MISP
/
misp-rfc
mirror of https://github.com/MISP/misp-rfc
2
0
Fork 0
Code Issues Releases Wiki Activity

txt export committed

pull/13/head
Alexandre Dulaunoy 2018-04-10 10:50:10 +02:00
parent fd568ff71f
commit 14b9e26240
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
1 changed files with 206 additions and 206 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

412
misp-core-format/raw.md.txt
View File

@ -5,7 +5,7 @@
Network Working Group A. Dulaunoy
Internet-Draft A. Iklody
Intended status: Informational CIRCL
Expires: August 13, 2018 February 9, 2018
Expires: October 12, 2018 April 10, 2018
MISP core format
@ -37,7 +37,7 @@ Status of This Memo
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 13, 2018.
This Internet-Draft will expire on October 12, 2018.
Copyright Notice
@ -53,9 +53,9 @@ Copyright Notice
Dulaunoy & Iklody Expires August 13, 2018 [Page 1]
Dulaunoy & Iklody Expires October 12, 2018 [Page 1]
Internet-Draft MISP core format February 2018
Internet-Draft MISP core format April 2018
include Simplified BSD License text as described in Section 4.e of
@ -72,12 +72,12 @@ Table of Contents
2.2.1. Event Attributes . . . . . . . . . . . . . . . . . . 3
2.3. Objects . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.3.1. Org . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.3.2. Orgc . . . . . . . . . . . . . . . . . . . . . . . . 7
2.3.2. Orgc . . . . . . . . . . . . . . . . . . . . . . . . 8
2.4. Attribute . . . . . . . . . . . . . . . . . . . . . . . . 8
2.4.1. Sample Attribute Object . . . . . . . . . . . . . . . 8
2.4.2. Attribute Attributes . . . . . . . . . . . . . . . . 8
2.4.2. Attribute Attributes . . . . . . . . . . . . . . . . 9
2.5. ShadowAttribute . . . . . . . . . . . . . . . . . . . . . 14
2.5.1. Sample Attribute Object . . . . . . . . . . . . . . . 14
2.5.1. Sample Attribute Object . . . . . . . . . . . . . . . 15
2.5.2. ShadowAttribute Attributes . . . . . . . . . . . . . 15
2.5.3. Org . . . . . . . . . . . . . . . . . . . . . . . . . 20
2.6. Object . . . . . . . . . . . . . . . . . . . . . . . . . 21
@ -109,9 +109,9 @@ Table of Contents
Dulaunoy & Iklody Expires August 13, 2018 [Page 2]
Dulaunoy & Iklody Expires October 12, 2018 [Page 2]
Internet-Draft MISP core format February 2018
Internet-Draft MISP core format April 2018
1. Introduction
@ -165,9 +165,9 @@ Internet-Draft MISP core format February 2018
Dulaunoy & Iklody Expires August 13, 2018 [Page 3]
Dulaunoy & Iklody Expires October 12, 2018 [Page 3]
Internet-Draft MISP core format February 2018
Internet-Draft MISP core format April 2018
2.2.1.2. id
@ -221,9 +221,9 @@ Internet-Draft MISP core format February 2018
Dulaunoy & Iklody Expires August 13, 2018 [Page 4]
Dulaunoy & Iklody Expires October 12, 2018 [Page 4]
Internet-Draft MISP core format February 2018
Internet-Draft MISP core format April 2018
2.2.1.6. analysis
@ -277,9 +277,9 @@ Internet-Draft MISP core format February 2018
Dulaunoy & Iklody Expires August 13, 2018 [Page 5]
Dulaunoy & Iklody Expires October 12, 2018 [Page 5]
Internet-Draft MISP core format February 2018
Internet-Draft MISP core format April 2018
2.2.1.10. org_id
@ -333,9 +333,9 @@ Internet-Draft MISP core format February 2018
Dulaunoy & Iklody Expires August 13, 2018 [Page 6]
Dulaunoy & Iklody Expires October 12, 2018 [Page 6]
Internet-Draft MISP core format February 2018
Internet-Draft MISP core format April 2018
All Communities
@ -354,6 +354,15 @@ Internet-Draft MISP core format February 2018
present. If a distribution level other than "4" is chosen the
sharing_group_id MUST be set to "0".
