Merge pull request #512 from MISP/codex/create-dga-domain-object-and-algorithm

adulau · web-flow · commit 37ca34daf9d0 · 2026-04-11T09:27:49.000+02:00
Add DGA domain object template with algorithm context
diff --git a/README.md b/README.md
@@ -178,6 +178,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/decoded-qrcode](https://github.com/MISP/misp-objects/blob/main/objects/decoded-qrcode/definition.json) - Object describing a decoded QR code, including its decoded value, original image, and contextual description.
 - [objects/detection](https://github.com/MISP/misp-objects/blob/main/objects/detection/definition.json) - A comprehensive object to document a detection analytic, its logic, robustness, validation, and associated response playbooks. It is based on an advanced detection engineering template that integrates concepts like 'Summiting the Pyramid' for robustness scoring and a 'Funnel of Fidelity' for validation, along with structured SOAR automation steps.
 - [objects/device](https://github.com/MISP/misp-objects/blob/main/objects/device/definition.json) - An object to define a device.
+- [objects/dga-domain](https://github.com/MISP/misp-objects/blob/main/objects/dga-domain/definition.json) - Domain Generation Algorithm (DGA) output and generation context, including the generated domain and associated algorithm parameters (e.g. seed, epoch, TLD strategy, and malware family). Reference: https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_plohmann.pdf.
 - [objects/diameter-attack](https://github.com/MISP/misp-objects/blob/main/objects/diameter-attack/definition.json) - Attack as seen on the diameter signaling protocol supporting LTE networks.
 - [objects/diamond-event](https://github.com/MISP/misp-objects/blob/main/objects/diamond-event/definition.json) - A diamond model event object consisting of the four diamond features advesary, infrastructure, capability and victim, several meta-features and ioc attributes.
 - [objects/directory](https://github.com/MISP/misp-objects/blob/main/objects/directory/definition.json) - Directory object describing a directory with meta-information.
diff --git a/objects/dga-domain/definition.json b/objects/dga-domain/definition.json
@@ -0,0 +1,76 @@
+{
+  "attributes": {
+    "algorithm-name": {
+      "description": "Name or identifier of the DGA algorithm.",
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "algorithm-version": {
+      "description": "Version or variant of the DGA algorithm.",
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "counter": {
+      "description": "Generation counter/index for the candidate domain.",
+      "misp-attribute": "counter",
+      "ui-priority": 0
+    },
+    "domain": {
+      "description": "Generated domain name.",
+      "misp-attribute": "domain",
+      "ui-priority": 1
+    },
+    "epoch": {
+      "description": "Epoch, date, or time input used by the DGA.",
+      "misp-attribute": "datetime",
+      "ui-priority": 0
+    },
+    "malware-family": {
+      "description": "Malware family using the DGA.",
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "reference": {
+      "description": "Reference URL for algorithm analysis, source code, or campaign report.",
+      "misp-attribute": "link",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "seed": {
+      "description": "Seed value used by the DGA.",
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "text": {
+      "description": "Additional context about DGA domain generation and usage.",
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "tld": {
+      "description": "Top-level domain generated or selected by the DGA.",
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "validity-end": {
+      "description": "End of expected validity window for the generated domain.",
+      "disable_correlation": true,
+      "misp-attribute": "datetime",
+      "ui-priority": 0
+    },
+    "validity-start": {
+      "description": "Start of expected validity window for the generated domain.",
+      "disable_correlation": true,
+      "misp-attribute": "datetime",
+      "ui-priority": 0
+    }
+  },
+  "description": "Domain Generation Algorithm (DGA) output and generation context, including the generated domain and associated algorithm parameters (e.g. seed, epoch, TLD strategy, and malware family). Reference: https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_plohmann.pdf.",
+  "meta-category": "network",
+  "name": "dga-domain",
+  "requiredOneOf": [
+    "domain",
+    "algorithm-name"
+  ],
+  "uuid": "64ce4c1c-ed8c-48cd-afa9-12b37389118d",
+  "version": 1
+}
