From 973cd2160a31ce99a4f505f26155559ea0a24955 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 10 Apr 2026 19:41:54 +0200
Subject: [PATCH] Add dga-domain object template
---
 README.md | 1 +
 objects/dga-domain/definition.json | 76 ++++++++++++++++++++++++++++++
 2 files changed, 77 insertions(+)
 create mode 100644 objects/dga-domain/definition.json
diff --git a/README.md b/README.md
index 955524e0..36162bf4 100644
--- a/README.md
+++ b/README.md
@@ -178,6 +178,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/decoded-qrcode](https://github.com/MISP/misp-objects/blob/main/objects/decoded-qrcode/definition.json) - Object describing a decoded QR code, including its decoded value, original image, and contextual description.
 - [objects/detection](https://github.com/MISP/misp-objects/blob/main/objects/detection/definition.json) - A comprehensive object to document a detection analytic, its logic, robustness, validation, and associated response playbooks. It is based on an advanced detection engineering template that integrates concepts like 'Summiting the Pyramid' for robustness scoring and a 'Funnel of Fidelity' for validation, along with structured SOAR automation steps.
 - [objects/device](https://github.com/MISP/misp-objects/blob/main/objects/device/definition.json) - An object to define a device.
+- [objects/dga-domain](https://github.com/MISP/misp-objects/blob/main/objects/dga-domain/definition.json) - Domain Generation Algorithm (DGA) output and generation context, including the generated domain and associated algorithm parameters (e.g. seed, epoch, TLD strategy, and malware family). Reference: https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_plohmann.pdf.
 - [objects/diameter-attack](https://github.com/MISP/misp-objects/blob/main/objects/diameter-attack/definition.json) - Attack as seen on the diameter signaling protocol supporting LTE networks.
 - [objects/diamond-event](https://github.com/MISP/misp-objects/blob/main/objects/diamond-event/definition.json) - A diamond model event object consisting of the four diamond features advesary, infrastructure, capability and victim, several meta-features and ioc attributes.
 - [objects/directory](https://github.com/MISP/misp-objects/blob/main/objects/directory/definition.json) - Directory object describing a directory with meta-information.
diff --git a/objects/dga-domain/definition.json b/objects/dga-domain/definition.json
new file mode 100644
index 00000000..78b36e37
--- /dev/null
+++ b/objects/dga-domain/definition.json
@@ -0,0 +1,76 @@
+{
+  "attributes": {
+    "algorithm-name": {
+      "description": "Name or identifier of the DGA algorithm.",
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "algorithm-version": {
+      "description": "Version or variant of the DGA algorithm.",
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "counter": {
+      "description": "Generation counter/index for the candidate domain.",
+      "misp-attribute": "counter",
+      "ui-priority": 0
+    },
+    "domain": {
+      "description": "Generated domain name.",
+      "misp-attribute": "domain",
+      "ui-priority": 1
+    },
+    "epoch": {
+      "description": "Epoch, date, or time input used by the DGA.",
+      "misp-attribute": "datetime",
+      "ui-priority": 0
+    },
+    "malware-family": {
+      "description": "Malware family using the DGA.",
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "reference": {
+      "description": "Reference URL for algorithm analysis, source code, or campaign report.",
+      "misp-attribute": "link",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "seed": {
+      "description": "Seed value used by the DGA.",
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "text": {
+      "description": "Additional context about DGA domain generation and usage.",
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "tld": {
+      "description": "Top-level domain generated or selected by the DGA.",
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "validity-end": {
+      "description": "End of expected validity window for the generated domain.",
+      "disable_correlation": true,
+      "misp-attribute": "datetime",
+      "ui-priority": 0
+    },
+    "validity-start": {
+      "description": "Start of expected validity window for the generated domain.",
+      "disable_correlation": true,
+      "misp-attribute": "datetime",
+      "ui-priority": 0
+    }
+  },
+  "description": "Domain Generation Algorithm (DGA) output and generation context, including the generated domain and associated algorithm parameters (e.g. seed, epoch, TLD strategy, and malware family). Reference: https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_plohmann.pdf.",
+  "meta-category": "network",
+  "name": "dga-domain",
+  "requiredOneOf": [
+    "domain",
+    "algorithm-name"
+  ],
+  "uuid": "64ce4c1c-ed8c-48cd-afa9-12b37389118d",
+  "version": 1
+}
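Review bot: The `epoch` attribute is typed `"misp-attribute": "datetime"` while its description promises "Epoch, date, or time input used by the DGA"; a DGA whose input is an integer day/week index or a raw counter-like value cannot be recorded in a datetime attribute without the analyst converting it, so either narrow the description to `"Date or time input used by the DGA."` or type the field as `text` like `seed`. Unlike its datetime siblings `validity-start` and `validity-end`, `epoch` does not set `"disable_correlation": true`, so every object recording the same generation date would correlate on that value across unrelated families; add the flag or state in the description that cross-family correlation on epoch is intended. The same consideration may apply to `counter`, whose small index values are shared by every DGA run, though whether MISP correlates the `counter` type is not visible here. The template `description` also mentions a "TLD strategy", but the only related attribute is `tld`, which holds a single TLD value; consider aligning the description with what the template actually captures.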