From 35c858665f3c05f6c2feb6bd000d76dca6dc819e Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 27 Aug 2020 18:48:30 +0200
Subject: [PATCH] chg: [misp-core] updated ascii output

---
 misp-core-format/raw.md.txt | 332 ++++++++++++++++++------------------
 1 file changed, 166 insertions(+), 166 deletions(-)

diff --git a/misp-core-format/raw.md.txt b/misp-core-format/raw.md.txt
index 41262ce..92dd681 100755
--- a/misp-core-format/raw.md.txt
+++ b/misp-core-format/raw.md.txt
@@ -80,7 +80,7 @@ Table of Contents
 2.5.1. Sample Attribute Object . . . . . . . . . . . . . . . 16
 2.5.2. ShadowAttribute Attributes . . . . . . . . . . . . . 16
 2.5.3. Org . . . . . . . . . . . . . . . . . . . . . . . . . 22
- 2.6. Object . . . . . . . . . . . . . . . . . . . . . . . . . 22
+ 2.6. Object . . . . . . . . . . . . . . . . . . . . . . . . . 23
 2.6.1. Sample Object . . . . . . . . . . . . . . . . . . . . 23
 2.6.2. Object Attributes . . . . . . . . . . . . . . . . . . 24
 2.7. Object References . . . . . . . . . . . . . . . . . . . . 28
@@ -511,17 +511,20 @@ Internet-Draft MISP core format May 2020 Artifacts dropped md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, - ssdeep, imphash, impfuzzy, authentihash, cdhash, filename, - filename|md5, filename|sha1, filename|sha224, filename|sha256, - filename|sha384, filename|sha512, filename|sha512/224, - filename|sha512/256, filename|authentihash, filename|ssdeep, - filename|tlsh, filename|imphash, filename|impfuzzy, - filename|pehash, regkey, regkey|value, pattern-in-file, pattern- - in-memory, pdb, stix2-pattern, yara, sigma, attachment, malware- - sample, named pipe, mutex, windows-scheduled-task, windows- - service-name, windows-service-displayname, comment, text, hex, - x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint- - sha256, other, cookie, gene, kusto-query, mime-type, anonymised + sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, impfuzzy, + authentihash, vhash, cdhash, filename, filename|md5, + filename|sha1, filename|sha224, filename|sha256, filename|sha384, + filename|sha512, filename|sha512/224, filename|sha512/256, + filename|sha3-224, filename|sha3-256, filename|sha3-384, + filename|sha3-512, filename|authentihash, filename|vhash, + filename|ssdeep, filename|tlsh, filename|imphash, + filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern- + in-file, pattern-in-memory, pdb, stix2-pattern, yara, sigma, + attachment, malware-sample, named pipe, mutex, windows-scheduled- + task, windows-service-name, windows-service-displayname, comment, + text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509- + fingerprint-sha256, other, cookie, gene, kusto-query, mime-type, + anonymised Attribution threat-actor, campaign-name, campaign-id, whois-registrant-phone, 
@@ -531,8 +534,10 @@ Internet-Draft MISP core format May 2020 other, dns-soa-email, anonymised External analysis - md5, sha1, sha256, filename, filename|md5, filename|sha1, - filename|sha256, ip-src, ip-dst, ip-dst|port, ip-src|port, mac- + md5, sha1, sha256, sha3-224, sha3-256, sha3-384, sha3-512, + filename, filename|md5, filename|sha1, filename|sha256, + filename|sha3-224, filename|sha3-256, filename|sha3-384, + filename|sha3-512, ip-src, ip-dst, ip-dst|port, ip-src|port, mac- address, mac-eui-64, hostname, domain, domain|ip, url, user-agent, regkey, regkey|value, AS, snort, bro, zeek, pattern-in-file, pattern-in-traffic, pattern-in-memory, vulnerability, weakness, @@ -549,11 +554,6 @@ Internet-Draft MISP core format May 2020 text, link, comment, other, hex, anonymised, git-commit-id Network activity - ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, - domain|ip, mac-address, mac-eui-64, email-dst, email-src, eppn, - url, uri, user-agent, http-method, AS, snort, pattern-in-file, - stix2-pattern, pattern-in-traffic, attachment, comment, text, - x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint- @@ -562,6 +562,11 @@ Dulaunoy & Iklody Expires November 27, 2020 [Page 10] Internet-Draft MISP core format May 2020 + ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, + domain|ip, mac-address, mac-eui-64, email-dst, email-src, eppn, + url, uri, user-agent, http-method, AS, snort, pattern-in-file, + stix2-pattern, pattern-in-traffic, attachment, comment, text, + x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint- sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised, community-id, email-subject 
