pull/31/head
Deborah Servili 3 years ago
commit 025c2ee432
No known key found for this signature in database
GPG Key ID: 7E3A832850D4D7D1
  1. 2
      README.md
  2. 255
      misp-core-format/raw.md
  3. 111
      misp-galaxy-format/raw.md
  4. 206
      misp-galaxy-format/raw.md.txt
  5. 210
      misp-object-template-format/raw.md
  6. 548
      misp-object-template-format/raw.md.txt
  7. 2
      misp-query-format/raw.md
  8. 306
      misp-query-format/raw.md.txt
  9. 78
      misp-taxonomy-format/raw.md
  10. 210
      misp-taxonomy-format/raw.md.txt
  11. 4
      misp-warninglist-format/raw.md
  12. 8
      sightingdb-format/Makefile
  13. 202
      sightingdb-format/raw.md
  14. 392
      sightingdb-format/raw.md.txt

@ -12,7 +12,7 @@ All the formats can be freely reused by everyone.
* [misp-core-format](misp-core-format/raw.md.txt) ([markdown source](misp-core-format/raw.md)) which describes the core JSON format of MISP. Current Internet-Draft: [07](https://tools.ietf.org/html/draft-dulaunoy-misp-core-format)
* [misp-taxonomy-format](misp-taxonomy-format/raw.md.txt) ([markdown source](misp-taxonomy-format/raw.md)) which describes the taxonomy JSON format of MISP. Current Internet-Draft: [07](https://tools.ietf.org/html/draft-dulaunoy-misp-taxonomy-format)
* [misp-galaxy-format](misp-galaxy-format/raw.md.txt) which describes the [galaxy](https://github.com/MISP/misp-galaxy) template format used to expand the threat actor modelling of MISP. Current Internet-Draft: [06](https://datatracker.ietf.org/doc/draft-dulaunoy-misp-galaxy-format/)
* [misp-object-template-format](misp-object-template-format/raw.md.txt) which describes the [object](https://github.com/MISP/misp-objects) template format to add combinedand composite object to the MISP core format. Current Internet-Draft: [01](https://datatracker.ietf.org/doc/draft-dulaunoy-misp-object-template-format/)
* [misp-object-template-format](misp-object-template-format/raw.md.txt) which describes the [object](https://github.com/MISP/misp-objects) template format to add combinedand composite object to the MISP core format. Current Internet-Draft: [03](https://datatracker.ietf.org/doc/draft-dulaunoy-misp-object-template-format/)
## MISP Format in design phase and implemented in at least one software prototype

@ -1,40 +1,42 @@
% Title = "MISP core format"
% abbrev = "MISP core format"
% category = "info"
% docName = "draft-dulaunoy-misp-core-format"
% ipr= "trust200902"
% area = "Security"
%
% date = 2018-08-08T00:00:00Z
%
% [[author]]
% initials="A."
% surname="Dulaunoy"
% fullname="Alexandre Dulaunoy"
% abbrev="CIRCL"
% organization = "Computer Incident Response Center Luxembourg"
% [author.address]
% email = "alexandre.dulaunoy@circl.lu"
% phone = "+352 247 88444"
% [author.address.postal]
% street = "16, bd d'Avranches"
% city = "Luxembourg"
% code = "L-1160"
% country = "Luxembourg"
% [[author]]
% initials="A."
% surname="Iklody"
% fullname="Andras Iklody"
% abbrev="CIRCL"
% organization = "Computer Incident Response Center Luxembourg"
% [author.address]
% email = "andras.iklody@circl.lu"
% phone = "+352 247 88444"
% [author.address.postal]
% street = "16, bd d'Avranches"
% city = "Luxembourg"
% code = "L-1160"
% country = "Luxembourg"
%%%
Title = "MISP core format"
abbrev = "MISP core format"
category = "info"
docName = "draft-dulaunoy-misp-core-format"
ipr= "trust200902"
area = "Security"
date = 2018-08-08T00:00:00Z
[[author]]
initials="A."
surname="Dulaunoy"
fullname="Alexandre Dulaunoy"
abbrev="CIRCL"
organization = "Computer Incident Response Center Luxembourg"
[author.address]
email = "alexandre.dulaunoy@circl.lu"
phone = "+352 247 88444"
[author.address.postal]
street = "16, bd d'Avranches"
city = "Luxembourg"
code = "L-1160"
country = "Luxembourg"
[[author]]
initials="A."
surname="Iklody"
fullname="Andras Iklody"
abbrev="CIRCL"
organization = "Computer Incident Response Center Luxembourg"
[author.address]
email = "andras.iklody@circl.lu"
phone = "+352 247 88444"
[author.address.postal]
street = "16, bd d'Avranches"
city = "Luxembourg"
code = "L-1160"
country = "Luxembourg"
%%%
.# Abstract
@ -64,7 +66,7 @@ document are to be interpreted as described in RFC 2119 [@!RFC2119].
## Overview
The MISP core format is in the JSON [@!RFC4627] format. In MISP, an event is composed of a single JSON object.
The MISP core format is in the JSON [@!RFC8259] format. In MISP, an event is composed of a single JSON object.
A capitalized key (like Event, Org) represent a data model and a non-capitalised key is just an attribute. This nomenclature
can support an implementation to represent the MISP format in another data structure.
@ -105,7 +107,7 @@ of the event. info **SHOULD** NOT be bigger than 256 characters and **SHOULD** N
info is represented as a JSON string. info **MUST** be present.
#### threat_level_id
#### threat\_level\_id
threat_level_id represents the threat level.
@ -154,13 +156,13 @@ timestamp represents a reference time when the event, or one of the attributes w
timestamp is represented as a JSON string. timestamp **MUST** be present.
#### publish_timestamp
#### publish\_timestamp
publish_timestamp represents a reference time when the event was published on the instance. published_timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). At each publication of an event, publish_timestamp **MUST** be updated. The time zone **MUST** be UTC. If the published_timestamp is present and the published flag is set to false, the publish_timestamp represents the previous publication timestamp. If the event was never published, the published_timestamp **MUST** be set to 0.
publish_timestamp is represented as a JSON string. publish_timestamp **MUST** be present.
#### org_id
#### org\_id
org_id represents a human-readable identifier referencing an Org object of the organisation which generated the event. A human-readable identifier **MUST** be
represented as an unsigned integer.
@ -169,7 +171,7 @@ The org_id **MUST** be updated when the event is generated by a new instance.
org_id is represented as a JSON string. org_id **MUST** be present.
#### orgc_id
#### orgc\_id
orgc_id represents a human-readable identifier referencing an Orgc object of the organisation which created the event.
@ -177,7 +179,7 @@ The orgc_id and Org object **MUST** be preserved for any updates or transfer of
orgc_id is represented as a JSON string. orgc_id **MUST** be present.
#### attribute_count
#### attribute\_count
attribute_count represents the number of attributes in the event. attribute_count is expressed in decimal.
@ -204,7 +206,7 @@ distribution is represented by a JSON string. distribution **MUST** be present a
4
: Sharing Group
#### sharing_group_id
#### sharing\_group\_id
sharing\_group\_id represents a human-readable identifier referencing a Sharing Group object that defines the distribution of the event, if distribution level "4" is set. A human-readable identifier **MUST** be represented as an unsigned integer.