2.2.1.15. extends_uuid
extends_uuid represents which event is extended by this event. The
extend_uuid is described as an Universally Unique IDentifier (UUID)
[RFC4122] with the UUID of the extended event.
extends_uuid is represented as a JSON string. extends_uuid SHOULD be
present.
2.3. Objects
2.3.1. Org
@ -374,6 +383,17 @@ Internet-Draft MISP core format February 2018
2.3.1.1. Sample Org Object
Dulaunoy & Iklody Expires October 12, 2018 [Page 7]
Internet-Draft MISP core format April 2018
"Org": {
"id": "2",
"name": "CIRCL",
@ -386,14 +406,6 @@ Internet-Draft MISP core format February 2018
The uuid MUST be preserved for any updates or transfer of the same
event. UUID version 4 is RECOMMENDED when assigning it to a new
Dulaunoy & Iklody Expires August 13, 2018 [Page 7]
Internet-Draft MISP core format February 2018
event. The organisation UUID is globally assigned to an organisation
and SHALL be kept overtime.
@ -418,6 +430,26 @@ Internet-Draft MISP core format February 2018
2.4.1. Sample Attribute Object
Dulaunoy & Iklody Expires October 12, 2018 [Page 8]
Internet-Draft MISP core format April 2018
"Attribute": {
"id": "346056",
"type": "comment",
@ -438,18 +470,6 @@ Internet-Draft MISP core format February 2018
2.4.2. Attribute Attributes
Dulaunoy & Iklody Expires August 13, 2018 [Page 8]
Internet-Draft MISP core format February 2018
2.4.2.1. uuid
uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of
@ -478,6 +498,14 @@ Internet-Draft MISP core format February 2018
category-type combinations is as follows:
Internal reference
Dulaunoy & Iklody Expires October 12, 2018 [Page 9]
Internet-Draft MISP core format April 2018
text, link, comment, other, hex
Targeting data
@ -498,14 +526,6 @@ Internet-Draft MISP core format February 2018
email-dst, email-subject, email-attachment, url, user-agent, AS,
pattern-in-file, pattern-in-traffic, yara, attachment, malware-
sample, link, malware-type, mime-type, comment, text,
Dulaunoy & Iklody Expires August 13, 2018 [Page 9]
Internet-Draft MISP core format February 2018
vulnerability, x509-fingerprint-sha1, other, ip-dst|port, ip-
src|port, hostname|port, email-dst-display-name, email-src-
display-name, email-header, email-reply-to, email-x-mailer, email-
@ -534,6 +554,14 @@ Internet-Draft MISP core format February 2018
filename|tlsh, filename|imphash, filename|pehash, pattern-in-file,
mime-type, pattern-in-traffic, pattern-in-memory, yara,
stix2-pattern, vulnerability, attachment, malware-sample, malware-
Dulaunoy & Iklody Expires October 12, 2018 [Page 10]
Internet-Draft MISP core format April 2018
type, comment, text, hex, x509-fingerprint-sha1, mobile-
application-id, other
@ -554,14 +582,6 @@ Internet-Draft MISP core format February 2018
whois-registrant-email, whois-registrant-name, whois-registrar,
whois-creation-date, comment, text, x509-fingerprint-sha1, other
Dulaunoy & Iklody Expires August 13, 2018 [Page 10]
Internet-Draft MISP core format February 2018
External analysis
md5, sha1, sha256, filename, filename|md5, filename|sha1,
filename|sha256, ip-src, ip-dst, hostname, domain, domain|ip, url,
@ -591,6 +611,13 @@ Internet-Draft MISP core format February 2018
of-onward-foreign-destination, passenger-name-record-locator-
number, comment, text, other, phone-number, identity-card-number
Dulaunoy & Iklody Expires October 12, 2018 [Page 11]
Internet-Draft MISP core format April 2018
Other
comment, text, other, size-in-bytes, counter, datetime, cpe, port,
float, hex, phone-number
@ -609,15 +636,6 @@ Internet-Draft MISP core format February 2018
and it MUST be a valid selection for the chosen type. The list of
valid category-type combinations is mentioned above.