@@ -572,10 +577,12 @@ Internet-Draft MISP core format May 2020 Payload delivery md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, - ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash, - filename, filename|md5, filename|sha1, filename|sha224, - filename|sha256, filename|sha384, filename|sha512, - filename|sha512/224, filename|sha512/256, filename|authentihash, + sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, impfuzzy, + authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, + filename|sha1, filename|sha224, filename|sha256, filename|sha384, + filename|sha512, filename|sha512/224, filename|sha512/256, + filename|sha3-224, filename|sha3-256, filename|sha3-384, + filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip- src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email- 
@@ -592,15 +599,25 @@ Internet-Draft MISP core format May 2020 Payload installation md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, - ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash, - filename, filename|md5, filename|sha1, filename|sha224, - filename|sha256, filename|sha384, filename|sha512, - filename|sha512/224, filename|sha512/256, filename|authentihash, + sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, impfuzzy, + authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, + filename|sha1, filename|sha224, filename|sha256, filename|sha384, + filename|sha512, filename|sha512/224, filename|sha512/256, + filename|sha3-224, filename|sha3-256, filename|sha3-384, + filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in- traffic, pattern-in-memory, stix2-pattern, yara, sigma, vulnerability, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, + + + +Dulaunoy & Iklody Expires November 27, 2020 [Page 11] + +Internet-Draft MISP core format May 2020 + + x509-fingerprint-sha256, mobile-application-id, chrome-extension- id, other, mime-type, anonymised @@ -611,13 +628,6 @@ Internet-Draft MISP core format May 2020 filename, regkey, regkey|value, comment, text, other, hex, anonymised - - -Dulaunoy & Iklody Expires November 27, 2020 [Page 11] - -Internet-Draft MISP core format May 2020 - - Person first-name, middle-name, last-name, date-of-birth, place-of-birth, gender, passport-number, passport-country, passport-expiration, 
@@ -655,16 +665,6 @@ Internet-Draft MISP core format May 2020 and it MUST be a valid selection for the chosen type. The list of valid category-type combinations is mentioned above. -2.4.2.5. to_ids - - to_ids represents whether the attribute is meant to be actionable. - Actionable defined attributes that can be used in automated processes - as a pattern for detection in Local or Network Intrusion Detection - System, log analysis tools or even filtering mechanisms. - - to_ids is represented as a JSON boolean. to_ids MUST be present. - - @@ -674,6 +674,15 @@ Dulaunoy & Iklody Expires November 27, 2020 [Page 12] Internet-Draft MISP core format May 2020 +2.4.2.5. to_ids + + to_ids represents whether the attribute is meant to be actionable. + Actionable defined attributes that can be used in automated processes + as a pattern for detection in Local or Network Intrusion Detection + System, log analysis tools or even filtering mechanisms. + + to_ids is represented as a JSON boolean. to_ids MUST be present. + 2.4.2.6. event_id event_id represents a human-readable identifier referencing the Event @@ -712,15 +721,6 @@ Internet-Draft MISP core format May 2020 5 Inherit Event -2.4.2.8. timestamp - - timestamp represents a reference time when the attribute was created - or last modified. timestamp is expressed in seconds (decimal) since - 1st of January 1970 (Unix timestamp). The time zone MUST be UTC. - - timestamp is represented as a JSON string. timestamp MUST be present. - - @@ -730,6 +730,14 @@ Dulaunoy & Iklody Expires November 27, 2020 [Page 13] Internet-Draft MISP core format May 2020 +2.4.2.8. timestamp + + timestamp represents a reference time when the attribute was created + or last modified. timestamp is expressed in seconds (decimal) since + 1st of January 1970 (Unix timestamp). The time zone MUST be UTC. + + timestamp is represented as a JSON string. timestamp MUST be present. + 2.4.2.9. comment comment is a contextual comment field. 
