Object and IoCs described in Indicator (pattern) |
| yara | Indicator |
Detailed mapping
The detailed mapping for MISP objects, with explanations and examples, is available here
Galaxies to STIX 2.1 mapping
Summary
| MISP Galaxy Clusters name | STIX Object type |
|---|---|
| mitre-attack-pattern, mitre-enterprise-attack-attack-pattern, mitre-mobile-attack-attack-pattern, mitre-pre-attack-attack-pattern | AttackPattern |
| mitre-course-of-action, mitre-enterprise-attack-course-of-action, mitre-mobile-attack-course-of-action | CourseOfAction |
| mitre-enterprise-attack-intrusion-set, mitre-intrusion-set, mitre-mobile-attack-intrusion-set, mitre-pre-attack-intrusion-set | IntrusionSet |
| android, backdoor, banker, malpedia, mitre-enterprise-attack-malware, mitre-malware, mitre-mobile-attack-malware, ransomware, stealer | Malware |
| microsoft-activity-group, threat-actor | ThreatActor |
| botnet, exploit-kit, mitre-enterprise-attack-tool, mitre-mobile-attack-tool, mitre-tool, rat, tds, tool | Tool |
| branded-vulnerability | Vulnerability |
Detailed mapping
The detailed mapping for galaxies, with explanations and examples, is available here
STIX to MISP
When importing STIX 2.x content into MISP, the converter first determines the origin of the bundle to apply the appropriate parsing strategy:
- Internal: The bundle was originally produced by MISP (detected via the `misp:tool="MISP-STIX-Converter"` label on the `Report` or `Grouping` object). The import performs a faithful round-trip, reconstructing MISP attributes, objects, and galaxy clusters from MISP-specific custom types (`x-misp-attribute`, `x-misp-object`, `x-misp-galaxy-cluster`).
- External: The bundle was produced by a third-party tool. Standard STIX SDOs and SCOs are mapped to MISP attributes, objects, and galaxies using heuristics. SDOs that represent threat intelligence concepts (`AttackPattern`, `Malware`, `ThreatActor`, etc.) are imported as new MISP Galaxy Clusters.
Both use cases are documented for STIX 2.0 and STIX 2.1 in the sections below.
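The origin check and the coarse Event / to_ids / Galaxy Cluster mapping described above, as an added example that is not part of the misp-stix project: it reads a bundle with the standard library only and reports how each object will land in MISP, so a bundle can be triaged before it is uploaded. The sample bundles, identifiers and values are constructed; the version-detection rule, the `stix-2.1-{type}` galaxy name for external STIX 2.1 SDOs (the page documents the 2.0 form) and the treatment of `identity`, `relationship` and `marking-definition` objects are assumptions made for this example.

```python
"""Triage a STIX 2.x bundle the way this section says the MISP importer will.

Added example, not code from the MISP-STIX-Converter project: it applies the
internal/external origin check and tallies what becomes an Event, a to_ids
attribute/object or a Galaxy Cluster. Version detection and the
stix-<version>-<type> name for external 2.1 galaxies are assumptions.
"""
import json

MISP_TOOL_LABEL = 'misp:tool="MISP-STIX-Converter"'
MISP_CUSTOM_TYPES = {"x-misp-attribute", "x-misp-object", "x-misp-galaxy-cluster"}
# What becomes a MISP Event: Report in STIX 2.0, Report or Grouping in STIX 2.1.
EVENT_CONTAINERS = {"2.0": {"report"}, "2.1": {"report", "grouping"}}
# SDOs that become Galaxy Clusters, with the galaxy used for internal bundles
# (table "Galaxies from STIX 2.0"); external bundles get stix-<version>-<type>.
INTERNAL_GALAXY = {
    "attack-pattern": "mitre-attack-pattern",
    "course-of-action": "mitre-course-of-action",
    "intrusion-set": "mitre-intrusion-set",
    "malware": "mitre-malware",
    "threat-actor": "threat-actor",
    "tool": "mitre-tool",
    "vulnerability": "branded-vulnerability",
}
# Assumption: consumed by the importer but not counted as attributes here.
IGNORED_TYPES = {"identity", "marking-definition", "relationship"}


def stix_version(bundle):
    """Assumed detection: a 2.0 bundle carries spec_version, 2.1 objects carry it."""
    if bundle.get("spec_version") == "2.0":
        return "2.0"
    versions = {o.get("spec_version") for o in bundle.get("objects", [])} - {None}
    if versions - {"2.1"}:
        raise ValueError(f"unsupported spec_version values: {sorted(versions)}")
    return "2.1"


def bundle_origin(bundle):
    """'internal' only if a Report/Grouping carries the converter's label.

    Only the container object is inspected, so a third-party bundle that
    happens to put the label on an Indicator is still parsed as external.
    """
    containers = EVENT_CONTAINERS[stix_version(bundle)]
    for obj in bundle.get("objects", []):
        if obj.get("type") in containers and MISP_TOOL_LABEL in obj.get("labels", []):
            return "internal"
    return "external"


def triage(bundle):
    """Return counts of what each object in the bundle will become in MISP."""
    version = stix_version(bundle)
    origin = bundle_origin(bundle)
    objects = bundle.get("objects", [])
    # STIX 2.1 SCOs referenced from Observed Data are imported with their parent.
    referenced_scos = {ref for o in objects if o.get("type") == "observed-data"
                       for ref in o.get("object_refs", [])}
    summary = {"version": version, "origin": origin, "events": 0,
               "to_ids_set": 0, "to_ids_unset": 0, "galaxies": [],
               "misp_custom": 0, "unmapped": []}
    for obj in objects:
        otype = obj.get("type")
        if otype in EVENT_CONTAINERS[version]:
            summary["events"] += 1
        elif otype == "indicator":                # -> Attribute/Object, to_ids set
            summary["to_ids_set"] += 1
        elif otype == "observed-data":            # -> Attribute/Object, to_ids unset
            summary["to_ids_unset"] += 1
        elif otype in INTERNAL_GALAXY:            # -> Galaxy Cluster
            galaxy = INTERNAL_GALAXY[otype] if origin == "internal" else f"stix-{version}-{otype}"
            summary["galaxies"].append(galaxy)
        elif otype in MISP_CUSTOM_TYPES:          # round-trip of MISP-specific data
            summary["misp_custom"] += 1
        elif otype not in IGNORED_TYPES and obj.get("id") not in referenced_scos:
            summary["unmapped"].append(otype)     # surfaced rather than silently dropped
    return summary


def triage_json(text):
    """Same as triage() for a bundle given as JSON text (e.g. a file's content)."""
    return triage(json.loads(text))


# Constructed sample bundles (not real intelligence); UUIDs and values are made up.
INTERNAL_21 = {"type": "bundle", "id": "bundle--0a6e3e2c-5f6d-4f3a-9c3b-000000000001", "objects": [
    {"type": "identity", "spec_version": "2.1", "id": "identity--0a6e3e2c-5f6d-4f3a-9c3b-000000000002",
     "name": "Example CSIRT", "identity_class": "organization"},
    {"type": "grouping", "spec_version": "2.1", "id": "grouping--0a6e3e2c-5f6d-4f3a-9c3b-000000000003",
     "name": "Exported MISP event", "context": "suspicious-activity", "labels": [MISP_TOOL_LABEL],
     "object_refs": ["indicator--0a6e3e2c-5f6d-4f3a-9c3b-000000000004"]},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--0a6e3e2c-5f6d-4f3a-9c3b-000000000004",
     "pattern": "[domain-name:value = 'c2.example.net']", "pattern_type": "stix",
     "valid_from": "2024-01-01T00:00:00Z"},
    {"type": "observed-data", "spec_version": "2.1", "id": "observed-data--0a6e3e2c-5f6d-4f3a-9c3b-000000000005",
     "first_observed": "2024-01-01T00:00:00Z", "last_observed": "2024-01-01T00:00:00Z",
     "number_observed": 1, "object_refs": ["ipv4-addr--0a6e3e2c-5f6d-4f3a-9c3b-000000000006"]},
    {"type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--0a6e3e2c-5f6d-4f3a-9c3b-000000000006",
     "value": "198.51.100.7"},
    {"type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--0a6e3e2c-5f6d-4f3a-9c3b-000000000007",
     "x_misp_type": "comment", "x_misp_value": "analyst note"},
    {"type": "malware", "spec_version": "2.1", "id": "malware--0a6e3e2c-5f6d-4f3a-9c3b-000000000008",
     "name": "SampleLoader", "is_family": True},
]}

EXTERNAL_20 = {"type": "bundle", "spec_version": "2.0", "id": "bundle--0a6e3e2c-5f6d-4f3a-9c3b-000000000011", "objects": [
    {"type": "report", "id": "report--0a6e3e2c-5f6d-4f3a-9c3b-000000000012", "name": "Vendor report",
     "labels": ["threat-report"], "published": "2024-01-01T00:00:00Z",
     "object_refs": ["indicator--0a6e3e2c-5f6d-4f3a-9c3b-000000000013"]},
    {"type": "indicator", "id": "indicator--0a6e3e2c-5f6d-4f3a-9c3b-000000000013", "labels": ["malicious-activity"],
     "pattern": "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']", "valid_from": "2024-01-01T00:00:00Z"},
    {"type": "observed-data", "id": "observed-data--0a6e3e2c-5f6d-4f3a-9c3b-000000000014",
     "first_observed": "2024-01-01T00:00:00Z", "last_observed": "2024-01-01T00:00:00Z", "number_observed": 1,
     "objects": {"0": {"type": "url", "value": "http://phish.example.org/login"}}},
    {"type": "threat-actor", "id": "threat-actor--0a6e3e2c-5f6d-4f3a-9c3b-000000000015",
     "name": "Sample Actor", "labels": ["crime-syndicate"]},
]}

if __name__ == "__main__":
    for bundle in (INTERNAL_21, EXTERNAL_20):
        print(json.dumps(triage(bundle), indent=2))
```

Running the module prints the triage of both constructed bundles: the 2.1 grouping carrying the converter's label is classified as internal and its `malware` SDO is filed under `mitre-malware`, while the vendor 2.0 report is external and its `threat-actor` lands in `stix-2.0-threat-actor`. Because only the Report or Grouping is inspected for the label, a bundle that tags some other object with it is still treated as external.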
STIX 2.0 to MISP
STIX 2.0 Bundles to MISP mapping
Summary
The import of STIX 2.0 content into MISP distinguishes between STIX bundles that were originally produced by MISP (internal) and those produced by third-party tools (external).
| STIX object | MISP datastructure |
|---|---|
| Report | Event |
| Indicator | Attribute or Object (to_ids flag set) |
| Observed Data | Attribute or Object (to_ids flag unset) |
| AttackPattern, CourseOfAction, IntrusionSet, Malware, ThreatActor, Tool, Vulnerability | Galaxy Cluster |
Attributes from STIX 2.0
Summary
The following table mentions the STIX 2.0 object types from which the MISP attributes are imported.
| MISP Attribute type | STIX Object type |
|---|---|
| AS | Autonomous System Object (pattern) / Autonomous System Object and IoCs described in Indicator (pattern) (observable) |
| attachment | File Object (pattern) / Artifact & File Objects and IoCs described in Indicator (pattern) (observable) |
| authentihash | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| campaign-name | Campaign |
| domain | Domain Name Object and IoCs described in Indicator (pattern) (observable) / Domain Name Object (pattern) |
| domain|ip | Domain Name & Ipv4 Addr Objects and IoCs described in Indicator (pattern) (observable) / Domain Name Object (pattern) |
| email | Email Addr Object and IoCs described in Indicator (pattern) (observable) / Email Address Object (pattern) |
| email-attachment | Email Message & File Objects and IoCs described in Indicator (pattern) (observable) / Email Message Object (pattern) |
| email-body | Email Message Object (pattern) / Email Message Object and IoCs described in Indicator (pattern) (observable) |
| email-dst | Email Addr & Email Message Objects and IoCs described in Indicator (pattern) (observable) / Email Message Object (pattern) |
| email-header | Email Message Object (pattern) / Email Message Object and IoCs described in Indicator (pattern) (observable) |
| email-reply-to | Email Message Object (pattern) / Email Message Object and IoCs described in Indicator (pattern) (observable) |
| email-src | Email Addr & Email Message Objects and IoCs described in Indicator (pattern) (observable) / Email Message Object (pattern) |
| email-subject | Email Message Object (pattern) / Email Message Object and IoCs described in Indicator (pattern) (observable) |
| email-x-mailer | Email Message Object (pattern) / Email Message Object and IoCs described in Indicator (pattern) (observable) |
| filename | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| filename|authentihash | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| filename|imphash | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| filename|md5 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| filename|pehash | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| filename|sha1 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| filename|sha224 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| filename|sha256 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| filename|sha3-224 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| filename|sha3-256 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| filename|sha3-384 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| filename|sha3-512 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| filename|sha384 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| filename|sha512 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| filename|sha512/224 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| filename|sha512/256 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| filename|ssdeep | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| filename|tlsh | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| filename|vhash | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| github-username | User Account Object (pattern) / Custom Object |
| hostname | Domain Name Object and IoCs described in Indicator (pattern) (observable) / Domain Name Object (pattern) |
| hostname|port | Domain Name & Network Traffic Objects and IoCs described in Indicator (pattern) (observable) / Domain Name & Network Traffic Objects (pattern) |
| http-method | Network Traffic Object (pattern) / Custom Object |
| imphash | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| ip-dst | Ipv4 Addr & Network Traffic Objects and IoCs described in Indicator (pattern) (observable) / Network Traffic Object (pattern) |
| ip-dst|port | Ipv4 Addr & Network Traffic Objects and IoCs described in Indicator (pattern) (observable) / Network Traffic Object (pattern) |
| ip-src | Ipv4 Addr & Network Traffic Objects and IoCs described in Indicator (pattern) (observable) / Network Traffic Object (pattern) |
| ip-src|port | Ipv4 Addr & Network Traffic Objects and IoCs described in Indicator (pattern) (observable) / Network Traffic Object (pattern) |
| link | URL Object (pattern) / Url Object and IoCs described in Indicator (pattern) (observable) |
| mac-address | Mac Address Object (pattern) / Mac Addr Object and IoCs described in Indicator (pattern) (observable) |
| malware-sample | Artifact & File Objects and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| md5 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| mutex | Mutex Object and IoCs described in Indicator (pattern) (observable) / Mutex Object (pattern) |
| pehash | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| port | Network Traffic Object (pattern) / Custom Object |
| regkey | Windows Registry Key Object and IoCs described in Indicator (pattern) (observable) / Windows Registry Key Object (pattern) |
| regkey|value | Windows Registry Key Object and IoCs described in Indicator (pattern) (observable) / Windows Registry Key Object (pattern) |
| sha1 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| sha224 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| sha256 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| sha3-224 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| sha3-256 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| sha3-384 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| sha3-512 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| sha384 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| sha512 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| sha512/224 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| sha512/256 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| size-in-bytes | File Object (pattern) / Custom Object |
| ssdeep | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| telfhash | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| tlsh | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| uri | Url Object and IoCs described in Indicator (pattern) (observable) / URL Object (pattern) |
| url | Url Object and IoCs described in Indicator (pattern) (observable) / URL Object (pattern) |
| user-agent | Network Traffic Object (pattern) / Custom Object |
| vhash | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| vulnerability | Vulnerability |
| x509-fingerprint-md5 | X509 Certificate Object and IoCs described in Indicator (pattern) (observable) / X509 Certificate Object (pattern) |
| x509-fingerprint-sha1 | X509 Certificate Object and IoCs described in Indicator (pattern) (observable) / X509 Certificate Object (pattern) |
| x509-fingerprint-sha256 | X509 Certificate Object and IoCs described in Indicator (pattern) (observable) / X509 Certificate Object (pattern) |
Detailed mapping
The detailed mapping for attributes, with explanations and examples, is available here
Objects from STIX 2.0
Summary
| MISP Object name | STIX Object type |
|---|---|
| Domain-IP object (custom case) | Domain Name & IPv4/IPv6 Address Objects (observable) |
| Domain-IP object (standard case) | Domain Name & IPv4/IPv6 Address Objects (observable) |
| File object with a Windows PE binary extension | File object with a Windows PE binary extension |
| Script object where state is “Malicious” | Malware |
| Script object where state is not “Malicious” | Tool |
| android-app | Software Object (pattern) / Software Object and IoCs described in Indicator (pattern) (observable) |
| asn | Autonomous System Object (pattern) / Autonomous System Object and IoCs described in Indicator (pattern) (observable) |
| attack-pattern | Attack Pattern |
| course-of-action | Course of Action |
| cpe-asset | Software Object (pattern) / Software Object and IoCs described in Indicator (pattern) (observable) |
| credential | User Account Object (pattern) / User Account Object and IoCs described in Indicator (pattern) (observable) |
| domain-ip | Domain Name Object (pattern) / Domain Name & Ipv4 Addr Objects and IoCs described in Indicator (pattern) (observable) |
| email | Email Message Object (pattern) / Email Addr & Email Message & File Objects and IoCs described in Indicator (pattern) (observable) |
| employee | Identity |
| facebook-account | User Account Object (pattern) / User Account Object and IoCs described in Indicator (pattern) (observable) |
| file | File Object (pattern) / Artifact & Directory & File Objects and IoCs described in Indicator (pattern) (observable) |
| github-user | User Account Object (pattern) / User Account Object and IoCs described in Indicator (pattern) (observable) |
| gitlab-user | User Account Object (pattern) / User Account Object and IoCs described in Indicator (pattern) (observable) |
| http-request | Network Traffic Object (pattern) / Domain Name & Ipv4 Addr & Network Traffic Objects and IoCs described in Indicator (pattern) (observable) |
| identity | Identity |
| image | File Object (pattern) / Artifact & File Objects and IoCs described in Indicator (pattern) (observable) |
| ip-port | Network Traffic Object (pattern) / Ipv4 Addr & Network Traffic Objects and IoCs described in Indicator (pattern) (observable) |
| legal-entity | Identity |
| lnk | File Object (pattern) / Artifact & Directory & File Objects and IoCs described in Indicator (pattern) (observable) |
| mutex | Mutex Object (pattern) / Mutex Object and IoCs described in Indicator (pattern) (observable) |
| netflow | Network Traffic Object (pattern) / Autonomous System & Ipv4 Addr & Network Traffic Objects and IoCs described in Indicator (pattern) (observable) |
| network-connection | Network Traffic Object (pattern) / Ipv4 Addr & Network Traffic Objects and IoCs described in Indicator (pattern) (observable) |
| network-socket | Network Traffic Object (pattern) / Ipv4 Addr & Network Traffic Objects and IoCs described in Indicator (pattern) (observable) |
| news-agency | Identity |
| organization | Identity |
| parler-account | User Account Object (pattern) / User Account Object and IoCs described in Indicator (pattern) (observable) |
| person | Identity |
| process | Process Object (pattern) / File & Process Objects and IoCs described in Indicator (pattern) (observable) |
| reddit-account | User Account Object (pattern) / User Account Object and IoCs described in Indicator (pattern) (observable) |
| registry-key | Windows Registry Key Object (pattern) / Windows Registry Key Object and IoCs described in Indicator (pattern) (observable) |
| telegram-account | User Account Object (pattern) / User Account Object and IoCs described in Indicator (pattern) (observable) |
| twitter-account | User Account Object (pattern) / User Account Object and IoCs described in Indicator (pattern) (observable) |
| url | URL Object (pattern) / Url Object and IoCs described in Indicator (pattern) (observable) |
| user-account | User Account Object (pattern) / User Account Object and IoCs described in Indicator (pattern) (observable) |
| vulnerability | Vulnerability |
| x509 | X509 Certificate Object (pattern) / X509 Certificate Object and IoCs described in Indicator (pattern) (observable) |
Detailed mapping
The detailed mapping for MISP objects, with explanations and examples, is available here
Galaxies from STIX 2.0
Summary
| STIX Object type | MISP Galaxy |
|---|---|
| attack-pattern | Attack Pattern (mitre-attack-pattern) |
| course-of-action | Course of Action (mitre-course-of-action) |
| identity | Sector (sector) |
| intrusion-set | Intrusion Set (mitre-intrusion-set) |
| malware | Malware (mitre-malware) |
| threat-actor | Threat Actor (threat-actor) |
| tool | Tool (mitre-tool) |
| vulnerability | Branded Vulnerability (branded-vulnerability) |
Detailed mapping
The detailed mapping for MISP galaxies from STIX 2.0 bundles, with explanations and examples, is available here
Attributes from External STIX 2.0
Summary
| MISP Attribute type | STIX Object type |
|---|---|
| AS | Autonomous System Object (pattern) / Autonomous System Object and IoCs described in Indicator (pattern) (observable) |
| domain | Domain Name Object and IoCs described in Indicator (pattern) (observable) / Domain Name Object (pattern) |
| email | Email Addr Object and IoCs described in Indicator (pattern) (observable) |
| email-dst | Email Address Object (pattern) / Custom Object |
| ip-dst | Ipv4 Addr Object and IoCs described in Indicator (pattern) (observable) / IPv4/IPv6 Address Object (pattern) |
| mac-address | Mac Addr Object and IoCs described in Indicator (pattern) (observable) / Mac Address Object (pattern) |
| mutex | Mutex Object and IoCs described in Indicator (pattern) (observable) / Mutex Object (pattern) |
| url | Url Object and IoCs described in Indicator (pattern) (observable) / URL Object (pattern) |
Detailed mapping
The detailed mapping for attributes from external STIX 2.0 bundles, with explanations and examples, is available here
Objects from External STIX 2.0
Summary
| MISP Object name | STIX Object type |
|---|---|
| artifact | Artifact Object (pattern) / Artifact Object and IoCs described in Indicator (pattern) (observable) |
| asn | Autonomous System Object (pattern) / Autonomous System Object and IoCs described in Indicator (pattern) (observable) |
| directory | Directory Object (pattern) / Directory Object and IoCs described in Indicator (pattern) (observable) |
| domain-ip | Domain Name Object (pattern) / Domain Name & Ipv4 Addr & Ipv6 Addr Objects and IoCs described in Indicator (pattern) (observable) |
| email | Email Message Object (pattern) / Artifact & Email Addr & Email Message & File Objects and IoCs described in Indicator (pattern) (observable) |
| file | File Object (pattern) / Artifact & Directory & File Objects and IoCs described in Indicator (pattern) (observable) |
| network-socket | Network Traffic Object (pattern) / Custom Object |
| network-traffic | Network Traffic Object (pattern) / Ipv4 Addr & Network Traffic Objects and IoCs described in Indicator (pattern) (observable) |
| process | Process Object (pattern) / Process Object and IoCs described in Indicator (pattern) (observable) |
| registry-key | Windows Registry Key Object (pattern) / Windows Registry Key Object and IoCs described in Indicator (pattern) (observable) |
| software | Software Object (pattern) / Software Object and IoCs described in Indicator (pattern) (observable) |
| user-account | User Account Object (pattern) / User Account Object and IoCs described in Indicator (pattern) (observable) |
| x509 | X509 Certificate Object (pattern) / X509 Certificate Object and IoCs described in Indicator (pattern) (observable) |
Detailed mapping
The detailed mapping for MISP objects from external STIX 2.0 bundles, with explanations and examples, is available here
Galaxies from External STIX 2.0
SDOs in STIX 2.0 bundles produced by third-party tools are imported as new MISP Galaxy Clusters with galaxy type stix-2.0-{object-type}.
Summary
| STIX Object type | MISP Galaxy |
|---|---|
| attack-pattern | STIX 2.0 Attack Pattern (stix-2.0-attack-pattern) |
| campaign | STIX 2.0 Campaign (stix-2.0-campaign) |
| course-of-action | STIX 2.0 Course of Action (stix-2.0-course-of-action) |
| intrusion-set | STIX 2.0 Intrusion Set (stix-2.0-intrusion-set) |
| malware | STIX 2.0 Malware (stix-2.0-malware) |
| threat-actor | STIX 2.0 Threat Actor (stix-2.0-threat-actor) |
| tool | STIX 2.0 Tool (stix-2.0-tool) |
| vulnerability | STIX 2.0 Vulnerability (stix-2.0-vulnerability) |
Detailed mapping
The detailed mapping for MISP galaxies from external STIX 2.0 bundles, with explanations and examples, is available here
STIX 2.1 to MISP
STIX 2.1 Bundles to MISP mapping
Summary
The import of STIX 2.1 content into MISP distinguishes between STIX bundles that were originally produced by MISP (internal) and those produced by third-party tools (external).
| STIX object | MISP datastructure |
|---|---|
| Report or Grouping | Event |
| Indicator | Attribute or Object (to_ids flag set) |
| Observed Data + SCOs | Attribute or Object (to_ids flag unset) |
| AttackPattern, CourseOfAction, IntrusionSet, Malware, ThreatActor, Tool, Vulnerability | Galaxy Cluster |
Attributes from STIX 2.1
Summary
The following table mentions the STIX 2.1 object types from which the MISP attributes are imported.
| MISP Attribute type | STIX Object type |
|---|---|
| AS | Autonomous System Object (pattern) / Autonomous System Object and IoCs described in Indicator (pattern) (observable) |
| attachment | File Object (pattern) / Artifact & File Objects and IoCs described in Indicator (pattern) (observable) |
| authentihash | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| campaign-name | Campaign |
| domain | Domain Name Object and IoCs described in Indicator (pattern) (observable) / Domain Name Object (pattern) |
| domain|ip | Domain Name & Ipv4 Addr Objects and IoCs described in Indicator (pattern) (observable) / Domain Name Object (pattern) |
| email | Email Addr Object and IoCs described in Indicator (pattern) (observable) / Email Address Object (pattern) |
| email-attachment | Email Message & File Objects and IoCs described in Indicator (pattern) (observable) / Email Message Object (pattern) |
| email-body | Email Message Object (pattern) / Email Message Object and IoCs described in Indicator (pattern) (observable) |
| email-dst | Email Addr & Email Message Objects and IoCs described in Indicator (pattern) (observable) / Email Message Object (pattern) |
| email-header | Email Message Object (pattern) / Email Message Object and IoCs described in Indicator (pattern) (observable) |
| email-message-id | Email Message Object (pattern) / Email Message Object and IoCs described in Indicator (pattern) (observable) |
| email-reply-to | Email Message Object (pattern) / Email Message Object and IoCs described in Indicator (pattern) (observable) |
| email-src | Email Addr & Email Message Objects and IoCs described in Indicator (pattern) (observable) / Email Message Object (pattern) |
| email-subject | Email Message Object (pattern) / Email Message Object and IoCs described in Indicator (pattern) (observable) |
| email-x-mailer | Email Message Object (pattern) / Email Message Object and IoCs described in Indicator (pattern) (observable) |
| filename | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| filename|authentihash | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| filename|imphash | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| filename|md5 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| filename|pehash | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| filename|sha1 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| filename|sha224 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| filename|sha256 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| filename|sha3-224 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| filename|sha3-256 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| filename|sha3-384 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| filename|sha3-512 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| filename|sha384 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| filename|sha512 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| filename|sha512/224 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| filename|sha512/256 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| filename|ssdeep | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| filename|tlsh | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| filename|vhash | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| github-username | User Account Object (pattern) / User Account Object and IoCs described in Indicator (pattern) (observable) |
| hostname | Domain Name Object and IoCs described in Indicator (pattern) (observable) / Domain Name Object (pattern) |
| hostname|port | Domain Name & Network Traffic Objects and IoCs described in Indicator (pattern) (observable) / Domain Name & Network Traffic Objects (pattern) |
| http-method | Network Traffic Object (pattern) / Custom Object |
| imphash | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| ip-dst | Ipv4 Addr & Network Traffic Objects and IoCs described in Indicator (pattern) (observable) / Network Traffic Object (pattern) |
| ip-dst|port | Ipv4 Addr & Network Traffic Objects and IoCs described in Indicator (pattern) (observable) / Network Traffic Object (pattern) |
| ip-src | Ipv4 Addr & Network Traffic Objects and IoCs described in Indicator (pattern) (observable) / Network Traffic Object (pattern) |
| ip-src|port | Ipv4 Addr & Network Traffic Objects and IoCs described in Indicator (pattern) (observable) / Network Traffic Object (pattern) |
| link | URL Object (pattern) / Url Object and IoCs described in Indicator (pattern) (observable) |
| mac-address | Mac Address Object (pattern) / Mac Addr Object and IoCs described in Indicator (pattern) (observable) |
| malware-sample | Artifact & File Objects and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| md5 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| mutex | Mutex Object and IoCs described in Indicator (pattern) (observable) / Mutex Object (pattern) |
| pehash | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| port | Network Traffic Object (pattern) / Custom Object |
| regkey | Windows Registry Key Object and IoCs described in Indicator (pattern) (observable) / Windows Registry Key Object (pattern) |
| regkey|value | Windows Registry Key Object and IoCs described in Indicator (pattern) (observable) / Windows Registry Key Object (pattern) |
| sha1 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| sha224 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| sha256 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| sha3-224 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| sha3-256 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| sha3-384 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| sha3-512 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| sha384 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| sha512 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| sha512/224 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| sha512/256 | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| sigma | Indicator |
| size-in-bytes | File Object (pattern) / Custom Object |
| snort | Indicator |
| ssdeep | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| telfhash | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| tlsh | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| uri | Url Object and IoCs described in Indicator (pattern) (observable) / URL Object (pattern) |
| url | Url Object and IoCs described in Indicator (pattern) (observable) / URL Object (pattern) |
| user-agent | Network Traffic Object (pattern) / Custom Object |
| vhash | File Object and IoCs described in Indicator (pattern) (observable) / File Object (pattern) |
| vulnerability | Vulnerability |
| x509-fingerprint-md5 | X509 Certificate Object and IoCs described in Indicator (pattern) (observable) / X509 Certificate Object (pattern) |
| x509-fingerprint-sha1 | X509 Certificate Object and IoCs described in Indicator (pattern) (observable) / X509 Certificate Object (pattern) |
| x509-fingerprint-sha256 | X509 Certificate Object and IoCs described in Indicator (pattern) (observable) / X509 Certificate Object (pattern) |
| yara | Indicator |
Detailed mapping
The detailed mapping for attributes, with explanations and examples, is available here
Objects from STIX 2.1
Summary
| MISP Object name | STIX Object type |
|---|---|
| Domain-IP object (custom case) | Domain Name & IPv4/IPv6 Address Objects (observable) |
| Domain-IP object (standard case) | Domain Name & IPv4/IPv6 Address Objects (observable) |
| File object with a Windows PE binary extension | File object with a Windows PE binary extension |
| Script object where state is “Malicious” | Malware |
| Script object where state is not “Malicious” | Tool |
| android-app | Software Object (pattern) / Software Object and IoCs described in Indicator (pattern) (observable) |
| annotation | Note |
| asn | Autonomous System Object (pattern) / Autonomous System Object and IoCs described in Indicator (pattern) (observable) |
| attack-pattern | Attack Pattern |
| course-of-action | Course of Action |
| cpe-asset | Software Object (pattern) / Software Object and IoCs described in Indicator (pattern) (observable) |
| credential | User Account Object (pattern) / User Account Object and IoCs described in Indicator (pattern) (observable) |
| domain-ip | Domain Name Object (pattern) / Domain Name & Ipv4 Addr Objects and IoCs described in Indicator (pattern) (observable) |
| email | Email Message Object (pattern) / Email Addr & Email Message & File Objects and IoCs described in Indicator (pattern) (observable) |
| employee | Identity |
| facebook-account | User Account Object (pattern) / User Account Object and IoCs described in Indicator (pattern) (observable) |
| file | File Object (pattern) / Artifact & Directory & File Objects and IoCs described in Indicator (pattern) (observable) |
| geolocation | Location |
| github-user | User Account Object (pattern) / User Account Object and IoCs described in Indicator (pattern) (observable) |
| gitlab-user | User Account Object (pattern) / User Account Object and IoCs described in Indicator (pattern) (observable) |
| http-request | Network Traffic Object (pattern) / Domain Name & Ipv4 Addr & Network Traffic Objects and IoCs described in Indicator (pattern) (observable) |
| identity | Identity |
| image | File Object (pattern) / Artifact & File Objects and IoCs described in Indicator (pattern) (observable) |
| ip-port | Network Traffic Object (pattern) / Ipv4 Addr & Network Traffic Objects and IoCs described in Indicator (pattern) (observable) |
| legal-entity | Identity |
| lnk | File Object (pattern) / Artifact & Directory & File Objects and IoCs described in Indicator (pattern) (observable) |
| mutex | Mutex Object (pattern) / Mutex Object and IoCs described in Indicator (pattern) (observable) |
| netflow | Network Traffic Object (pattern) / Autonomous System & Ipv4 Addr & Network Traffic Objects and IoCs described in Indicator (pattern) (observable) |
| network-connection | Network Traffic Object (pattern) / Ipv4 Addr & Network Traffic Objects and IoCs described in Indicator (pattern) (observable) |
| network-socket | Network Traffic Object (pattern) / Ipv4 Addr & Network Traffic Objects and IoCs described in Indicator (pattern) (observable) |
| news-agency | Identity |
| nova-rule | Ule Multimodalinjection { Meta Object (pattern) / Custom Object |
| organization | Identity |
| owasp-crs-rule | Ecrule Tx Object (pattern) / Custom Object |
| parler-account | User Account Object (pattern) / User Account Object and IoCs described in Indicator (pattern) (observable) |
| person | Identity |
| process | Process Object (pattern) / File & Process Objects and IoCs described in Indicator (pattern) (observable) |
| reddit-account | User Account Object (pattern) / User Account Object and IoCs described in Indicator (pattern) (observable) |
| registry-key | Windows Registry Key Object (pattern) / Windows Registry Key Object and IoCs described in Indicator (pattern) (observable) |
| sigma | Indicator |
| suricata | Indicator |
| telegram-account | User Account Object (pattern) / User Account Object and IoCs described in Indicator (pattern) (observable) |
| twitter-account | User Account Object (pattern) / User Account Object and IoCs described in Indicator (pattern) (observable) |
| url | URL Object (pattern) / Url Object and IoCs described in Indicator (pattern) (observable) |
| user-account | User Account Object (pattern) / User Account Object and IoCs described in Indicator (pattern) (observable) |
| vulnerability | Vulnerability |
| wazuh-rule | Rule Id="200996" Level="12"> |
Detailed mapping
The detailed mapping for MISP objects, with explanations and examples, is available here
Galaxies from STIX 2.1
Summary
| STIX Object type | MISP Galaxy |
|---|---|
| attack-pattern | Attack Pattern (mitre-attack-pattern) |
| course-of-action | Course of Action (mitre-course-of-action) |
| identity | Sector (sector) |
| intrusion-set | Intrusion Set (mitre-intrusion-set) |
| malware | Malware (mitre-malware) |
| threat-actor | Threat Actor (threat-actor) |
| tool | Tool (mitre-tool) |
| vulnerability | Branded Vulnerability (branded-vulnerability) |
Detailed mapping
The detailed mapping for MISP galaxies from STIX 2.1 bundles, with explanations and examples, is available here
Attributes from External STIX 2.1
Summary
| MISP Attribute type | STIX Object type |
|---|---|
| AS | Autonomous System Object (pattern) / Autonomous System Object and IoCs described in Indicator (pattern) (observable) / Observable |
| domain | Domain Name Object and IoCs described in Indicator (pattern) (observable) / Domain Name Object (pattern) / Observable |
| email | Email Addr Object and IoCs described in Indicator (pattern) (observable) / Observable |
| email-dst | Email Address Object (pattern) / Custom Object |
| ip-dst | Ipv4 Addr Object and IoCs described in Indicator (pattern) (observable) / IPv4/IPv6 Address Object (pattern) / Observable |
| mac-address | Mac Addr Object and IoCs described in Indicator (pattern) (observable) / Mac Address Object (pattern) / Observable |
| mutex | Mutex Object and IoCs described in Indicator (pattern) (observable) / Mutex Object (pattern) / Observable |
| url | Url Object and IoCs described in Indicator (pattern) (observable) / URL Object (pattern) / Observable |
Detailed mapping
The detailed mapping for attributes from external STIX 2.1 bundles, with explanations and examples, is available here
Objects from External STIX 2.1
Summary
| MISP Object name | STIX Object type |
|---|---|
| artifact | Artifact Object (pattern) / Artifact Object and IoCs described in Indicator (pattern) (observable) / Observable |
| asn | Autonomous System Object (pattern) / Autonomous System Object and IoCs described in Indicator (pattern) (observable) / Observable |
| directory | Directory Object (pattern) / Directory Object and IoCs described in Indicator (pattern) (observable) / Observable |
| domain-ip | Domain Name Object (pattern) / Domain Name & Ipv4 Addr & Ipv6 Addr Objects and IoCs described in Indicator (pattern) (observable) / Observable |
| email | Email Message Object (pattern) / Artifact & Email Addr & Email Message & File Objects and IoCs described in Indicator (pattern) (observable) / Observable |
| file | File Object (pattern) / Artifact & Directory & File Objects and IoCs described in Indicator (pattern) (observable) / Observable |
| network-socket | Network Traffic Object (pattern) / Custom Object |
| network-traffic | Network Traffic Object (pattern) / Ipv4 Addr & Network Traffic Objects and IoCs described in Indicator (pattern) (observable) / Observable |
| process | Process Object (pattern) / Process Object and IoCs described in Indicator (pattern) (observable) / Observable |
| registry-key | Windows Registry Key Object (pattern) / Windows Registry Key Object and IoCs described in Indicator (pattern) (observable) / Observable |
| software | Software Object (pattern) / Software Object and IoCs described in Indicator (pattern) (observable) / Observable |
| user-account | User Account Object (pattern) / User Account Object and IoCs described in Indicator (pattern) (observable) / Observable |
| x509 | X509 Certificate Object (pattern) / X509 Certificate Object and IoCs described in Indicator (pattern) (observable) / Observable |
Detailed mapping
The detailed mapping for MISP objects from external STIX 2.1 bundles, with explanations and examples, is available here
Galaxies from External STIX 2.1
SDOs in STIX 2.1 bundles produced by third-party tools are imported as new MISP Galaxy Clusters with galaxy type stix-2.1-{object-type}.
Summary
| STIX Object type | MISP Galaxy |
|---|---|
| attack-pattern | STIX 2.1 Attack Pattern (stix-2.1-attack-pattern) |
| campaign | STIX 2.1 Campaign (stix-2.1-campaign) |
| course-of-action | STIX 2.1 Course of Action (stix-2.1-course-of-action) |
| intrusion-set | STIX 2.1 Intrusion Set (stix-2.1-intrusion-set) |
| location | STIX 2.1 Location (stix-2.1-location) |
| malware | STIX 2.1 Malware (stix-2.1-malware) |
| threat-actor | STIX 2.1 Threat Actor (stix-2.1-threat-actor) |
| tool | STIX 2.1 Tool (stix-2.1-tool) |
| vulnerability | STIX 2.1 Vulnerability (stix-2.1-vulnerability) |
Detailed mapping
The detailed mapping for MISP galaxies from external STIX 2.1 bundles, with explanations and examples, is available here