MISP
/
misp-rfc
mirror of https://github.com/MISP/misp-rfc
2
0
Fork 0
Code Issues Releases Wiki Activity

manifold is now the consensus

pull/34/head
Sebastien Tricaud 2020-04-12 20:44:34 -07:00
parent 4c7dc6015e
commit 0ea2db5801
1 changed files with 8 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
sightingdb-format/raw.md.txt
View File

@ -96,8 +96,8 @@ Table of Contents
The SightingDB format is in JSON [RFC8259] format and used to query a The SightingDB format is in JSON [RFC8259] format and used to query a
SightingDB compatible connector. In SightingDB, a Sighting Object is SightingDB compatible connector. In SightingDB, a Sighting Object is
composed of a single JSON object. This object contains the following composed of a single JSON object. This object contains the following
fields: value, first_seen, last_seen, count, tags, ttl, frequency and fields: value, first_seen, last_seen, count, tags, ttl and consensus.
manifold.
2.1.1. Attribute Storage 2.1.1. Attribute Storage
@ -128,7 +128,7 @@ Internet-Draft SightingDB query format November 2019
that expired, preserving the origin namespace _shadow/: When a value that expired, preserving the origin namespace _shadow/: When a value
is searched and does not exists, it is stored there _stats: is searched and does not exists, it is stored there _stats:
Statistics _config: Configuration _all: All the Attributes in one Statistics _config: Configuration _all: All the Attributes in one
place, used to retrieve the 'manifold' property. place, used to retrieve the 'consensus' property.
The Attribute Key MUST always be the last part of the Namespace. The Attribute Key MUST always be the last part of the Namespace.
@ -182,8 +182,8 @@ Internet-Draft SightingDB query format November 2019
2.1.3.6. ttl 2.1.3.6. ttl
Time To Live, represents the expiration in seconds since the time the Time To Live, represents the expiration in seconds since the time the
Attribute was created. Once it has expired, it moves in the private Attribute was created (first_seen). Once it has expired, it moves in
Namespace _expired. the private Namespace _expired.
When an Attribute has this field set to 0, it means it is not set to When an Attribute has this field set to 0, it means it is not set to
expired. This is the default behavior. expired. This is the default behavior.
@ -191,16 +191,10 @@ Internet-Draft SightingDB query format November 2019
When an Attribute has this field set to a number greater than 0, the When an Attribute has this field set to a number greater than 0, the
expiration status is computed only at retrieval time. expiration status is computed only at retrieval time.
2.1.3.7. frequency 2.1.3.8. consensus
Frequency is the number of time an Attribute is seen in average per
day. As this field can introduced latence, its implementation is
OPTIONAL.
2.1.3.8. manifold
When a given Attribute Value is stored in different namespaces, the When a given Attribute Value is stored in different namespaces, the
manifold field keeps track of them so it returns in how many consensus field keeps track of them so it returns in how many
different places this attributes exists. This is a simple counter. different places this attributes exists. This is a simple counter.
2.2. SightingDB Format - One Attribute 2.2. SightingDB Format - One Attribute
@ -213,7 +207,7 @@ Internet-Draft SightingDB query format November 2019
"tags":"", "tags":"",
"ttl":0, "ttl":0,
"frequency":1185, "frequency":1185,
"manifold": 17 "consensus": 17
} }