{
"attributes": {
"china_free_email": {
"description": "True if email is a free China email, i.e 163.com.",
"disable_correlation": true,
"misp-attribute": "boolean",
"ui-priority": 1
},
"comment": {
"description": "Field for comments or correlating text",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1
},
"dirty_words_domain": {
"description": "True if domain contains dirty/bad words.",
"disable_correlation": true,
"misp-attribute": "boolean",
"ui-priority": 1
},
"dirty_words_username": {
"description": "True if username contains dirty/bad words.",
"disable_correlation": true,
"misp-attribute": "boolean",
"ui-priority": 1
},
"disposable": {
"description": "True if email is disposable, i.e yopmail.com.",
"disable_correlation": true,
"misp-attribute": "boolean",
"ui-priority": 1
},
"dmarc_configured": {
"description": "True if domain has DMARC records configured.",
"disable_correlation": true,
"misp-attribute": "boolean",
"ui-priority": 1
},
"dmarc_enforced": {
"description": "True if domain is configured for DMARC and set to an enforcement policy.",
"disable_correlation": true,
"misp-attribute": "boolean",
"ui-priority": 1
},
"domain": {
"description": "Email domain.",
"disable_correlation": true,
"misp-attribute": "domain",
"to_ids": false,
"ui-priority": 1
},
"domain_popular": {
"description": "True if domain is a known popular domain.",
"disable_correlation": true,
"misp-attribute": "boolean",
"ui-priority": 1
},
"educational_domain": {
"description": "True if domain is an educational domain, i.e .edu",
"disable_correlation": true,
"misp-attribute": "boolean",
"ui-priority": 1
},
"email": {
"categories": [
"Attribution"
],
"description": "The email address that was queried.",
"misp-attribute": "email",
"to_ids": false,
"ui-priority": 1
},
"free_email": {
"description": "True if email is a free email, i.e gmail.com.",
"disable_correlation": true,
"misp-attribute": "boolean",
"ui-priority": 1
},
"government_domain": {
"description": "True if domain is a government domain, i.e .gov",
"disable_correlation": true,
"misp-attribute": "boolean",
"ui-priority": 1
},
"has_a_records": {
"description": "True if domain has A records configured.",
"disable_correlation": true,
"misp-attribute": "boolean",
"ui-priority": 1
},
"has_mx_records": {
"description": "True if domain has MX records configured.",
"disable_correlation": true,
"misp-attribute": "boolean",
"ui-priority": 1
},
"has_spf_records": {
"description": "True if domain has SPF records configured.",
"disable_correlation": true,
"misp-attribute": "boolean",
"ui-priority": 1
},
"is_spoofable": {
"description": "True if domain does not have SPF records or if ~all is not configured.",
"disable_correlation": true,
"misp-attribute": "boolean",
"ui-priority": 1
},
"police_domain": {
"description": "True if domain is a police domain (such as *polizei*, *police*, etc).",
"disable_correlation": true,
"misp-attribute": "boolean",
"ui-priority": 1
},
"risky_tld": {
"description": "True if domain TLD is risky, i.e .top or .pro.",
"disable_correlation": true,
"misp-attribute": "boolean",
"ui-priority": 1
},
"role_address": {
"description": "True if email is a role address, i.e admin@website.com",
"disable_correlation": true,
"misp-attribute": "boolean",
"ui-priority": 1
},
"russian_free_email": {
"description": "True if email is a free Russian email, i.e mail.ru.",
"disable_correlation": true,
"misp-attribute": "boolean",
"ui-priority": 1
},
"score": {
"description": "A number between 0 (bad) and 100 (good).",
"disable_correlation": true,
"misp-attribute": "float",
"ui-priority": 1
},
"should_block": {
"description": "True if the score is bad (<= 70) and thus it should be blocked.",
"disable_correlation": true,
"misp-attribute": "boolean",
"ui-priority": 1
},
"suspicious_domain": {
"description": "True if domain is suspicious, i.e known spam or parked.",
"disable_correlation": true,
"misp-attribute": "boolean",
"ui-priority": 1
},
"suspicious_email": {
"description": "True if email is considered suspicious.",
"disable_correlation": true,
"misp-attribute": "boolean",
"ui-priority": 1
},
"suspicious_username": {
"description": "True if username is suspicious, i.e only numbers.",
"disable_correlation": true,
"misp-attribute": "boolean",
"ui-priority": 1
},
"username": {
"description": "Username part of the email address (email prefix)",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1
},
"valid_format": {
"description": "True if email has a valid format.",
"disable_correlation": true,
"misp-attribute": "boolean",
"ui-priority": 1
},
"valid_tld": {
"description": "True if domain TLD is valid, i.e .com or .co.uk",
"disable_correlation": true,
"misp-attribute": "boolean",
"ui-priority": 1
}
},
"description": "Apivoid email verification API result. Reference: https://www.apivoid.com/api/email-verify/",
"meta-category": "misc",
"name": "apivoid-email-verification",
"required": [
"email"
],
"requiredOneOf": [
"valid_format",
"username",
"role_address",
"suspicious_username",
"dirty_words_username",
"suspicious_email",
"domain",
"valid_tld",
"disposable",
"has_a_records",
"has_mx_records",
"has_spf_records",
"is_spoofable",
"dmarc_configured",
"dmarc_enforced",
"free_email",
"russian_free_email",
"china_free_email",
"suspicious_domain",
"dirty_words_domain",
"domain_popular",
"risky_tld",
"police_domain",
"government_domain",
"educational_domain",
"should_block",
"score"
],
"uuid": "289492ab-4b74-49ec-add7-cd9b541f2245",
"version": 1
}