2016-10-01 12:18:59 +02:00
% Title = "MISP core format"
% abbrev = "MISP core format"
% category = "info"
% docName = "draft-dulaunoy-misp-core-format"
% ipr= "trust200902"
% area = "Security"
%
% date = 2016-10-01T00:00:00Z
%
% [[author]]
% initials="A."
% surname="Dulaunoy"
% fullname="Alexandre Dulaunoy"
% abbrev="CIRCL"
% organization = "Computer Incident Response Center Luxembourg"
% [author.address]
% email = "alexandre.dulaunoy@circl.lu"
% phone = "+352 247 88444"
% [author.address.postal]
% street = "41, avenue de la gare"
% city = "Luxembourg"
% code = "L-1611"
% country = "Luxembourg"

.# Abstract

This document describes the MISP core format used to exchange indicators and threat information between
MISP (Malware Information and threat Sharing Platform) instances.
The JSON format includes the overall structure along with the semantics associated with each
respective key. The format is described to support other implementations that reuse the
format and to ensure interoperability with existing MISP [@?MISP-P] software and other Threat Intelligence Platforms.

{mainmatter}

# Introduction

Sharing threat information has become a fundamental requirement in the Internet, security and intelligence communities at large. Threat
information can include indicators of compromise, malicious file indicators, financial fraud indicators
or even detailed information about a threat actor. MISP started as an open source project in late 2011 and
over the past years the MISP format has become widely used as an exchange format within the community. The aim of this document
is to describe the specification of the MISP core format.

## Conventions and Terminology

The key words "**MUST**", "**MUST NOT**", "**REQUIRED**", "**SHALL**", "**SHALL NOT**",
"**SHOULD**", "**SHOULD NOT**", "**RECOMMENDED**", "**MAY**", and "**OPTIONAL**" in this
document are to be interpreted as described in RFC 2119 [@!RFC2119].

# Format

## Overview

The MISP core format is in the JSON [@!RFC4627] format. In MISP, an event is composed of a single JSON object.

A capitalized key (like Event, Org) represents a data model and a non-capitalized key is just an attribute. This nomenclature
lets an implementation map the MISP format onto another data structure.

## Event

An event is a simple meta-structure in which attributes and meta-data are embedded to compose a coherent set
of indicators. An event can be built from an incident, a security analysis report or a specific threat actor
analysis. The meaning of an event depends only on the information embedded in the event.

### Event Attributes

#### uuid

uuid represents the Universally Unique IDentifier (UUID) [@!RFC4122] of the event. The uuid MUST be preserved
for any updates or transfer of the same event. UUID version 4 is RECOMMENDED when assigning it to a new event.

uuid is represented as a JSON string. uuid MUST be present.

#### id

id represents the human-readable identifier associated with the event on a specific MISP instance. It is local to that
instance; across instances, the same event is identified by its uuid.

id is represented as a JSON string. id SHALL be present.

#### published

published represents the event publication state. If the event was published, the published value MUST be true.
In any other publication state, the published value MUST be false.

published is represented as a JSON boolean. published MUST be present.

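The following Python validator is an added example and is not MISP project code. It applies the Overview's rule that capitalized keys are data models and non-capitalized keys are attributes, and enforces the uuid, id and published requirements of the Event attributes above on a constructed sample document. It goes a step beyond the text by also showing an update merge that rejects a changed uuid and keeps the receiving instance's local id. The function names, the error class and the sample event are assumptions made for this illustration.

```python
# Added example (not MISP project code): minimal validator for the Event
# core attributes specified above (uuid, id, published) and for the
# capitalized-key/model convention of the Overview. Function names and the
# sample document below are assumptions made for this illustration.
import json
import uuid as uuidlib


class MispFormatError(ValueError):
    """Raised when an event violates a MUST or SHALL requirement."""


def split_keys(obj):
    """Split a JSON object into data models (capitalized keys such as
    Event or Org) and plain attributes (non-capitalized keys)."""
    models = {k: v for k, v in obj.items() if k[:1].isupper()}
    attributes = {k: v for k, v in obj.items() if not k[:1].isupper()}
    return models, attributes


def load_event(text):
    """Parse a document that is a single JSON object carrying an Event
    model; return the Event object."""
    doc = json.loads(text)
    if not isinstance(doc, dict):
        raise MispFormatError("an event is a single JSON object")
    models, _ = split_keys(doc)
    event = models.get("Event")
    if not isinstance(event, dict):
        raise MispFormatError("Event model missing")
    return event


def validate_event(event):
    """Enforce the uuid, id and published rules. Returns a list of warnings
    for RECOMMENDED deviations; raises MispFormatError on MUST/SHALL
    violations."""
    warnings = []
    # uuid: MUST be present and MUST be a JSON string holding an RFC 4122 UUID.
    if "uuid" not in event:
        raise MispFormatError("uuid MUST be present")
    if not isinstance(event["uuid"], str):
        raise MispFormatError("uuid MUST be a JSON string")
    try:
        parsed = uuidlib.UUID(event["uuid"])
    except ValueError:
        raise MispFormatError("uuid is not an RFC 4122 UUID") from None
    if parsed.version != 4:  # version 4 is RECOMMENDED, not required
        warnings.append("uuid version %s: version 4 is RECOMMENDED" % parsed.version)
    # id: SHALL be present and is a JSON string local to one instance.
    if "id" not in event:
        raise MispFormatError("id SHALL be present")
    if not isinstance(event["id"], str):
        raise MispFormatError("id MUST be a JSON string")
    # published: MUST be present and a JSON boolean; 1, "true" or null are rejected.
    if "published" not in event:
        raise MispFormatError("published MUST be present")
    if not isinstance(event["published"], bool):
        raise MispFormatError("published MUST be a JSON boolean")
    return warnings


def apply_update(existing, incoming):
    """Merge an update of the same event into the local copy. The uuid MUST
    be preserved, so a differing uuid denotes a different event and is
    rejected; the local, instance-specific id is kept rather than overwritten."""
    if incoming.get("uuid") != existing.get("uuid"):
        raise MispFormatError("uuid MUST be preserved across updates")
    merged = dict(existing)
    merged.update({k: v for k, v in incoming.items() if k != "id"})
    return merged


# Constructed sample document (not taken from any real MISP instance).
SAMPLE_DOCUMENT = json.dumps({
    "Event": {
        "uuid": "2f1b6c42-3a1e-4b7d-9c52-8e6f1a0d3b9c",  # a version 4 UUID
        "id": "42",
        "published": False,
        "info": "constructed sample event",
        "Org": {"name": "example org"},
    }
})

if __name__ == "__main__":
    event = load_event(SAMPLE_DOCUMENT)
    print("warnings:", validate_event(event))      # []
    print("models:", list(split_keys(event)[0]))   # ['Org']
    # A remote instance publishes the same event under its own local id.
    remote = {"uuid": event["uuid"], "id": "7", "published": True, "info": event["info"]}
    print("published after update:", apply_update(event, remote)["published"])  # True
```

Because `published` is checked with `isinstance(..., bool)`, a producer that serialises the flag as `1` or `"true"` is rejected rather than silently coerced, and an update that arrives with a different uuid is treated as a different event instead of overwriting the local one.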
<reference anchor='MISP-P' target='https://github.com/MISP'>
<front>
<title>MISP Project - Malware Information Sharing Platform and Threat Sharing</title>
<author initials='' surname='MISP' fullname='MISP Community'></author>
<date></date>
</front>
</reference>

{backmatter}

# Acknowledgements

The authors wish to thank all the MISP community for supporting the creation
of open standards in threat intelligence sharing.