@ -279,7 +281,9 @@ A MISP document **MUST** at least includes category-type-value triplet described
"value": "Hello world",
"SharingGroup": [],
"ShadowAttribute": [],
"RelatedAttribute": []
"RelatedAttribute": [],
"first_seen": "2019-06-02T22:14:28.711954+00:00",
"last_seen": null
}
~~~~
@ -305,52 +309,52 @@ type represents the means through which an attribute tries to describe the inten
type is represented as a JSON string. type **MUST** be present and it **MUST** be a valid selection for the chosen category. The list of valid category-type combinations is as follows:
**Antivirus detection**
Antivirus detection
: link, comment, text, hex, attachment, other, anonymised
**Artifacts dropped**
Artifacts dropped
: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, pdb, stix2-pattern, yara, sigma, attachment, malware-sample, named pipe, mutex, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene, mime-type, anonymised
**Attribution**
Attribution
: threat-actor, campaign-name, campaign-id, whois-registrant-phone, whois-registrant-email, whois-registrant-name, whois-registrant-org, whois-registrar, whois-creation-date, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, dns-soa-email, anonymised
**External analysis**
: md5, sha1, sha256, filename, filename|md5, filename|sha1, filename|sha256, ip-src, ip-dst, ip-dst|port, ip-src|port, mac-address, mac-eui-64, hostname, domain, domain|ip, url, user-agent, regkey, regkey|value, AS, snort, bro, zeek, pattern-in-file, pattern-in-traffic, pattern-in-memory, vulnerability, attachment, malware-sample, link, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, github-repository, other, cortex, anonymised
External analysis
: md5, sha1, sha256, filename, filename|md5, filename|sha1, filename|sha256, ip-src, ip-dst, ip-dst|port, ip-src|port, mac-address, mac-eui-64, hostname, domain, domain|ip, url, user-agent, regkey, regkey|value, AS, snort, bro, zeek, pattern-in-file, pattern-in-traffic, pattern-in-memory, vulnerability, weakness, attachment, malware-sample, link, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, github-repository, other, cortex, anonymised, community-id
**Financial fraud**
: btc, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, phone-number, comment, text, other, hex, anonymised
Financial fraud
: btc, dash, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, phone-number, comment, text, other, hex, anonymised
**Internal reference**
Internal reference
: text, link, comment, other, hex, anonymised
**Network activity**
: ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email-dst, url, uri, user-agent, http-method, AS, snort, pattern-in-file, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised
Network activity
: ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email-dst, url, uri, user-agent, http-method, AS, snort, pattern-in-file, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised, community-id, email-subject
**Other**
Other
: comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean, anonymised
**Payload delivery**
: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, whois-registrant-email, anonymised
Payload delivery
: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, whois-registrant-email, anonymised
**Payload installation**
: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, stix2-pattern, yara, sigma, vulnerability, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, other, mime-type, anonymised
Payload installation
: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, stix2-pattern, yara, sigma, vulnerability, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, other, mime-type, anonymised
**Payload type**
Payload type
: comment, text, other, anonymised
**Persistence mechanism**
Persistence mechanism
: filename, regkey, regkey|value, comment, text, other, hex, anonymised
**Person**
Person
: first-name, middle-name, last-name, date-of-birth, place-of-birth, gender, passport-number, passport-country, passport-expiration, redress-number, nationality, visa-number, issue-date-of-the-visa, primary-residence, country-of-residence, special-service-request, frequent-flyer-number, travel-details, payment-details, place-port-of-original-embarkation, place-port-of-clearance, place-port-of-onward-foreign-destination, passenger-name-record-locator-number, comment, text, other, phone-number, identity-card-number, anonymised
**Social network**
Social network
: github-username, github-repository, github-organisation, jabber-id, twitter-id, email-src, email-dst, comment, text, other, whois-registrant-email, anonymised
**Support Tool**
Support Tool
: link, text, attachment, comment, other, hex, anonymised
**Targeting data**
Targeting data
: target-user, target-email, target-machine, target-org, target-location, target-external, comment, anonymised
Attributes are based on the usage within their different communities. Attributes can be extended on a regular basis and this reference document is updated accordingly.
@ -412,7 +416,7 @@ comment is a contextual comment field.
comment is represented by a JSON string. comment **MAY** be present.
#### sharing_group_id
#### sharing\_group\_id
sharing\_group\_id represents a human-readable identifier referencing a Sharing Group object that defines the distribution of the attribute, if distribution level "4" is set. A human-readable identifier **MUST** be represented as an unsigned integer.
@ -450,6 +454,18 @@ value represents the payload of an attribute. The format of the value is depende
value is represented by a JSON string. value **MUST** be present.
#### first_seen
first_seen represents a reference time when the attribute was first seen. first_seen is expressed as an ISO 8601 datetime up to the micro-second with time zone support.
first_seen is represented as a JSON string. first_seen **MAY** be present.
#### last_seen
last_seen represents a reference time when the attribute was last seen. last_seen is expressed as an ISO 8601 datetime up to the micro-second with time zone support.
last_seen is represented as a JSON string. last_seen **MAY** be present.
## ShadowAttribute
ShadowAttributes are 3rd party created attributes that either propose to add new information to an event or modify existing information. They are not meant to be actionable until the event creator accepts them - at which point they will be converted into attributes or modify an existing attribute.
@ -477,7 +493,9 @@ They are similar in structure to Attributes but additionally carry a reference t
"id": "1",
"name": "MISP",
"uuid": "568cce5a-0c80-412b-8fdf-1ffac0a83869"
}
},
"first_seen": "2019-06-02T22:14:28.711954+00:00",
"last_seen": null
}
~~~~
@ -501,52 +519,52 @@ type represents the means through which an attribute tries to describe the inten
type is represented as a JSON string. type **MUST** be present and it **MUST** be a valid selection for the chosen category. The list of valid category-type combinations is as follows:
**Antivirus detection**
Antivirus detection
: link, comment, text, hex, attachment, other, anonymised
**Artifacts dropped**
Artifacts dropped
: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, pdb, stix2-pattern, yara, sigma, attachment, malware-sample, named pipe, mutex, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene, mime-type, anonymised
**Attribution**
Attribution
: threat-actor, campaign-name, campaign-id, whois-registrant-phone, whois-registrant-email, whois-registrant-name, whois-registrant-org, whois-registrar, whois-creation-date, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, dns-soa-email, anonymised
**External analysis**
: md5, sha1, sha256, filename, filename|md5, filename|sha1, filename|sha256, ip-src, ip-dst, ip-dst|port, ip-src|port, mac-address, mac-eui-64, hostname, domain, domain|ip, url, user-agent, regkey, regkey|value, AS, snort, bro, zeek, pattern-in-file, pattern-in-traffic, pattern-in-memory, vulnerability, attachment, malware-sample, link, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, github-repository, other, cortex, anonymised
External analysis
: md5, sha1, sha256, filename, filename|md5, filename|sha1, filename|sha256, ip-src, ip-dst, ip-dst|port, ip-src|port, mac-address, mac-eui-64, hostname, domain, domain|ip, url, user-agent, regkey, regkey|value, AS, snort, bro, zeek, pattern-in-file, pattern-in-traffic, pattern-in-memory, vulnerability, weakness, attachment, malware-sample, link, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, github-repository, other, cortex, anonymised, community-id
**Financial fraud**
: btc, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, phone-number, comment, text, other, hex, anonymised
Financial fraud
: btc, dash, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, phone-number, comment, text, other, hex, anonymised
**Internal reference**
Internal reference
: text, link, comment, other, hex, anonymised
**Network activity**
: ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email-dst, url, uri, user-agent, http-method, AS, snort, pattern-in-file, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised
Network activity
: ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email-dst, url, uri, user-agent, http-method, AS, snort, pattern-in-file, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised, community-id, email-subject
**Other**
Other
: comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean, anonymised
**Payload delivery**
: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, whois-registrant-email, anonymised
Payload delivery
: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, whois-registrant-email, anonymised
**Payload installation**
: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, stix2-pattern, yara, sigma, vulnerability, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, other, mime-type, anonymised
Payload installation
: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, stix2-pattern, yara, sigma, vulnerability, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, other, mime-type, anonymised
**Payload type**
Payload type
: comment, text, other, anonymised
**Persistence mechanism**
Persistence mechanism
: filename, regkey, regkey|value, comment, text, other, hex, anonymised
**Person**
Person
: first-name, middle-name, last-name, date-of-birth, place-of-birth, gender, passport-number, passport-country, passport-expiration, redress-number, nationality, visa-number, issue-date-of-the-visa, primary-residence, country-of-residence, special-service-request, frequent-flyer-number, travel-details, payment-details, place-port-of-original-embarkation, place-port-of-clearance, place-port-of-onward-foreign-destination, passenger-name-record-locator-number, comment, text, other, phone-number, identity-card-number, anonymised
**Social network**
Social network
: github-username, github-repository, github-organisation, jabber-id, twitter-id, email-src, email-dst, comment, text, other, whois-registrant-email, anonymised
**Support Tool**
Support Tool
: link, text, attachment, comment, other, hex, anonymised
**Targeting data**
Targeting data
: target-user, target-email, target-machine, target-org, target-location, target-external, comment, anonymised
Attributes are based on the usage within their different communities. Attributes can be extended on a regular basis and this reference document is updated accordingly.