@@ -770,14 +778,6 @@ Internet-Draft MISP core format May 2020 RelatedAttribute is an array of attributes correlating with the current attribute. Each element in the array represents an JSON object which contains an Attribute dictionnary with the external - attributes who correlate. Each Attribute MUST include the id, - org_id, info and a value. Only the correlations found on the local - instance are shown in RelatedAttribute. - - RelatedAttribute MAY be present. - - - @@ -786,6 +786,12 @@ Dulaunoy & Iklody Expires November 27, 2020 [Page 14] Internet-Draft MISP core format May 2020 + attributes who correlate. Each Attribute MUST include the id, + org_id, info and a value. Only the correlations found on the local + instance are shown in RelatedAttribute. + + RelatedAttribute MAY be present. + 2.4.2.14. ShadowAttribute ShadowAttribute is an array of shadow attributes that serve as @@ -828,12 +834,6 @@ Internet-Draft MISP core format May 2020 ShadowAttributes are 3rd party created attributes that either propose to add new information to an event or modify existing information. They are not meant to be actionable until the event creator accepts - them - at which point they will be converted into attributes or - modify an existing attribute. - - They are similar in structure to Attributes but additionally carry a - reference to the creator of the ShadowAttribute as well as a - revocation flag. @@ -842,6 +842,13 @@ Dulaunoy & Iklody Expires November 27, 2020 [Page 15] Internet-Draft MISP core format May 2020 + them - at which point they will be converted into attributes or + modify an existing attribute. + + They are similar in structure to Attributes but additionally carry a + reference to the creator of the ShadowAttribute as well as a + revocation flag. + 2.5.1. Sample Attribute Object "ShadowAttribute": { 
@@ -882,6 +889,15 @@ Internet-Draft MISP core format May 2020 id represents the human-readable identifier associated to the event for a specific MISP instance. human-readable identifier MUST be + + + + +Dulaunoy & Iklody Expires November 27, 2020 [Page 16] + +Internet-Draft MISP core format May 2020 + + represented as an unsigned integer. id is represented as a JSON string. id SHALL be present. @@ -891,13 +907,6 @@ Internet-Draft MISP core format May 2020 describe the intent of the attribute creator, using a list of pre- defined attribute types. - - -Dulaunoy & Iklody Expires November 27, 2020 [Page 16] - -Internet-Draft MISP core format May 2020 - - type is represented as a JSON string. type MUST be present and it MUST be a valid selection for the chosen category. The list of valid category-type combinations is as follows: 
@@ -907,17 +916,20 @@ Internet-Draft MISP core format May 2020 Artifacts dropped md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, - ssdeep, imphash, impfuzzy, authentihash, cdhash, filename, - filename|md5, filename|sha1, filename|sha224, filename|sha256, - filename|sha384, filename|sha512, filename|sha512/224, - filename|sha512/256, filename|authentihash, filename|ssdeep, - filename|tlsh, filename|imphash, filename|impfuzzy, - filename|pehash, regkey, regkey|value, pattern-in-file, pattern- - in-memory, pdb, stix2-pattern, yara, sigma, attachment, malware- - sample, named pipe, mutex, windows-scheduled-task, windows- - service-name, windows-service-displayname, comment, text, hex, - x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint- - sha256, other, cookie, gene, kusto-query, mime-type, anonymised + sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, impfuzzy, + authentihash, vhash, cdhash, filename, filename|md5, + filename|sha1, filename|sha224, filename|sha256, filename|sha384, + filename|sha512, filename|sha512/224, filename|sha512/256, + filename|sha3-224, filename|sha3-256, filename|sha3-384, + filename|sha3-512, filename|authentihash, filename|vhash, + filename|ssdeep, filename|tlsh, filename|imphash, + filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern- + in-file, pattern-in-memory, pdb, stix2-pattern, yara, sigma, + attachment, malware-sample, named pipe, mutex, windows-scheduled- + task, windows-service-name, windows-service-displayname, comment, + text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509- + fingerprint-sha256, other, cookie, gene, kusto-query, mime-type, + anonymised Attribution threat-actor, campaign-name, campaign-id, whois-registrant-phone, 
@@ -927,11 +939,21 @@ Internet-Draft MISP core format May 2020 other, dns-soa-email, anonymised External analysis - md5, sha1, sha256, filename, filename|md5, filename|sha1, - filename|sha256, ip-src, ip-dst, ip-dst|port, ip-src|port, mac- + md5, sha1, sha256, sha3-224, sha3-256, sha3-384, sha3-512, + filename, filename|md5, filename|sha1, filename|sha256, + filename|sha3-224, filename|sha3-256, filename|sha3-384, + filename|sha3-512, ip-src, ip-dst, ip-dst|port, ip-src|port, mac- address, mac-eui-64, hostname, domain, domain|ip, url, user-agent, regkey, regkey|value, AS, snort, bro, zeek, pattern-in-file, pattern-in-traffic, pattern-in-memory, vulnerability, weakness, + + + +Dulaunoy & Iklody Expires November 27, 2020 [Page 17] + +Internet-Draft MISP core format May 2020 + + attachment, malware-sample, link, comment, text, x509-fingerprint- sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3- fingerprint-md5, hassh-md5, hasshserver-md5, github-repository, @@ -945,15 +967,6 @@ Internet-Draft MISP core format May 2020 text, link, comment, other, hex, anonymised, git-commit-id Network activity - - - - -Dulaunoy & Iklody Expires November 27, 2020 [Page 17] - -Internet-Draft MISP core format May 2020 - - ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email-dst, email-src, eppn, url, uri, user-agent, http-method, AS, snort, pattern-in-file, 