Dulaunoy & Iklody Expires August 13, 2018 [Page 11]
Internet-Draft MISP core format February 2018
2.4.2.5. to_ids
to_ids represents whether the attribute is meant to be actionable.
@ -648,6 +666,14 @@ Internet-Draft MISP core format February 2018
present and be one of the following options:
0
Dulaunoy & Iklody Expires October 12, 2018 [Page 12]
Internet-Draft MISP core format April 2018
Your Organisation Only
1
@ -665,15 +691,6 @@ Internet-Draft MISP core format February 2018
5
Inherit Event
Dulaunoy & Iklody Expires August 13, 2018 [Page 12]
Internet-Draft MISP core format February 2018
2.4.2.8. timestamp
timestamp represents a reference time when the attribute was created
@ -705,6 +722,14 @@ Internet-Draft MISP core format February 2018
Revoked attributes are not actionable and exist merely to inform
other instances of a revocation.
Dulaunoy & Iklody Expires October 12, 2018 [Page 13]
Internet-Draft MISP core format April 2018
deleted is represented by a JSON boolean. deleted MUST be present.
2.4.2.12. data
@ -722,14 +747,6 @@ Internet-Draft MISP core format February 2018
RelatedAttribute is an array of attributes correlating with the
current attribute. Each element in the array represents an JSON
object which contains an Attribute dictionnary with the external
Dulaunoy & Iklody Expires August 13, 2018 [Page 13]
Internet-Draft MISP core format February 2018
attributes who correlate. Each Attribute MUST include the id,
org_id, info and a value. Only the correlations found on the local
instance are shown in RelatedAttribute.
@ -761,6 +778,14 @@ Internet-Draft MISP core format February 2018
ShadowAttributes are 3rd party created attributes that either propose
to add new information to an event or modify existing information.
They are not meant to be actionable until the event creator accepts
Dulaunoy & Iklody Expires October 12, 2018 [Page 14]
Internet-Draft MISP core format April 2018
them - at which point they will be converted into attributes or
modify an existing attribute.
@ -770,22 +795,6 @@ Internet-Draft MISP core format February 2018
2.5.1. Sample Attribute Object
Dulaunoy & Iklody Expires August 13, 2018 [Page 14]
Internet-Draft MISP core format February 2018
"ShadowAttribute": {
"id": "8",
"type": "ip-src",
@ -825,6 +834,14 @@ Internet-Draft MISP core format February 2018
represented as an unsigned integer. id is represented as a JSON
string. id SHALL be present.