@ -620,6 +638,18 @@ the sample **MUST** be encrypted using a password protected zip archive, with th
data is represented by a JSON string in base64 encoding. data **MUST** be set for shadow attributes of type malware-sample and attachment.
#### first_seen
first_seen represents a reference time when the attribute was first seen. first_seen as an ISO 8601 datetime up to the micro-second with time zone support.
first_seen is represented as a JSON string. first_seen **MAY** be present.
#### last_seen
last_seen represents a reference time when the attribute was last seen. last_seen as an ISO 8601 datetime up to the micro-second with time zone support.
last_seen is represented as a JSON string. last_seen **MAY** be present.
### Org
An Org object is composed of an uuid, name and id.
@ -658,9 +688,10 @@ The schema used is described by the template_uuid and template_version fields.
A MISP document containing an Object **MUST** contain a name, a meta-category, a description, a template_uuid and a template_version as described in the "Object Attributes" section.
### Sample Object object
### Sample Object
~~~~~
{#fig-sample-object}
~~~
"Object": {
"id": "588",
"name": "file",
@ -693,11 +724,15 @@ A MISP document containing an Object **MUST** contain a name, a meta-category, a
"object_id": "588",
"object_relation": "filename",
"value": "StarCraft.exe",
"ShadowAttribute": []
}
"ShadowAttribute": [],
"first_seen": null,
"last_seen": null
},
"first_seen": "2019-06-02T22:14:28.711954+00:00",
"last_seen": null
]
}
~~~~~
~~~
### Object Attributes
@ -732,19 +767,19 @@ description is a human-readable description of the given object type, as derived
description is represented as a JSON string. id **SHALL** be present.
#### template_uuid
#### template\_uuid
uuid represents the Universally Unique IDentifier (UUID) [@!RFC4122] of the template used to create the object. The uuid **MUST** be preserved
to preserve the object's association with the correct template used for creation. UUID version 4 is **RECOMMENDED** when assigning it to a new object.
#### template_version
#### template\_version
template_version represents a numeric incrementing version of the template used to create the object. It is used to associate the object to the
correct version of the template and together with the template_uuid forms an association to the correct template type and version.
version is represented as a JSON string. version **MUST** be present.
#### event_id
#### event\_id
event_id represents the human-readable identifier of the event that the object belongs to on a specific MISP instance. A human-readable identifier **MUST** be
represented as an unsigned integer.
@ -778,7 +813,7 @@ distribution is represented by a JSON string. distribution **MUST** be present a
4
: Sharing Group
#### sharing_group_id
#### sharing\_group\_id
sharing\_group\_id represents a human-readable identifier referencing a Sharing Group object that defines the distribution of the object, if distribution level "4" is set. A human-readable identifier **MUST** be represented as an unsigned integer.
@ -802,13 +837,25 @@ Attribute is an array of attributes that describe the object with data.
Each attribute in an object **MUST** contain the parent event's ID in the event_id field and the parent object's ID in the object_id field.
#### first\_seen
first_seen represents a reference time when the object was first seen. first_seen as an ISO 8601 datetime up to the micro-second with time zone support.
first_seen is represented as a JSON string. first_seen **MAY** be present.
#### last\_seen
last_seen represents a reference time when the object was last seen. last_seen as an ISO 8601 datetime up to the micro-second with time zone support.
last_seen is represented as a JSON string. last_seen **MAY** be present.
## Object References
Object References serve as a logical link between an Object and another referenced Object or Attribute. The relationship is categorised by an enumerated value from a fixed vocabulary.
The relationship_type is recommended to be taken from the MISP object relationship list [[@?MISP-R]] is **RECOMMENDED** to ensure a coherent naming of the tags
The relationship\_type is recommended to be taken from the MISP object relationship list [[@?MISP-R]] is **RECOMMENDED** to ensure a coherent naming of the tags
All Object References **MUST** contain an object_uuid, a referenced_uuid and a relationship type.
All Object References **MUST** contain an object\_uuid, a referenced\_uuid and a relationship type.
### Sample ObjectReference object
@ -892,14 +939,14 @@ deleted represents a setting that allows object references to be revoked. Revoke
deleted is represented by a JSON boolean. deleted **MUST** be present.
#### object_uuid
#### object\_uuid
object_uuid represents the Universally Unique IDentifier (UUID) [@!RFC4122] of the object that the given object reference belongs to. The object_uuid **MUST** be preserved
object\_uuid represents the Universally Unique IDentifier (UUID) [@!RFC4122] of the object that the given object reference belongs to. The object\_uuid **MUST** be preserved
to preserve the object reference's association with the object.
#### referenced_uuid
#### referenced\_uuid
referenced_uuid represents the Universally Unique IDentifier (UUID) [@!RFC4122] of the object or attribute that is being referenced by the object reference. The referenced_uuid **MUST** be preserved
referenced\_uuid represents the Universally Unique IDentifier (UUID) [@!RFC4122] of the object or attribute that is being referenced by the object reference. The referenced\_uuid **MUST** be preserved
to preserve the object reference's association with the object or attribute.
## Tag

@ -1,55 +1,56 @@
% Title = "MISP galaxy format"
% abbrev = "MISP galaxy format"
% category = "info"
% docName = "draft-dulaunoy-misp-galaxy-format"
% ipr= "trust200902"
% area = "Security"
%
% date = 2018-09-20T00:00:00Z
%
% [[author]]
% initials="A."
