mirror of https://github.com/MISP/MISP
Created EnhancedSighting (markdown)
parent d810511fa4
commit ba18bbf3f3
@ -0,0 +1,48 @@
# Enhanced Sighting
The original version of sighting was basically very minimal (even if this is was already an improvement over the STIX 1.0 sighting).
## Current format
~~~
+---------------+------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+---------------+------------+------+-----+---------+----------------+
| id | int(11) | NO | PRI | NULL | auto_increment |
| attribute_id | int(11) | NO | MUL | NULL | |
| event_id | int(11) | NO | MUL | NULL | |
| org_id | int(11) | NO | MUL | NULL | |
| date_sighting | bigint(20) | NO | | NULL | |
+---------------+------------+------+-----+---------+----------------+
~~~
## Extended format
Based on common use-cases, sighting can come from various ```source``` (honeypot,
IDS sensor id, SIEM). ```source``` is an optional free text field assigned by the organisation
to uniquely identify the source of a specific sighting. ```uuid``` has been added
to allow the sharing of the sightings. ```type``` describes the type of sighting
which is by default 0 (the original definition).
```type``` list:
- (0) default sighting meaning the referenced attribute has been sighted.
- (1) a false-positive sighting meaning the sighing has been interpreted as a false-positive by the organisation.
- (2) an expiration sighting which defines when the referenced attribute is expired following the defined date_sighting.
~~~
+---------------+------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+---------------+------------+------+-----+---------+----------------+
| id | int(11) | NO | PRI | NULL | auto_increment |
| uuid | varchar(40)| NO | UNI | NULL | |
| attribute_id | int(11) | NO | MUL | NULL | |
| event_id | int(11) | NO | MUL | NULL | |
| org_id | int(11) | NO | MUL | NULL | |
| source | varchar(255)| NO | | NULL | |
| type | int(11) | NO | | 0 | |
| date_sighting | bigint(20) | NO | | NULL | |
+---------------+------------+------+-----+---------+----------------+
~~~
The new fields are ```source```, ```type```, ```uuid```.
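Review bot: the extended-format table declares `source` with `Null: NO` and `Default: NULL`, while the prose above calls `source` an optional free text field; one of the two should change, either allowing NULL or giving the column a default (for example the empty string) and saying so in the text. `uuid` has the same `NO`/`NULL` combination; if the server generates it on insert when the submitter supplies none, the page should state that, since the field exists to allow sharing. `type` is a plain `int(11)` with documented values 0, 1 and 2 only, so it is worth noting how values outside that list are treated (rejected, or stored and ignored). Finally, in the `type` list, "(1) ... the sighing has been interpreted" should read "sighting".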