Dulaunoy & Iklody Expires October 12, 2018 [Page 15]
Internet-Draft MISP core format April 2018
2.5.2.3. type
type represents the means through which an attribute tries to
@ -835,13 +852,6 @@ Internet-Draft MISP core format February 2018
MUST be a valid selection for the chosen category. The list of valid
category-type combinations is as follows:
Dulaunoy & Iklody Expires August 13, 2018 [Page 15]
Internet-Draft MISP core format February 2018
Internal reference
text, link, comment, other, hex
@ -879,6 +889,15 @@ Internet-Draft MISP core format February 2018
regkey|value, pattern-in-file, pattern-in-memory, pdb, yara,
sigma, gene, stix2-pattern, attachment, malware-sample, mime-type,
named pipe, mutex, windows-scheduled-task, windows-service-name,
Dulaunoy & Iklody Expires October 12, 2018 [Page 16]
Internet-Draft MISP core format April 2018
windows-service-displayname, comment, text, hex, x509-fingerprint-
sha1, other
@ -890,14 +909,6 @@ Internet-Draft MISP core format February 2018
filename|sha512/256, filename|authentihash, filename|ssdeep,
filename|tlsh, filename|imphash, filename|pehash, mime-type,
pattern-in-file, pattern-in-traffic, pattern-in-memory, yara,
Dulaunoy & Iklody Expires August 13, 2018 [Page 16]
Internet-Draft MISP core format February 2018
stix2-pattern, vulnerability, attachment, malware-sample, malware-
type, comment, text, hex, x509-fingerprint-sha1, mobile-
application-id, other
@ -935,6 +946,14 @@ Internet-Draft MISP core format February 2018
Support tool
attachment, link, comment, text, other, hex
Dulaunoy & Iklody Expires October 12, 2018 [Page 17]
Internet-Draft MISP core format April 2018
Social network
github-username, github-repository, github-organisation, jabber-
id, twitter-id, email-src, email-dst, comment, text, other
@ -946,14 +965,6 @@ Internet-Draft MISP core format February 2018
primary-residence, country-of-residence, special-service-request,
frequent-flyer-number, travel-details, payment-details, place-
port-of-original-embarkation, place-port-of-clearance, place-port-
Dulaunoy & Iklody Expires August 13, 2018 [Page 17]
Internet-Draft MISP core format February 2018
of-onward-foreign-destination, passenger-name-record-locator-
number, comment, text, other, phone-number, identity-card-number
@ -990,6 +1001,15 @@ Internet-Draft MISP core format February 2018
event_id represents a human-readable identifier referencing the Event
object that the ShadowAttribute belongs to.
Dulaunoy & Iklody Expires October 12, 2018 [Page 18]
Internet-Draft MISP core format April 2018
The event_id SHOULD be updated when the event is imported to reflect
the newly created event's id on the instance.
@ -1001,15 +1021,6 @@ Internet-Draft MISP core format February 2018
Attribute object that the ShadowAttribute belongs to. A
ShadowAttribute can this way target an existing Attribute, implying
that it is a proposal to modify an existing Attribute, or
Dulaunoy & Iklody Expires August 13, 2018 [Page 18]
Internet-Draft MISP core format February 2018
alternatively it can be a proposal to create a new Attribute for the
containing Event.
@ -1046,6 +1057,15 @@ Internet-Draft MISP core format February 2018
org_id is represented by a JSON string and MUST be present.
Dulaunoy & Iklody Expires October 12, 2018 [Page 19]
Internet-Draft MISP core format April 2018
2.5.2.11. proposal_to_delete
proposal_to_delete is a boolean flag that sets whether the shadow
@ -1058,14 +1078,6 @@ Internet-Draft MISP core format February 2018
proposal_to_delete is a JSON boolean and it MUST be present. If
proposal_to_delete is set to true, old_id MUST NOT be 0.
Dulaunoy & Iklody Expires August 13, 2018 [Page 19]
Internet-Draft MISP core format February 2018
2.5.2.12. deleted
deleted represents a setting that allows shadow attributes to be
@ -1100,6 +1112,16 @@ Internet-Draft MISP core format February 2018
uuid, name and id are represented as a JSON string. uuid, name and id
MUST be present.
Dulaunoy & Iklody Expires October 12, 2018 [Page 20]
Internet-Draft MISP core format April 2018
2.5.3.1. Sample Org Object
"Org": {
@ -1115,13 +1137,6 @@ Internet-Draft MISP core format February 2018
value is represented by a JSON string. value MUST be present.