% surname="Dulaunoy"
% fullname="Alexandre Dulaunoy"
% abbrev="CIRCL"
% organization = "Computer Incident Response Center Luxembourg"
% [author.address]
% email = "alexandre.dulaunoy@circl.lu"
% phone = "+352 247 88444"
% [author.address.postal]
% street = "16, bd d'Avranches"
% city = "Luxembourg"
% code = "L-1611"
% country = "Luxembourg"
% [[author]]
% initials="A."
% surname="Iklody"
% fullname="Andras Iklody"
% abbrev="CIRCL"
% organization = "Computer Incident Response Center Luxembourg"
% [author.address]
% email = "andras.iklody@circl.lu"
% phone = "+352 247 88444"
% [author.address.postal]
% street = " 16, bd d'Avranches"
% city = "Luxembourg"
% code = "L-1611"
% country = "Luxembourg"
% [[author]]
% initials="D."
% surname="Servili"
% fullname="Deborah Servili"
% abbrev="CIRCL"
% organization = "Computer Incident Response Center Luxembourg"
% [author.address]
% email = "deborah.servili@circl.lu"
% phone = "+352 247 88444"
% [author.address.postal]
% street = " 16, bd d'Avranches"
% city = "Luxembourg"
% code = "L-1611"
% country = "Luxembourg"
%%%
Title = "MISP galaxy format"
abbrev = "MISP galaxy format"
category = "info"
docName = "draft-dulaunoy-misp-galaxy-format"
ipr= "trust200902"
area = "Security"
date = 2019-10-04T00:00:00Z
[[author]]
initials="A."
surname="Dulaunoy"
fullname="Alexandre Dulaunoy"
abbrev="CIRCL"
organization = "Computer Incident Response Center Luxembourg"
[author.address]
email = "alexandre.dulaunoy@circl.lu"
phone = "+352 247 88444"
[author.address.postal]
street = "16, bd d'Avranches"
city = "Luxembourg"
code = "L-1611"
country = "Luxembourg"
[[author]]
initials="A."
surname="Iklody"
fullname="Andras Iklody"
abbrev="CIRCL"
organization = "Computer Incident Response Center Luxembourg"
[author.address]
email = "andras.iklody@circl.lu"
phone = "+352 247 88444"
[author.address.postal]
street = " 16, bd d'Avranches"
city = "Luxembourg"
code = "L-1611"
country = "Luxembourg"
[[author]]
initials="D."
surname="Servili"
fullname="Deborah Servili"
abbrev="CIRCL"
organization = "Computer Incident Response Center Luxembourg"
[author.address]
email = "deborah.servili@circl.lu"
phone = "+352 247 88444"
[author.address.postal]
street = " 16, bd d'Avranches"
city = "Luxembourg"
code = "L-1611"
country = "Luxembourg"
%%%
.# Abstract
@ -74,11 +75,11 @@ document are to be interpreted as described in RFC 2119 [@!RFC2119].
A cluster is composed of a value (**MUST**), a description (**OPTIONAL**) and metadata (**OPTIONAL**).
Clusters are represented as a JSON [@!RFC4627] dictionary.
Clusters are represented as a JSON [@!RFC8259] dictionary.
## Overview
The MISP galaxy format uses the JSON [@!RFC4627] format. Each galaxy is represented as a JSON object with meta information including the following fields: name, uuid, description, version, type, authors, source, values, category.
The MISP galaxy format uses the JSON [@!RFC8259] format. Each galaxy is represented as a JSON object with meta information including the following fields: name, uuid, description, version, type, authors, source, values, category.
name defines the name of the galaxy. The name is represented as a string and **MUST** be present. The uuid represents the Universally Unique IDentifier (UUID) [@!RFC4122] of the object reference. The uuid **MUST** be preserved. For any updates or transfer of the same object reference. UUID version 4 is **RECOMMENDED** when assigning it to a new object reference and **MUST** be present. The description is represented as a string and **MUST** be present. The uuid is represented as a string and **MUST** be present. The version is represented as a decimal and **MUST** be present. The type is represented as a string and **MUST** be present and **MUST** match the name of the galaxy file. The source is represented as a string and **MUST** be present. Authors are represented as an array containing one or more authors and **MUST** be present. The category is represented as a string and **MUST** be present and describes the overall category of the galaxy such as tool or actor.
@ -104,7 +105,7 @@ Related contains a list of JSON key value pairs which describe the related value
## meta
Meta contains a list of custom defined JSON key value pairs. Users **SHOULD** reuse commonly used keys such as complexity, effectiveness, country, possible_issues, colour, motive, impact, refs, synonyms, status, date, encryption, extensions, ransomnotes, ransomnotes-filenames, ransomnotes-refs, suspected-victims, suspected-state-sponsor, type-of-incident, target-category, cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-category, attribution-confidence, payment-method, price, spoken-language wherever applicable.
Meta contains a list of custom defined JSON key value pairs. Users **SHOULD** reuse commonly used keys such as complexity, effectiveness, country, possible_issues, colour, motive, impact, refs, synonyms, status, date, encryption, extensions, ransomnotes, ransomnotes-filenames, ransomnotes-refs, suspected-victims, suspected-state-sponsor, type-of-incident, target-category, cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-category, attribution-confidence, payment-method, price, spoken-language wherever applicable. Additional meta field **MAY** be added without the need to be referenced or registered in advance.
refs, synonyms **SHALL** be used to give further informations. refs is represented as an array containing one or more strings and **SHALL** be present. synonyms is represented as an array containing one or more strings and **SHALL** be present.

@ -5,8 +5,8 @@
Network Working Group A. Dulaunoy
Internet-Draft A. Iklody
Intended status: Informational D. Servili
Expires: March 24, 2019 CIRCL
September 20, 2018
Expires: April 6, 2020 CIRCL
October 4, 2019
MISP galaxy format
@ -38,11 +38,11 @@ Status of This Memo
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 24, 2019.
This Internet-Draft will expire on April 6, 2020.
Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the
Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
@ -53,9 +53,9 @@ Copyright Notice
Dulaunoy, et al. Expires March 24, 2019 [Page 1]
Dulaunoy, et al. Expires April 6, 2020 [Page 1]
Internet-Draft MISP galaxy format September 2018
Internet-Draft MISP galaxy format October 2019
to this document. Code Components extracted from this document must
@ -72,14 +72,14 @@ Table of Contents
2.2. values . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.3. related . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.4. meta . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. JSON Schema . . . . . . . . . . . . . . . . . . . . . . . . . 8
3. JSON Schema . . . . . . . . . . . . . . . . . . . . . . . . . 9
3.1. MISP galaxy format - galaxy . . . . . . . . . . . . . . . 9
3.2. MISP galaxy format - clusters . . . . . . . . . . . . . . 9
4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 13
5. References . . . . . . . . . . . . . . . . . . . . . . . . . 13
5.1. Normative References . . . . . . . . . . . . . . . . . . 13
5.2. Informative References . . . . . . . . . . . . . . . . . 13
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14
3.2. MISP galaxy format - clusters . . . . . . . . . . . . . . 10
4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 14
5. References . . . . . . . . . . . . . . . . . . . . . . . . . 14
5.1. Normative References . . . . . . . . . . . . . . . . . . 14
5.2. Informative References . . . . . . . . . . . . . . . . . 14
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15
1. Introduction
@ -109,9 +109,9 @@ Table of Contents
Dulaunoy, et al. Expires March 24, 2019 [Page 2]
Dulaunoy, et al. Expires April 6, 2020 [Page 2]
Internet-Draft MISP galaxy format September 2018
Internet-Draft MISP galaxy format October 2019
2. Format
@ -119,11 +119,11 @@ Internet-Draft MISP galaxy format September 2018
A cluster is composed of a value (MUST), a description (OPTIONAL) and
metadata (OPTIONAL).
