From 37c1c14ad3982cdc5dd09820d7b662afe82ab592 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Wed, 2 May 2018 09:29:28 +0200 Subject: [PATCH 1/4] add comma and recommended UUID version --- misp-object-template-format/raw.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/misp-object-template-format/raw.md b/misp-object-template-format/raw.md index 3b4b2c4..ca79e49 100755 --- a/misp-object-template-format/raw.md +++ b/misp-object-template-format/raw.md 
@@ -61,9 +61,9 @@ document are to be interpreted as described in RFC 2119 [@!RFC2119]. MISP object templates are composed of the MISP object template (**MUST**) structure itself and a list of MISP object template elements (**SHOULD**) describing the list of possible attributes belonging to the resulting object, along with their context and settings. -MISP object templates themselves consist of a name (**MUST**), a meta-category (**MUST**) and a description (**SHOULD**). They are identified by a uuid (**MUST**) and a version (**MUST**). The list of requirements when it comes to the contained MISP object template elements is defined in the requirements field (**OPTIONAL**). +MISP object templates themselves consist of a name (**MUST**), a meta-category (**MUST**) and a description (**SHOULD**). They are identified by a uuid (**MUST**) and a version (**MUST**). For any updates or transfer of the same object reference. UUID version 4 is **RECOMMENDED** when assigning it to a new object reference. The list of requirements when it comes to the contained MISP object template elements is defined in the requirements field (**OPTIONAL**). -MISP object template elements consist of an object\_relation (**MUST**) a type (**MUST**) an object\_template\_id (**SHOULD**) a ui\_priority (**SHOULD**) a list of categories (**MAY**), a list of sane\_default values (**MAY**) or a values\_list (**MAY**). +MISP object template elements consist of an object\_relation (**MUST**), a type (**MUST**), an object\_template\_id (**SHOULD**), a ui\_priority (**SHOULD**), a list of categories (**MAY**), a list of sane\_default values (**MAY**) or a values\_list (**MAY**). ## Overview From 143648a54d4ecf51b9970f52c52b874aa0d54b47 Mon Sep 17 00:00:00 2001 
From: Deborah Servili Date: Tue, 5 Jun 2018 12:21:50 +0200 Subject: [PATCH 2/4] misp-noticelist-format - first draft [WiP] --- misp-noticelist-format/raw.md | 89 +++++++++++++++++++++++++++++++++++ 1 file changed, 89 insertions(+) create mode 100644 misp-noticelist-format/raw.md diff --git a/misp-noticelist-format/raw.md b/misp-noticelist-format/raw.md new file mode 100644 index 0000000..302290b --- /dev/null +++ b/misp-noticelist-format/raw.md 
@@ -0,0 +1,89 @@ +% Title = "MISP noticelist format" +% abbrev = "MISP noticelist format" +% category = "info" +% docName = "draft-dulaunoy-misp-noticelist-format" +% ipr= "trust200902" +% area = "Security" +% +% date = 2018-04-01T00:00:00Z +% +% [[author]] +% initials="A." +% surname="Dulaunoy" +% fullname="Alexandre Dulaunoy" +% abbrev="CIRCL" +% organization = "Computer Incident Response Center Luxembourg" +% [author.address] +% email = "alexandre.dulaunoy@circl.lu" +% phone = "+352 247 88444" +% [author.address.postal] +% street = "16, bd d'Avranches" +% city = "Luxembourg" +% code = "L-1611" +% country = "Luxembourg" +% [[author]] +% initials="A." +% surname="Iklody" +% fullname="Andras Iklody" +% abbrev="CIRCL" +% organization = "Computer Incident Response Center Luxembourg" +% [author.address] +% email = "andras.iklody@circl.lu" +% phone = "+352 247 88444" +% [author.address.postal] +% street = " 16, bd d'Avranches" +% city = "Luxembourg" +% code = "L-1611" +% country = "Luxembourg" +% [[author]] +% initials="D." +% surname="Servili" +% fullname="Deborah Servili" +% abbrev="CIRCL" +% organization = "Computer Incident Response Center Luxembourg" +% [author.address] +% email = "deborah.servili@circl.lu" +% phone = "+352 247 88444" +% [author.address.postal] +% street = " 16, bd d'Avranches" +% city = "Luxembourg" +% code = "L-1611" +% country = "Luxembourg" + +.# Abstract + +This document describes the MISP noticelist format which describes a simple JSON format to represent list of elements + +represent galaxies and clusters that can be attached to MISP events or attributes. A public directory of MISP galaxies is available and relies on the MISP galaxy format. MISP galaxies are used to add further informations on a MISP event. MISP galaxy is a public repository [@?MISP-G] of known malware, threats actors and various other collections of data that can be used to mark, classify or label data in threat information sharing. 
+ +{mainmatter} + +# Introduction +Sharing threat information became a fundamental requirements on the Internet, security and intelligence community at large. Threat information can include indicators of compromise, malicious file indicators, financial fraud indicators or even detailed information about a threat actor. Therefore, there are still information that can not be shared freely to everyone, for several reasons, and it is essential for the user to have a way to know about which information he have to be cautious, as well as an easy way for administrators to give user a reminder of it. + +MISP noticelist is a public repository of list of notices to show to the user about the information he uses or share. + +## Conventions and Terminology + +The key words "**MUST**", "**MUST NOT**", "**REQUIRED**", "**SHALL**", "**SHALL NOT**", +"**SHOULD**", "**SHOULD NOT**", "**RECOMMENDED**", "**MAY**", and "**OPTIONAL**" in this +document are to be interpreted as described in RFC 2119 [@!RFC2119]. + +# Format + +Noticelist are represented as a JSON [@!RFC4627] dictionary. + +## Overview + +The MISP noticelist format uses the JSON [@!RFC4627] format. Each noticelist is represented as a JSON object with meta information including the following fields: name, expended_name, ref, geographical_area and notice. + +name defines the name of the noticelist. It **MUST** match the name of the folder containing the list. The name is represented as a string and **MUST** be present. expended_name defines the full name of the noticelist. The expended_name is represented by a string and **MUST** be present. ref defines the references used to create the notice list. ref is represented as an array containing one or more references and **MUST** pe present. Each reference is a string and **MUST** be present. geographical_area defines the geographical area affected by this noticelist. 
geographical_area is represented as an array containing one or more descriptions of geographical area ans **SHOULD** be present. Each geographical area is a string and **SHOULD** be present. + +notice is represented as an array containing one or more values and **MUST** be present. notice defines all values available in the noticelist. + +## notice + +The notice array contains one or more JSON objects which represent all the possible values in the noticelist. The JSON object contains five fields: scope, +field, value, tags and message. + +scope is represented as an array containing one or more scopes to apply the notice ans **MUST** be present. Each scope is a string and **MUST** be present. field is represented as an array containing one or more fields to apply the notice ans **MUST** be present. Each field is a string and **MUST** be present. value is represented as an array containing one or more values and **MUST** be present. Each value is a string and **MUST** be present. tags is represented as an array containing one or more values and **MUST** be present. Each tag is a string and **MUST** be present. message is represented as a JSON dictionary containing one or more messages translated in different languages and **MUST** be present. Each element in the message dictionary is a couple name/value where the name designate a language and the value contains a string representing a message to display to the user. These elements **MUST** be present. From 8d79d8192e65dc5044a791addd8a9fe5c74fbacb Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Tue, 5 Jun 2018 12:22:32 +0200 Subject: [PATCH 3/4] add example --- misp-noticelist-format/raw.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/misp-noticelist-format/raw.md b/misp-noticelist-format/raw.md index 302290b..9250484 100644 --- a/misp-noticelist-format/raw.md +++ b/misp-noticelist-format/raw.md 
@@ -87,3 +87,23 @@ The notice array contains one or more JSON objects which represent all the possi field, value, tags and message. scope is represented as an array containing one or more scopes to apply the notice ans **MUST** be present. Each scope is a string and **MUST** be present. field is represented as an array containing one or more fields to apply the notice ans **MUST** be present. Each field is a string and **MUST** be present. value is represented as an array containing one or more values and **MUST** be present. Each value is a string and **MUST** be present. tags is represented as an array containing one or more values and **MUST** be present. Each tag is a string and **MUST** be present. message is represented as a JSON dictionary containing one or more messages translated in different languages and **MUST** be present. Each element in the message dictionary is a couple name/value where the name designate a language and the value contains a string representing a message to display to the user. These elements **MUST** be present. + +Example of an element of the notice array + +~~~~ +{ + "scope": ["attribute"], + "field": ["category", "meta-category"], + "value": [ + "Targeting data", + "Attribution", + "Financial fraud", + "Social network", + "Person" + ], + "tags": ["fpf:degrees-of-identifiability='explicitly-personal'"], + "message": { + "en": "This attribute is likely to contain personal data and the data subject is likely to be directly identifiable. Please verify that the processing of personal data is necessary and proportionate to the purposes (e.g. ensuring network and information security) and that you have a legal ground to share those personal data. Where applicable, please ensure that you have taken the necessary steps to ensure transparency towards the data subject in relation to the processing of their personal data." + } +} +~~~~ From 4d2a92eaa990b1ad9a71e8e0049d1a541cd27523 Mon Sep 17 00:00:00 2001 
From: Deborah Servili Date: Tue, 5 Jun 2018 16:33:39 +0200 Subject: [PATCH 4/4] fix remaining parts from galaxy format --- misp-noticelist-format/raw.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/misp-noticelist-format/raw.md b/misp-noticelist-format/raw.md index 9250484..6be6dbe 100644 --- a/misp-noticelist-format/raw.md +++ b/misp-noticelist-format/raw.md 
@@ -52,14 +52,16 @@ .# Abstract -This document describes the MISP noticelist format which describes a simple JSON format to represent list of elements +This document describes the MISP noticelist format which describes a simple JSON format to represent list of notices used to inform MISP users of the legal, privacy, policy or even technical implications of using specific attributes, categories or objects. -represent galaxies and clusters that can be attached to MISP events or attributes. A public directory of MISP galaxies is available and relies on the MISP galaxy format. MISP galaxies are used to add further informations on a MISP event. MISP galaxy is a public repository [@?MISP-G] of known malware, threats actors and various other collections of data that can be used to mark, classify or label data in threat information sharing. +MISP noticelist is a public repository of noticelist used to provide information to the user. {mainmatter} # Introduction -Sharing threat information became a fundamental requirements on the Internet, security and intelligence community at large. Threat information can include indicators of compromise, malicious file indicators, financial fraud indicators or even detailed information about a threat actor. Therefore, there are still information that can not be shared freely to everyone, for several reasons, and it is essential for the user to have a way to know about which information he have to be cautious, as well as an easy way for administrators to give user a reminder of it. + +As the user navigates through the MISP interface, he can sometimes be lost about what to do or not to do on the plaform. Noticelist have been created in order to help and guide the user during his use of MISP, by showing several information to him, or giving him easy reminders. +For instance, due to GDRP, users are expected to be more careful about the information they share, and the GDPR noticelist can be used to help them with this new regulation. 
MISP noticelist is a public repository of list of notices to show to the user about the information he uses or share.
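
Review bot: "For any updates or transfer of the same object reference." in the paragraph added by [PATCH 1/4] (misp-object-template-format/raw.md, @@ -61,9) is a fragment with no subject or verb, so it states no requirement. If the intent is that the uuid stays the same across updates and transfers, say so with an RFC 2119 keyword, for example "The uuid **MUST** be preserved for any updates or transfer of the same object template." The two new sentences also say "object reference" where the rest of the paragraph says "object template"; pick one term.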
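
Review bot: the requirement sentences in the Overview and notice sections of [PATCH 2/4] (new file misp-noticelist-format/raw.md) contain typos: "**MUST** pe present" for ref, and "ans **MUST** be present" / "ans **SHOULD** be present" for scope, field and geographical_area. Please also confirm whether the field name expended_name is intended or should read expanded_name, since implementers will copy it literally. The first Abstract paragraph breaks off after "list of elements" and the second ("represent galaxies and clusters ...") still describes the galaxy format; both are corrected in 4/4, so consider folding that fix into this patch.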
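
Review bot: the message object in the example added by [PATCH 3/4] uses "en" as its key, but the text above it only says the name "designate a language" and never says what form the language identifier takes. State the expected form next to the example so that producers and consumers agree on the keys. The example also covers a single notice element only; a complete noticelist with name, expended_name, ref and geographical_area would show the top-level fields the Overview marks **MUST**. The label line "Example of an element of the notice array" should end with a colon.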
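
Review bot: the new Introduction in [PATCH 4/4] spells the regulation "GDRP" and then "GDPR" in the same sentence, and "plaform" should be "platform". "showing several information to him" reads better as "showing information to them", and using "they/them" for the user throughout would match "users are expected" in the sentence that follows. The Abstract's new closing sentence and the Introduction's unchanged last line ("MISP noticelist is a public repository of ...") now say nearly the same thing, so one of them can go.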