@@ -969,10 +982,12 @@ Internet-Draft MISP core format May 2020 Payload delivery md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, - ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash, - filename, filename|md5, filename|sha1, filename|sha224, - filename|sha256, filename|sha384, filename|sha512, - filename|sha512/224, filename|sha512/256, filename|authentihash, + sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, impfuzzy, + authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, + filename|sha1, filename|sha224, filename|sha256, filename|sha384, + filename|sha512, filename|sha512/224, filename|sha512/256, + filename|sha3-224, filename|sha3-256, filename|sha3-384, + filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip- src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email- 
@@ -987,12 +1002,22 @@ Internet-Draft MISP core format May 2020 email-thread-index, email-message-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised + + + +Dulaunoy & Iklody Expires November 27, 2020 [Page 18] + +Internet-Draft MISP core format May 2020 + + Payload installation md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, - ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash, - filename, filename|md5, filename|sha1, filename|sha224, - filename|sha256, filename|sha384, filename|sha512, - filename|sha512/224, filename|sha512/256, filename|authentihash, + sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, impfuzzy, + authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, + filename|sha1, filename|sha224, filename|sha256, filename|sha384, + filename|sha512, filename|sha512/224, filename|sha512/256, + filename|sha3-224, filename|sha3-256, filename|sha3-384, + filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in- traffic, pattern-in-memory, stix2-pattern, yara, sigma, @@ -1002,14 +1027,6 @@ Internet-Draft MISP core format May 2020 id, other, mime-type, anonymised Payload type - - - -Dulaunoy & Iklody Expires November 27, 2020 [Page 18] - -Internet-Draft MISP core format May 2020 - - comment, text, other, anonymised Persistence mechanism @@ -1039,6 +1056,16 @@ Internet-Draft MISP core format May 2020 target-user, target-email, target-machine, target-org, target- location, target-external, comment, anonymised + + + + + +Dulaunoy & Iklody Expires November 27, 2020 [Page 19] + +Internet-Draft MISP core format May 2020 + + Attributes are based on the usage within their different communities. Attributes can be extended on a regular basis and this reference document is updated accordingly. 
@@ -1058,14 +1085,6 @@ Internet-Draft MISP core format May 2020 to_ids represents whether the Attribute to be created if the ShadowAttribute is accepted is meant to be actionable. Actionable defined attributes that can be used in automated processes as a - - - -Dulaunoy & Iklody Expires November 27, 2020 [Page 19] - -Internet-Draft MISP core format May 2020 - - pattern for detection in Local or Network Intrusion Detection System, log analysis tools or even filtering mechanisms. @@ -1095,6 +1114,14 @@ Internet-Draft MISP core format May 2020 the ShadowAttribute proposes the creation of a new Attribute, it should be set to 0. + + + +Dulaunoy & Iklody Expires November 27, 2020 [Page 20] + +Internet-Draft MISP core format May 2020 + + old_id is represented as a JSON string. old_id MUST be present. 2.5.2.8. timestamp @@ -1111,17 +1138,6 @@ Internet-Draft MISP core format May 2020 comment is represented by a JSON string. comment MAY be present. - - - - - - -Dulaunoy & Iklody Expires November 27, 2020 [Page 20] - -Internet-Draft MISP core format May 2020 - - 2.5.2.10. org_id org_id represents a human-readable identifier referencing the @@ -1154,6 +1170,14 @@ Internet-Draft MISP core format May 2020 deleted is represented by a JSON boolean. deleted SHOULD be present. + + + +Dulaunoy & Iklody Expires November 27, 2020 [Page 21] + +Internet-Draft MISP core format May 2020 + + 2.5.2.13. data data contains the base64 encoded contents of an attachment or a @@ -1170,14 +1194,6 @@ Internet-Draft MISP core format May 2020 seen. first_seen as an ISO 8601 datetime up to the micro-second with time zone support. - - - -Dulaunoy & Iklody Expires November 27, 2020 [Page 21] - -Internet-Draft MISP core format May 2020 - - first_seen is represented as a JSON string. first_seen MAY be present. 
@@ -1207,6 +1223,17 @@ Internet-Draft MISP core format May 2020 2.5.3.1. Sample Org Object + + + + + + +Dulaunoy & Iklody Expires November 27, 2020 [Page 22] + +Internet-Draft MISP core format May 2020 + + "Org": { "id": "2", "name": "CIRCL", @@ -1226,14 +1253,6 @@ Internet-Draft MISP core format May 2020 within an event. Their main purpose is to describe more complex structures than can be described by a single attribute Each object is created using an Object Template and carries the meta-data of the - - - -Dulaunoy & Iklody Expires November 27, 2020 [Page 22] - -Internet-Draft MISP core format May 2020 - - template used for its creation within. Objects belong to a meta- category and are defined by a name. @@ -1264,25 +1283,6 @@ Internet-Draft MISP core format May 2020 - - - - - - - - - - - - - - - - - - - Dulaunoy & Iklody Expires November 27, 2020 [Page 23]