Created EnhancedSighting (markdown)

master
Alexandre Dulaunoy 2017-01-30 22:33:18 +01:00
parent d810511fa4
commit ba18bbf3f3
1 changed files with 48 additions and 0 deletions

EnhancedSighting.md Normal file

@ -0,0 +1,48 @@
# Enhanced Sighting
The original version of sighting was basically very minimal (even if this is was already an improvement over the STIX 1.0 sighting).
## Current format
~~~
+---------------+------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+---------------+------------+------+-----+---------+----------------+
| id | int(11) | NO | PRI | NULL | auto_increment |
| attribute_id | int(11) | NO | MUL | NULL | |
| event_id | int(11) | NO | MUL | NULL | |
| org_id | int(11) | NO | MUL | NULL | |
| date_sighting | bigint(20) | NO | | NULL | |
+---------------+------------+------+-----+---------+----------------+
~~~
## Extended format
Based on common use-cases, sighting can come from various ```source``` (honeypot,
IDS sensor id, SIEM). ```source``` is an optional free text field assigned by the organisation
to uniquely identify the source of a specific sighting. ```uuid``` has been added
to allow the sharing of the sightings. ```type``` describes the type of sighting
which is by default 0 (the original definition).
```type``` list:
- (0) default sighting meaning the referenced attribute has been sighted.
- (1) a false-positive sighting meaning the sighing has been interpreted as a false-positive by the organisation.
- (2) an expiration sighting which defines when the referenced attribute is expired following the defined date_sighting.
~~~
+---------------+------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+---------------+------------+------+-----+---------+----------------+
| id | int(11) | NO | PRI | NULL | auto_increment |
| uuid | varchar(40)| NO | UNI | NULL | |
| attribute_id | int(11) | NO | MUL | NULL | |
| event_id | int(11) | NO | MUL | NULL | |
| org_id | int(11) | NO | MUL | NULL | |
| source | varchar(255)| NO | | NULL | |
| type | int(11) | NO | | 0 | |
| date_sighting | bigint(20) | NO | | NULL | |
+---------------+------------+------+-----+---------+----------------+
~~~
The new fields are ```source```, ```type```, ```uuid```.
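Review bot: the `source` column in the extended-format table is declared `NO` under Null with a `NULL` default, which contradicts the prose a few lines above that calls `source` "an optional free text field"; a row created without a source would fail the NOT NULL constraint. Either allow NULL (`| source | varchar(255)| YES | | NULL | |`) or give it an empty-string default, and say which in the text. The `type` column is an unconstrained `int(11)` while the list documents only values 0, 1 and 2; it would help to state that unknown values must be treated as 0 (the default sighting) by consumers, or to narrow the column, so that a sighting received via sharing cannot carry an undefined meaning. Minor wording fixes for the text: "this is was" should read "this was", and "sighing" in the type 1 bullet should read "sighting".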