Dulaunoy & Iklody Expires August 13, 2018 [Page 20]
Internet-Draft MISP core format February 2018
2.6. Object
Objects serve as a contextual bond between a list of attributes
@ -1158,24 +1173,9 @@ Internet-Draft MISP core format February 2018
Dulaunoy & Iklody Expires October 12, 2018 [Page 21]
Dulaunoy & Iklody Expires August 13, 2018 [Page 21]
Internet-Draft MISP core format February 2018
Internet-Draft MISP core format April 2018
"Object": {
@ -1229,9 +1229,9 @@ Internet-Draft MISP core format February 2018
Dulaunoy & Iklody Expires August 13, 2018 [Page 22]
Dulaunoy & Iklody Expires October 12, 2018 [Page 22]
Internet-Draft MISP core format February 2018
Internet-Draft MISP core format April 2018
2.6.2.2. id
@ -1285,9 +1285,9 @@ Internet-Draft MISP core format February 2018
Dulaunoy & Iklody Expires August 13, 2018 [Page 23]
Dulaunoy & Iklody Expires October 12, 2018 [Page 23]
Internet-Draft MISP core format February 2018
Internet-Draft MISP core format April 2018
2.6.2.8. event_id
@ -1341,9 +1341,9 @@ Internet-Draft MISP core format February 2018
Dulaunoy & Iklody Expires August 13, 2018 [Page 24]
Dulaunoy & Iklody Expires October 12, 2018 [Page 24]
Internet-Draft MISP core format February 2018
Internet-Draft MISP core format April 2018
sharing_group_id is represented by a JSON string and SHOULD be
@ -1397,9 +1397,9 @@ Internet-Draft MISP core format February 2018
Dulaunoy & Iklody Expires August 13, 2018 [Page 25]
Dulaunoy & Iklody Expires October 12, 2018 [Page 25]
Internet-Draft MISP core format February 2018
Internet-Draft MISP core format April 2018
"ObjectReference": {
@ -1453,9 +1453,9 @@ Internet-Draft MISP core format February 2018
Dulaunoy & Iklody Expires August 13, 2018 [Page 26]
Dulaunoy & Iklody Expires October 12, 2018 [Page 26]
Internet-Draft MISP core format February 2018
Internet-Draft MISP core format April 2018
2.7.2.5. event_id
@ -1509,9 +1509,9 @@ Internet-Draft MISP core format February 2018
Dulaunoy & Iklody Expires August 13, 2018 [Page 27]
Dulaunoy & Iklody Expires October 12, 2018 [Page 27]
Internet-Draft MISP core format February 2018
Internet-Draft MISP core format April 2018
2.7.2.11. object_uuid
@ -1565,9 +1565,9 @@ Internet-Draft MISP core format February 2018
Dulaunoy & Iklody Expires August 13, 2018 [Page 28]
Dulaunoy & Iklody Expires October 12, 2018 [Page 28]
Internet-Draft MISP core format February 2018
Internet-Draft MISP core format April 2018
element describes one singular instance of a sighting. A sighting
@ -1621,9 +1621,9 @@ Internet-Draft MISP core format February 2018
Dulaunoy & Iklody Expires August 13, 2018 [Page 29]
Dulaunoy & Iklody Expires October 12, 2018 [Page 29]
Internet-Draft MISP core format February 2018
Internet-Draft MISP core format April 2018
2.9.1. Sample Sighting
@ -1677,9 +1677,9 @@ Internet-Draft MISP core format February 2018
Dulaunoy & Iklody Expires August 13, 2018 [Page 30]
Dulaunoy & Iklody Expires October 12, 2018 [Page 30]
Internet-Draft MISP core format February 2018
Internet-Draft MISP core format April 2018
"Galaxy": [ {
@ -1733,9 +1733,9 @@ Internet-Draft MISP core format February 2018
Dulaunoy & Iklody Expires August 13, 2018 [Page 31]
Dulaunoy & Iklody Expires October 12, 2018 [Page 31]
Internet-Draft MISP core format February 2018
Internet-Draft MISP core format April 2018
3. JSON Schema
@ -1789,9 +1789,9 @@ Internet-Draft MISP core format February 2018
Dulaunoy & Iklody Expires August 13, 2018 [Page 32]
Dulaunoy & Iklody Expires October 12, 2018 [Page 32]
Internet-Draft MISP core format February 2018
