MISP · adulau · Feb 26, 2026 · Feb 26, 2026 · Feb 26, 2026 · Feb 26, 2026
diff --git a/objects/ghidra-function/definition.json b/objects/ghidra-function/definition.json
@@ -0,0 +1,122 @@
+{
+  "attributes": {
+    "bsim-signature": {
+      "description": "BSIM signature of the vector",
+      "misp-attribute": "hex",
+      "ui-priority": 0
+    },
+    "bsim-vector": {
+      "description": "comma separated BSIM Feature Vector",
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "calling-convention": {
+      "description": "The calling convention used by the function (e.g., cdecl, stdcall)",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "decompiled-function": {
+      "description": "Ghidra decompiled function",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "decompiler-id": {
+      "description": "ghidra's decompiler version used to generate the FID and BSIM hashes.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "entrypoint-address": {
+      "description": "function entrypoint address (integer in a text for consistency with the entrypoint-address in ELF/PE/Mach-O Objects)",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "external-library": {
+      "description": "external library name if the function is an import",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "fid-fh-hash": {
+      "description": "Function ID FH Function hash",
+      "misp-attribute": "hex",
+      "ui-priority": 0
+    },
+    "fid-fx-hash": {
+      "description": "Function ID FX Extended hash",
+      "misp-attribute": "hex",
+      "ui-priority": 0
+    },
+    "flirt-hash": {
+      "description": "IDA pro FLIRT hash",
+      "misp-attribute": "hex",
+      "ui-priority": 0
+    },
+    "function-name": {
+      "description": "function name",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "function-scope": {
+      "description": "ghidra function scope (export, import, internal)",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "sane_default": [
+        "export",
+        "import",
+        "internal"
+      ],
+      "ui-priority": 0
+    },
+    "function-signature": {
+      "description": "Function signature",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "instruction-count": {
+      "description": "Instruction count",
+      "disable_correlation": true,
+      "misp-attribute": "integer",
+      "ui-priority": 0
+    },
+    "is-thunk": {
+      "description": "identifies a thunk function",
+      "disable_correlation": true,
+      "misp-attribute": "boolean",
+      "ui-priority": 0
+    },
+    "label": {
+      "description": "ghidra symbol label(s) associated with the function",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "language-id": {
+      "description": "Language id of the program (architecture, compiler, etc.)",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "return-type": {
+      "description": "The data type returned by the function",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    }
+  },
+  "description": "ghidra function",
+  "meta-category": "misc",
+  "name": "ghidra-function",
+  "required": [
+    "function-name",
+    "decompiler-id"
+  ],
+  "uuid": "4679fa5b-a9b4-463a-aaec-1ca563abedde",
+  "version": 1
+}