mirror of https://github.com/MISP/MISP
EnhancedSighting
Alexandre Dulaunoy edited this page 2017-02-18 17:33:14 +01:00
Enhanced Sighting
The original version of sighting was very minimal (even if it was already an improvement over the STIX 1.0 sighting): it only recorded which organisation sighted which attribute, and when.
Old format (pre 2.4.65)
+---------------+------------+------+-----+---------+----------------+
| Field         | Type       | Null | Key | Default | Extra          |
+---------------+------------+------+-----+---------+----------------+
| id            | int(11)    | NO   | PRI | NULL    | auto_increment |
| attribute_id  | int(11)    | NO   | MUL | NULL    |                |
| event_id      | int(11)    | NO   | MUL | NULL    |                |
| org_id        | int(11)    | NO   | MUL | NULL    |                |
| date_sighting | bigint(20) | NO   |     | NULL    |                |
+---------------+------------+------+-----+---------+----------------+
Extended format (starting from 2.4.66)
Based on common use-cases, a sighting can come from various sources (a honeypot, an IDS sensor, a SIEM). Three fields were added to support this:

- source is an optional free-text field assigned by the organisation to uniquely identify the source of a specific sighting (for example a sensor id). Because each organisation chooses its own values, source is only meaningful together with org_id.
- uuid has been added to allow the sharing of sightings between instances; it is unique, so the same sighting received twice (for example via two sync partners) can be recognised.
- type describes the type of sighting and is 0 by default (the original definition).

type list:
- (0) default sighting, meaning the referenced attribute has been sighted.
- (1) a false-positive sighting, meaning the sighting has been interpreted as a false positive by the organisation.
- (2) an expiration sighting, which defines that the referenced attribute is expired from the given date_sighting onwards.
+---------------+--------------+------+-----+---------+----------------+
| Field         | Type         | Null | Key | Default | Extra          |
+---------------+--------------+------+-----+---------+----------------+
| id            | int(11)      | NO   | PRI | NULL    | auto_increment |
| uuid          | varchar(40)  | NO   | UNI | NULL    |                |
| attribute_id  | int(11)      | NO   | MUL | NULL    |                |
| event_id      | int(11)      | NO   | MUL | NULL    |                |
| org_id        | int(11)      | NO   | MUL | NULL    |                |
| source        | varchar(255) | NO   |     | NULL    |                |
| type          | int(11)      | NO   |     | 0       |                |
| date_sighting | bigint(20)   | NO   |     | NULL    |                |
+---------------+--------------+------+-----+---------+----------------+
The new fields are source, type and uuid.
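As an added example (not MISP's own code), the following Python script shows how a consumer would interpret rows in the extended format for one attribute: it deduplicates on uuid, keys sources by (org_id, source), counts type 0 and type 1 sightings, and derives an expiry from type 2 sightings. The sample rows are constructed and the uuids are placeholders; taking the earliest type-2 date as the effective expiry is an assumption, since the page does not say how several expiration sightings combine.

```python
"""Interpret MISP extended sightings (types 0, 1 and 2) for one attribute.

Added example, not MISP's own code: it reads sighting rows shaped like
the extended format (uuid, attribute_id, event_id, org_id, source, type,
date_sighting as a Unix timestamp) and derives a per-attribute summary.
"""
from pprint import pprint

SIGHTING_DEFAULT = 0         # (0) the attribute has been sighted
SIGHTING_FALSE_POSITIVE = 1  # (1) the org judged the sighting a false positive
SIGHTING_EXPIRATION = 2      # (2) the attribute expires at date_sighting

# Constructed sample rows (uuids are placeholders, not real data). The
# first two rows carry the same uuid, as happens when one sighting is
# received from two sync partners.
SAMPLE_SIGHTINGS = [
    {"uuid": "00000000-0000-4000-8000-000000000001", "attribute_id": 10,
     "event_id": 1, "org_id": 1, "source": "honeypot-01",
     "type": SIGHTING_DEFAULT, "date_sighting": 1486900000},
    {"uuid": "00000000-0000-4000-8000-000000000001", "attribute_id": 10,
     "event_id": 1, "org_id": 1, "source": "honeypot-01",
     "type": SIGHTING_DEFAULT, "date_sighting": 1486900000},
    {"uuid": "00000000-0000-4000-8000-000000000002", "attribute_id": 10,
     "event_id": 1, "org_id": 2, "source": "ids-sensor-7",
     "type": SIGHTING_DEFAULT, "date_sighting": 1486950000},
    {"uuid": "00000000-0000-4000-8000-000000000003", "attribute_id": 10,
     "event_id": 1, "org_id": 3, "source": "siem",
     "type": SIGHTING_FALSE_POSITIVE, "date_sighting": 1486960000},
    {"uuid": "00000000-0000-4000-8000-000000000004", "attribute_id": 10,
     "event_id": 1, "org_id": 1, "source": "",
     "type": SIGHTING_EXPIRATION, "date_sighting": 1489500000},
    {"uuid": "00000000-0000-4000-8000-000000000005", "attribute_id": 11,
     "event_id": 1, "org_id": 2, "source": "ids-sensor-7",
     "type": SIGHTING_DEFAULT, "date_sighting": 1486970000},
]


def summarize_attribute(sightings, attribute_id, now):
    """Summarise the sightings of one attribute as of Unix time `now`.

    Rows are deduplicated on uuid (the field added for sharing), sources
    are keyed by (org_id, source) because `source` is free text chosen by
    each organisation, and the earliest type-2 date is taken as the
    expiry (assumption: the page does not say how competing expiration
    sightings combine).
    """
    seen_uuids = set()
    summary = {
        "sighted": 0,          # number of distinct type-0 sightings
        "false_positive": 0,   # number of distinct type-1 sightings
        "sources": set(),      # (org_id, source) pairs that reported it
        "last_seen": None,     # latest type-0 date_sighting
        "expires_at": None,    # earliest type-2 date_sighting
        "expired": False,      # True once `now` reaches expires_at
    }
    for row in sightings:
        if row["attribute_id"] != attribute_id or row["uuid"] in seen_uuids:
            continue
        seen_uuids.add(row["uuid"])
        kind, when = row["type"], int(row["date_sighting"])
        if kind == SIGHTING_DEFAULT:
            summary["sighted"] += 1
            summary["sources"].add((row["org_id"], row["source"]))
            if summary["last_seen"] is None or when > summary["last_seen"]:
                summary["last_seen"] = when
        elif kind == SIGHTING_FALSE_POSITIVE:
            summary["false_positive"] += 1
        elif kind == SIGHTING_EXPIRATION:
            if summary["expires_at"] is None or when < summary["expires_at"]:
                summary["expires_at"] = when
        else:
            # Only 0, 1 and 2 are defined; refuse to silently drop others.
            raise ValueError("unknown sighting type %r" % (kind,))
    if summary["expires_at"] is not None:
        summary["expired"] = now >= summary["expires_at"]
    return summary


if __name__ == "__main__":
    # Evaluate attribute 10 at a constructed "now" after its expiry date.
    pprint(summarize_attribute(SAMPLE_SIGHTINGS, 10, 1490000000))
```

The duplicate uuid is counted once, the false positive is reported separately from the plain sightings rather than cancelling them (the page defines no such arithmetic), and the expiry only takes effect once the evaluation time reaches the type-2 date_sighting.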