Clusters are represented as a JSON [RFC4627] dictionary.
Clusters are represented as a JSON [RFC8259] dictionary.
2.1. Overview
The MISP galaxy format uses the JSON [RFC4627] format. Each galaxy
The MISP galaxy format uses the JSON [RFC8259] format. Each galaxy
is represented as a JSON object with meta information including the
following fields: name, uuid, description, version, type, authors,
source, values, category.
@ -165,9 +165,9 @@ Internet-Draft MISP galaxy format September 2018
Dulaunoy, et al. Expires March 24, 2019 [Page 3]
Dulaunoy, et al. Expires April 6, 2020 [Page 3]
Internet-Draft MISP galaxy format September 2018
Internet-Draft MISP galaxy format October 2019
dest-uuid represents the target UUID which encompasses a relation of
@ -195,7 +195,9 @@ Internet-Draft MISP galaxy format September 2018
filenames, ransomnotes-refs, suspected-victims, suspected-state-
sponsor, type-of-incident, target-category, cfr-suspected-victims,
cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-
category, attribution-confidence wherever applicable.
category, attribution-confidence, payment-method, price wherever
applicable. Additional meta field MAY be added without the need to
be referenced or registered in advance.
refs, synonyms SHALL be used to give further informations. refs is
represented as an array containing one or more strings and SHALL be
@ -216,16 +218,16 @@ Internet-Draft MISP galaxy format September 2018
complexity, effectiveness, impact, possible_issues MAY be used to
give further information in preventive-measure galaxy. complexity is
represented by an enumerated value from a fixed vocabulary and SHALL
be present. effectiveness is represented by an enumerated value from
a fixed vocabulary and SHALL be present. impact is represented by an
Dulaunoy, et al. Expires March 24, 2019 [Page 4]
Dulaunoy, et al. Expires April 6, 2020 [Page 4]
Internet-Draft MISP galaxy format September 2018
Internet-Draft MISP galaxy format October 2019
be present. effectiveness is represented by an enumerated value from
a fixed vocabulary and SHALL be present. impact is represented by an
enumerated value from a fixed vocabulary and SHALL be present.
possible_issues is represented as a string and SHOULD be present.
@ -275,11 +277,9 @@ Internet-Draft MISP galaxy format September 2018
Dulaunoy, et al. Expires March 24, 2019 [Page 5]
Dulaunoy, et al. Expires April 6, 2020 [Page 5]
Internet-Draft MISP galaxy format September 2018
Internet-Draft MISP galaxy format October 2019
{
@ -303,14 +303,16 @@ Internet-Draft MISP galaxy format September 2018
}
encryption, extensions, ransomnotes, ransomnotes-filenames,
ransomnotes-refs MAY be used to give further information in
ransomware galaxy. encryption is represented as a string and SHALL be
present. extensions is represented as an array containing one or more
strings and SHALL be present. ransomnotes is represented as an array
containing one or more strings ans SHALL be present. ransomnotes-
filenames is represented as an array containing one or more strings
ans SHALL be present. ransomnotes-refs is represented as an array
containing one or more strings ans SHALL be present.
ransomnotes-refs, payment-method, price MAY be used to give further
information in ransomware galaxy. encryption is represented as a
string and SHALL be present. extensions is represented as an array
containing one or more strings and SHALL be present. ransomnotes is
represented as an array containing one or more strings ans SHALL be
present. ransomnotes-filenames is represented as an array containing
one or more strings ans SHALL be present. ransomnotes-refs is
represented as an array containing one or more strings ans SHALL be
present. payment-method is represented as a string and SHALL be
present. price is represented as a string and SHALL be present.
Example use of the encryption, extensions, ransomnotes fields in the
ransomware galaxy:
@ -331,11 +333,9 @@ Internet-Draft MISP galaxy format September 2018
Dulaunoy, et al. Expires March 24, 2019 [Page 6]
Dulaunoy, et al. Expires April 6, 2020 [Page 6]
Internet-Draft MISP galaxy format September 2018
Internet-Draft MISP galaxy format October 2019
{
@ -356,11 +356,44 @@ Internet-Draft MISP galaxy format September 2018
"value": "Ryuk ransomware"
}
Example use of the payment-method, price fields in the ransomware
galaxy:
{
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
"meta": {
"date": "March 2017",
"encryption": "AES-128",
"extensions": [
".enc"
],
"payment-method": "Bitcoin",
"price": "0.1",
"ransomnotes": [
"Blocked Your computer has been blocked All your files are encrypted. To access your PC, you need to send to Bitcoin at the address below loading Step 1: Go to xxxxs : //wvw.coinbase.com/ siqnup Step 2: Create an account and follow the instructions Step 3: Go to the \"Buy Bitcoins\" section and then buy Bitcoin Step 4: Go to the \"Send\" section, enter the address above and the amount (0.1 Bitcoin) Step 5: Click on the button below to verify the payment, your files will be decrypted and the virus will disappear 'Check' If you try to bypass the lock, all files will be published on the Internet, as well as your login for all sites."
],
"refs": [
"https://id-ransomware.blogspot.co.il/2017/03/cryptomeister-ransomware.html"
]
},
"uuid": "4c76c845-c5eb-472c-93a1-4178f86c319b",
"value": "CryptoMeister Ransomware"
}
source-uuid, target-uuid SHALL be used to describe relationships.
source-uuid and target-uuid represent the Universally Unique
IDentifier (UUID) [RFC4122] of the value reference. source-uuid and
target-uuid MUST be preserved.
Dulaunoy, et al. Expires April 6, 2020 [Page 7]
Internet-Draft MISP galaxy format October 2019
Example use of the source-uuid, target-uuid fields in the mitre-
enterprise-attack-relationship galaxy:
@ -387,16 +420,35 @@ Internet-Draft MISP galaxy format September 2018
exhaustive list of possible values for cfr-target-category includes
"Private sector", "Government", "Civil society", "Military".
Example use of the cfr-suspected-victims, cfr-suspected-state-
sponsor, cfr-type-of-incident, cfr-target-category fields in the
threat-actor galaxy:
Dulaunoy, et al. Expires March 24, 2019 [Page 7]
Internet-Draft MISP galaxy format September 2018
Example use of the cfr-suspected-victims, cfr-suspected-state-
sponsor, cfr-type-of-incident, cfr-target-category fields in the
threat-actor galaxy:
Dulaunoy, et al. Expires April 6, 2020 [Page 8]
Internet-Draft MISP galaxy format October 2019
{
"meta": {
@ -441,16 +493,18 @@ Internet-Draft MISP galaxy format September 2018
formats. The main format is the MISP galaxy format used for the
clusters.