Internet-Draft MISP core format April 2018
"type": "object",
@ -1845,9 +1845,9 @@ Internet-Draft MISP core format February 2018
Dulaunoy & Iklody Expires August 13, 2018 [Page 33]
Dulaunoy & Iklody Expires October 12, 2018 [Page 33]
Internet-Draft MISP core format February 2018
Internet-Draft MISP core format April 2018
"items": {
@ -1901,9 +1901,9 @@ Internet-Draft MISP core format February 2018
Dulaunoy & Iklody Expires August 13, 2018 [Page 34]
Dulaunoy & Iklody Expires October 12, 2018 [Page 34]
Internet-Draft MISP core format February 2018
Internet-Draft MISP core format April 2018
"type": "string"
@ -1957,9 +1957,9 @@ Internet-Draft MISP core format February 2018
Dulaunoy & Iklody Expires August 13, 2018 [Page 35]
Dulaunoy & Iklody Expires October 12, 2018 [Page 35]
Internet-Draft MISP core format February 2018
Internet-Draft MISP core format April 2018
"type": "string"
@ -2013,9 +2013,9 @@ Internet-Draft MISP core format February 2018
Dulaunoy & Iklody Expires August 13, 2018 [Page 36]
Dulaunoy & Iklody Expires October 12, 2018 [Page 36]
Internet-Draft MISP core format February 2018
Internet-Draft MISP core format April 2018
"properties": {
@ -2069,9 +2069,9 @@ Internet-Draft MISP core format February 2018
Dulaunoy & Iklody Expires August 13, 2018 [Page 37]
Dulaunoy & Iklody Expires October 12, 2018 [Page 37]
Internet-Draft MISP core format February 2018
Internet-Draft MISP core format April 2018
},
@ -2125,9 +2125,9 @@ Internet-Draft MISP core format February 2018
Dulaunoy & Iklody Expires August 13, 2018 [Page 38]
Dulaunoy & Iklody Expires October 12, 2018 [Page 38]
Internet-Draft MISP core format February 2018
Internet-Draft MISP core format April 2018
}
@ -2181,9 +2181,9 @@ Internet-Draft MISP core format February 2018
Dulaunoy & Iklody Expires August 13, 2018 [Page 39]
Dulaunoy & Iklody Expires October 12, 2018 [Page 39]
Internet-Draft MISP core format February 2018
Internet-Draft MISP core format April 2018
"description": {
@ -2237,9 +2237,9 @@ Internet-Draft MISP core format February 2018
Dulaunoy & Iklody Expires August 13, 2018 [Page 40]
Dulaunoy & Iklody Expires October 12, 2018 [Page 40]
Internet-Draft MISP core format February 2018
Internet-Draft MISP core format April 2018
}
@ -2293,9 +2293,9 @@ Internet-Draft MISP core format February 2018
Dulaunoy & Iklody Expires August 13, 2018 [Page 41]
Dulaunoy & Iklody Expires October 12, 2018 [Page 41]
Internet-Draft MISP core format February 2018
Internet-Draft MISP core format April 2018
o timestamp (MUST)
@ -2349,9 +2349,9 @@ Internet-Draft MISP core format February 2018
Dulaunoy & Iklody Expires August 13, 2018 [Page 42]
Dulaunoy & Iklody Expires October 12, 2018 [Page 42]
Internet-Draft MISP core format February 2018
Internet-Draft MISP core format April 2018
"info": "Malspam 2016-04-27 - Locky",
@ -2405,9 +2405,9 @@ Internet-Draft MISP core format February 2018
Dulaunoy & Iklody Expires August 13, 2018 [Page 43]
Dulaunoy & Iklody Expires October 12, 2018 [Page 43]
Internet-Draft MISP core format February 2018
Internet-Draft MISP core format April 2018
7. Acknowledgements
@ -2461,9 +2461,9 @@ Internet-Draft MISP core format February 2018
Dulaunoy & Iklody Expires August 13, 2018 [Page 44]
Dulaunoy & Iklody Expires October 12, 2018 [Page 44]
Internet-Draft MISP core format February 2018
Internet-Draft MISP core format April 2018
Authors' Addresses
@ -2517,4 +2517,4 @@ Authors' Addresses
Dulaunoy & Iklody Expires August 13, 2018 [Page 45]
Dulaunoy & Iklody Expires October 12, 2018 [Page 45]