3.1. MISP galaxy format - galaxy
Dulaunoy, et al. Expires March 24, 2019 [Page 8]
Internet-Draft MISP galaxy format September 2018
3.1. MISP galaxy format - galaxy
Dulaunoy, et al. Expires April 6, 2020 [Page 9]
Internet-Draft MISP galaxy format October 2019
{
"$schema": "http://json-schema.org/schema#",
@ -498,16 +552,16 @@ Internet-Draft MISP galaxy format September 2018
{
"$schema": "http://json-schema.org/schema#",
"title": "Validator for misp-galaxies - Clusters",
"id": "https://www.github.com/MISP/misp-galaxies/schema_clusters.json",
"type": "object",
Dulaunoy, et al. Expires March 24, 2019 [Page 9]
Dulaunoy, et al. Expires April 6, 2020 [Page 10]
Internet-Draft MISP galaxy format September 2018
Internet-Draft MISP galaxy format October 2019
"id": "https://www.github.com/MISP/misp-galaxies/schema_clusters.json",
"type": "object",
"additionalProperties": false,
"properties": {
"description": {
@ -554,16 +608,16 @@ Internet-Draft MISP galaxy format September 2018
"type": "object"
},
"properties": {
"dest-uuid": {
"type": "string"
Dulaunoy, et al. Expires March 24, 2019 [Page 10]
Dulaunoy, et al. Expires April 6, 2020 [Page 11]
Internet-Draft MISP galaxy format September 2018
Internet-Draft MISP galaxy format October 2019
"dest-uuid": {
"type": "string"
},
"type": {
"type": "string"
@ -610,16 +664,16 @@ Internet-Draft MISP galaxy format September 2018
"type": "string"
},
"refs": {
"type": "array",
"uniqueItems": true,
Dulaunoy, et al. Expires March 24, 2019 [Page 11]
Dulaunoy, et al. Expires April 6, 2020 [Page 12]
Internet-Draft MISP galaxy format September 2018
Internet-Draft MISP galaxy format October 2019
"type": "array",
"uniqueItems": true,
"items": {
"type": "string"
}
@ -666,16 +720,16 @@ Internet-Draft MISP galaxy format September 2018
"type": "array",
"uniqueItems": true,
"items": {
"type": "string"
}
Dulaunoy, et al. Expires March 24, 2019 [Page 12]
Dulaunoy, et al. Expires April 6, 2020 [Page 13]
Internet-Draft MISP galaxy format September 2018
Internet-Draft MISP galaxy format October 2019
"type": "string"
}
}
},
"required": [
@ -710,10 +764,10 @@ Internet-Draft MISP galaxy format September 2018
DOI 10.17487/RFC4122, July 2005,
<https://www.rfc-editor.org/info/rfc4122>.
[RFC4627] Crockford, D., "The application/json Media Type for
JavaScript Object Notation (JSON)", RFC 4627,
DOI 10.17487/RFC4627, July 2006,
<https://www.rfc-editor.org/info/rfc4627>.
[RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
Interchange Format", STD 90, RFC 8259,
DOI 10.17487/RFC8259, December 2017,
<https://www.rfc-editor.org/info/rfc8259>.
5.2. Informative References
@ -725,9 +779,11 @@ Internet-Draft MISP galaxy format September 2018
Dulaunoy, et al. Expires March 24, 2019 [Page 13]
Dulaunoy, et al. Expires April 6, 2020 [Page 14]
Internet-Draft MISP galaxy format September 2018
Internet-Draft MISP galaxy format October 2019
[JSON-SCHEMA]
@ -781,9 +837,9 @@ Authors' Addresses
Dulaunoy, et al. Expires March 24, 2019 [Page 14]
Dulaunoy, et al. Expires April 6, 2020 [Page 15]
Internet-Draft MISP galaxy format September 2018
Internet-Draft MISP galaxy format October 2019
Deborah Servili
@ -837,4 +893,4 @@ Internet-Draft MISP galaxy format September 2018
Dulaunoy, et al. Expires March 24, 2019 [Page 15]
Dulaunoy, et al. Expires April 6, 2020 [Page 16]

@ -1,40 +1,42 @@
% Title = "MISP object template format"
% abbrev = "MISP object template format"
% category = "info"
% docName = "draft-dulaunoy-misp-object-template-format"
% ipr= "trust200902"
% area = "Security"
%
% date = 2018-04-10T00:00:00Z
%
% [[author]]
% initials="A."
% surname="Dulaunoy"
% fullname="Alexandre Dulaunoy"
% abbrev="CIRCL"
% organization = "Computer Incident Response Center Luxembourg"
% [author.address]
% email = "alexandre.dulaunoy@circl.lu"
% phone = "+352 247 88444"
% [author.address.postal]
% street = "16, bd d'Avranches"
% city = "Luxembourg"
% code = "L-1611"
% country = "Luxembourg"
% [[author]]
% initials="A."
% surname="Iklody"
% fullname="Andras Iklody"
% abbrev="CIRCL"
% organization = "Computer Incident Response Center Luxembourg"
% [author.address]
% email = "andras.iklody@circl.lu"
% phone = "+352 247 88444"
% [author.address.postal]
% street = " 16, bd d'Avranches"
% city = "Luxembourg"
% code = "L-1611"
% country = "Luxembourg"
%%%
Title = "MISP object template format"
abbrev = "MISP object template format"
category = "info"
docName = "draft-dulaunoy-misp-object-template-format"
ipr= "trust200902"
area = "Security"
date = 2018-04-10T00:00:00Z
[[author]]
initials="A."
surname="Dulaunoy"
fullname="Alexandre Dulaunoy"
abbrev="CIRCL"
organization = "Computer Incident Response Center Luxembourg"
[author.address]
email = "alexandre.dulaunoy@circl.lu"
phone = "+352 247 88444"
[author.address.postal]
street = "16, bd d'Avranches"
city = "Luxembourg"
code = "L-1611"
country = "Luxembourg"
[[author]]
initials="A."
surname="Iklody"
fullname="Andras Iklody"
abbrev="CIRCL"
organization = "Computer Incident Response Center Luxembourg"
[author.address]
email = "andras.iklody@circl.lu"
phone = "+352 247 88444"
[author.address.postal]
street = " 16, bd d'Avranches"
city = "Luxembourg"
code = "L-1611"
country = "Luxembourg"
%%%
.# Abstract
@ -67,7 +69,7 @@ MISP object template elements consist of an object\_relation (**MUST**), a type
## Overview
The MISP object template format uses the JSON [@!RFC4627] format. Each template is represented as a JSON object with meta information including the following fields: uuid, requiredOneOf, description, version, meta-category, name.
The MISP object template format uses the JSON [@!RFC8259] format. Each template is represented as a JSON object with meta information including the following fields: uuid, requiredOneOf, description, version, meta-category, name.
### Object Template
@ -313,7 +315,137 @@ format is represented by a JSON list containing a list of formats that the relat
The MISP object template directory is publicly available [@?MISP-O] in a git repository. The repository contains an objects directory, which contains a directory per object type, containing a file named definition.json which contains the definition of the object template in the above described format.
A relationships directory is also included, containing a definition.json file which contains a list of MISP object relation definitions. There are more than 90 existing templates object documented in [@?MISP-O-DOC].
A relationships directory is also included, containing a definition.json file which contains a list of MISP object relation definitions. There are more than 125 existing templates object documented in [@?MISP-O-DOC].
## Existing and public MISP object templates
- tsk-chats - An Object Template to gather information from evidential or interesting exchange of messages identified during a digital forensic investigation.
- tsk-web-bookmark - An Object Template to add evidential bookmarks identified during a digital forensic investigation.
- tsk-web-cookie - An TSK-Autopsy Object Template to represent cookies identified during a forensic investigation.
- tsk-web-downloads - An Object Template to add web-downloads.
- tsk-web-history - An Object Template to share web history information.
- tsk-web-search-query - An Object Template to share web search query information.
- ail-leak - An information leak as defined by the AIL Analysis Information Leak framework.
- ais-info - Automated Indicator Sharing (AIS) Information Source Markings.
- android-permission - A set of android permissions - one or more permission(s) which can be linked to other objects (e.g. malware, app).
- annotation - An annotation object allowing analysts to add annotations, comments, executive summary to a MISP event, objects or attributes.
- anonymisation - Anonymisation object describing an anonymisation technique used to encode MISP attribute values. Reference: https://www.caida.org/tools/taxonomy/anonymization.xml.
- asn - Autonomous system object describing an autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.
- authenticode-signerinfo - Authenticode Signer Info.
- av-signature - Antivirus detection signature.
- bank-account - An object describing bank account information based on account description from goAML 4.0.
- bgp-hijack - Object encapsulating BGP Hijack description as specified, for example, by bgpstream.com.
- cap-alert - Common Alerting Protocol Version (CAP) alert object.
- cap-info - Common Alerting Protocol Version (CAP) info object.
- cap-resource - Common Alerting Protocol Version (CAP) resource object.
- coin-address - An address used in a cryptocurrency.
- cookie - An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with the next request to the same server. Typically, it's used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol. (as defined by the Mozilla foundation.
- cortex - Cortex object describing a complete cortex analysis. Observables would be attribute with a relationship from this object.
- cortex-taxonomy - Cortex object describing an Cortex Taxonomy (or mini report).
- course-of-action - An object describing a specific measure taken to prevent or respond to an attack.
- cowrie - Cowrie honeypot object template.
- credential - Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s).
- credit-card - A payment card like credit card, debit card or any similar cards which can be used for financial transactions.
- ddos - DDoS object describes a current DDoS activity from a specific or/and to a specific target. Type of DDoS can be attached to the object as a taxonomy.
- device - An object to define a device.
- diameter-attack - Attack as seen on diameter authentication against a GSM, UMTS or LTE network.
- domain-ip - A domain and IP address seen as a tuple in a specific time frame.
- elf - Object describing a Executable and Linkable Format.
- elf-section - Object describing a section of an Executable and Linkable Format.
- email - Email object describing an email with meta-information.
- exploit-poc - Exploit-poc object describing a proof of concept or exploit of a vulnerability. This object has often a relationship with a vulnerability object.
- facial-composite - An object which describes a facial composite.
- fail2ban - Fail2ban event.
- file - File object describing a file with meta-information.
- forensic-case - An object template to describe a digital forensic case.
- forensic-evidence - An object template to describe a digital forensic evidence.
- geolocation - An object to describe a geographic location.
- gtp-attack - GTP attack object as seen on a GSM, UMTS or LTE network.
- http-request - A single HTTP request header.
- ilr-impact - Institut Luxembourgeois de Regulation - Impact.
- ilr-notification-incident - Institut Luxembourgeois de Regulation - Notification d'incident.
- internal-reference - Internal reference.
- interpol-notice - An object which describes a Interpol notice.
- ip-api-address - IP Address information. Useful if you are pulling your ip information from ip-api.com.
- ip-port - An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.
- irc - An IRC object to describe an IRC server and the associated channels.
- ja3 - JA3 is a new technique for creating SSL client fingerprints that are easy to produce and can be easily shared for threat intelligence. Fingerprints are composed of Client Hello packet; SSL Version, Accepted Ciphers, List of Extensions, Elliptic Curves, and Elliptic Curve Formats. https://github.com/salesforce/ja3.
- legal-entity - An object to describe a legal entity.
- lnk - LNK object describing a Windows LNK binary file (aka Windows shortcut).
- macho - Object describing a file in Mach-O format.
- macho-section - Object describing a section of a file in Mach-O format.
- mactime-timeline-analysis - Mactime template, used in forensic investigations to describe the timeline of a file activity.
- malware-config - Malware configuration recovered or extracted from a malicious binary.
- microblog - Microblog post like a Twitter tweet or a post on a Facebook wall.
- mutex - Object to describe mutual exclusion locks (mutex) as seen in memory or computer program.
- netflow - Netflow object describes an network object based on the Netflowv5/v9 minimal definition.
- network-connection - A local or remote network connection.
- network-socket - Network socket object describes a local or remote network connections based on the socket data structure.
- misc - An object which describes an organization.
- original-imported-file - Object describing the original file used to import data in MISP.
- passive-dns - Passive DNS records as expressed in draft-dulaunoy-dnsop-passive-dns-cof-01.
- paste - Paste or similar post from a website allowing to share privately or publicly posts.
- pcap-metadata - Network packet capture metadata.
- pe - Object describing a Portable Executable.
- pe-section - Object describing a section of a Portable Executable.
- person - An object which describes a person or an identity.
- phishing - Phishing template to describe a phishing website and its analysis.
- phishing-kit - Object to describe a phishing-kit.
- phone - A phone or mobile phone object which describe a phone.
- process - Object describing a system process.
- python-etvx-event-log - Event log object template to share information of the activities conducted on a system. .
- r2graphity - Indicators extracted from files using radare2 and graphml.
- regexp - An object describing a regular expression (regex or regexp). The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a regular expression.
- registry-key - Registry key object describing a Windows registry key with value and last-modified timestamp.
- regripper-NTUser - Regripper Object template designed to present user specific configuration details extracted from the NTUSER.dat hive.
- regripper-sam-hive-single-user - Regripper Object template designed to present user profile details extracted from the SAM hive.
- regripper-sam-hive-user-group - Regripper Object template designed to present group profile details extracted from the SAM hive.
- regripper-software-hive-BHO - Regripper Object template designed to gather information of the browser helper objects installed on the system.
- regripper-software-hive-appInit-DLLS - Regripper Object template designed to gather information of the DLL files installed on the system.
- regripper-software-hive-application-paths - Regripper Object template designed to gather information of the application paths.
- regripper-software-hive-applications-installed - Regripper Object template designed to gather information of the applications installed on the system.
- regripper-software-hive-command-shell - Regripper Object template designed to gather information of the shell commands executed on the system.
- regripper-software-hive-windows-general-info - Regripper Object template designed to gather general windows information extracted from the software-hive.
- regripper-software-hive-software-run - Regripper Object template designed to gather information of the applications set to run on the system.
- regripper-software-hive-userprofile-winlogon - Regripper Object template designed to gather user profile information when the user logs onto the system, gathered from the software hive.
- regripper-system-hive-firewall-configuration - Regripper Object template designed to present firewall configuration information extracted from the system-hive.
- regripper-system-hive-general-configuration - Regripper Object template designed to present general system properties extracted from the system-hive.
- regripper-system-hive-network-information. - Regripper object template designed to gather network information from the system-hive.
- regripper-system-hive-services-drivers - Regripper Object template designed to gather information regarding the services/drivers from the system-hive.
- report - Metadata used to generate an executive level report.
- research-scanner - Information related to known scanning activity (e.g. from research projects).
- rogue-dns - Rogue DNS as defined by CERT.br.
- rtir - RTIR - Request Tracker for Incident Response.
- sandbox-report - Sandbox report.
- sb-signature - Sandbox detection signature.
- script - Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts.
- shell-commands - Object describing a series of shell commands executed. This object can be linked with malicious files in order to describe a specific execution of shell commands.
- short-message-service - Short Message Service (SMS) object template describing one or more SMS message. Restriction of the initial format 3GPP 23.038 GSM character set doesn't apply.
- shortened-link - Shortened link and its redirect target.
- splunk - Splunk / Splunk ES object.
- ss7-attack - SS7 object of an attack seen on a GSM, UMTS or LTE network via SS7 logging.
- ssh-authorized-keys - An object to store ssh authorized keys file.
- stix2-pattern - An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern.
- suricata - An object describing one or more Suricata rule(s) along with version and contextual information.
- target-system - Description about an targeted system, this could potentially be a compromissed internal system.
- threatgrid-report - ThreatGrid report.
- timecode - Timecode object to describe a start of video sequence (e.g. CCTV evidence) and the end of the video sequence.
- timesketch-timeline - A timesketch timeline object based on mandatory field in timesketch to describe a log entry.
- timesketch_message - A timesketch message entry.
- timestamp - A generic timestamp object to represent time including first time and last time seen. Relationship will then define the kind of time relationship.
- tor-hiddenservice - Tor hidden service (onion service) object.
- tor-node - Tor node (which protects your privacy on the internet by hiding the connection between users Internet address and the services used by the users) description which are part of the Tor network at a time.
- tracking-id - Analytics and tracking ID such as used in Google Analytics or other analytic platform.
- transaction - An object to describe a financial transaction.
- url - url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.
- vehicle - Vehicle object template to describe a vehicle information and registration.
- victim - Victim object describes the target of an attack or abuse.
- virustotal-report - VirusTotal report.
- vulnerability - Vulnerability object describing a common vulnerability enumeration which can describe published, unpublished, under review or embargo vulnerability for software, equipments or hardware.
- whois - Whois records information for a domain name or an IP address.
- x509 - x509 object describing a X.509 certificate.
- yabin - yabin.py generates Yara rules from function prologs, for matching and hunting binaries. ref: https://github.com/AlienVault-OTX/yabin.
- yara - An object describing a YARA rule along with its version.
# Acknowledgements

@ -27,7 +27,7 @@ Status of This Memo
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
@ -43,7 +43,7 @@ Copyright Notice
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
@ -69,11 +69,12 @@ Table of Contents
2.1.3. Sample Object Template object . . . . . . . . . . . . 6
2.1.4. Object Relationships . . . . . . . . . . . . . . . . 9
3. Directory . . . . . . . . . . . . . . . . . . . . . . . . . . 10
4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 10
5. References . . . . . . . . . . . . . . . . . . . . . . . . . 10
5.1. Normative References . . . . . . . . . . . . . . . . . . 10
5.2. Informative References . . . . . . . . . . . . . . . . . 10
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11
3.1. Existing and public MISP object templates . . . . . . . . 10
4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 18
5. References . . . . . . . . . . . . . . . . . . . . . . . . . 18
5.1. Normative References . . . . . . . . . . . . . . . . . . 18
5.2. Informative References . . . . . . . . . . . . . . . . . 18
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19
1. Introduction
@ -108,7 +109,6 @@ Table of Contents
Dulaunoy & Iklody Expires October 12, 2018 [Page 2]
Internet-Draft MISP object template format April 2018
@ -123,18 +123,20 @@ Internet-Draft MISP object template format April 2018
MISP object templates themselves consist of a name (MUST), a meta-
category (MUST) and a description (SHOULD). They are identified by a
uuid (MUST) and a version (MUST). The list of requirements when it
comes to the contained MISP object template elements is defined in
the requirements field (OPTIONAL).
MISP object template elements consist of an object_relation (MUST) a
type (MUST) an object_template_id (SHOULD) a ui_priority (SHOULD) a
list of categories (MAY), a list of sane_default values (MAY) or a
uuid (MUST) and a version (MUST). For any updates or transfer of the
same object reference. UUID version 4 is RECOMMENDED when assigning
it to a new object reference. The list of requirements when it comes
to the contained MISP object template elements is defined in the
requirements field (OPTIONAL).
MISP object template elements consist of an object_relation (MUST), a
type (MUST), an object_template_id (SHOULD), a ui_priority (SHOULD),
a list of categories (MAY), a list of sane_default values (MAY) or a
values_list (MAY).
2.1. Overview
The MISP object template format uses the JSON [RFC4627] format. Each
The MISP object template format uses the JSON [RFC8259] format. Each
template is represented as a JSON object with meta information
including the following fields: uuid, requiredOneOf, description,
version, meta-category, name.
@ -157,10 +159,8 @@ Internet-Draft MISP object template format April 2018
be created based on the given template. The requiredOneOf field MAY
be present.
2.1.1.3. required
required is represented as a JSON list and contains a list of
attribute relationships of which all must be present in the object to
@ -170,6 +170,10 @@ Dulaunoy & Iklody Expires October 12, 2018 [Page 3]
Internet-Draft MISP object template format April 2018
2.1.1.3. required
required is represented as a JSON list and contains a list of
attribute relationships of which all must be present in the object to
be created based on the given template. The required field MAY be
present.
@ -195,7 +199,7 @@ Internet-Draft MISP object template format April 2018
list of options but can be created on the fly.
meta-category is represented as a JSON string. meta-category MUST be
present
present.
2.1.1.7. name
@ -212,11 +216,7 @@ Internet-Draft MISP object template format April 2018
attributes is represented as a JSON list. attributes MUST be present.
2.1.2.1. description
description is represented as a JSON string and contains the
description of the given attribute in the context of the object with
the given relationship. The description field MUST be present.
@ -226,6 +226,12 @@ Dulaunoy & Iklody Expires October 12, 2018 [Page 4]
Internet-Draft MISP object template format April 2018
2.1.2.1. description
description is represented as a JSON string and contains the
description of the given attribute in the context of the object with
the given relationship. The description field MUST be present.
2.1.2.2. ui-priority
ui-priority is represented by a numeric values in JSON string format
@ -268,12 +274,6 @@ Internet-Draft MISP object template format April 2018
The multiple field MAY be present.
2.1.2.7. sane_default
sane_default is represented by a JSON list containing one or several
recommended/sane values for an attribute. sane_default is mutually
exclusive with values_list.
@ -282,6 +282,12 @@ Dulaunoy & Iklody Expires October 12, 2018 [Page 5]
Internet-Draft MISP object template format April 2018
2.1.2.7. sane_default
sane_default is represented by a JSON list containing one or several
recommended/sane values for an attribute. sane_default is mutually
exclusive with values_list.
The sane_default field MAY be present.
2.1.2.8. values_list
@ -313,12 +319,6 @@ Internet-Draft MISP object template format April 2018
@ -522,7 +522,453 @@ Internet-Draft MISP object template format April 2018
A relationships directory is also included, containing a
definition.json file which contains a list of MISP object relation
definitions
definitions. There are more than 125 existing templates object
documented in [MISP-O-DOC].
3.1. Existing and public MISP object templates
o tsk-chats - An Object Template to gather information from
evidential or interesting exchange of messages identified during a