MISP
/
misp-rfc
mirror of https://github.com/MISP/misp-rfc
2
0
Fork 0
Code Issues Releases Wiki Activity

add: text export added

pull/19/merge
Alexandre Dulaunoy 2018-08-08 16:15:55 +02:00
parent bba9452d4e
commit 3852ded49a
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
1 changed files with 274 additions and 274 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

548
misp-core-format/raw.md.txt
View File

@ -76,15 +76,15 @@ Table of Contents
2.4. Attribute . . . . . . . . . . . . . . . . . . . . . . . . 8
2.4.1. Sample Attribute Object . . . . . . . . . . . . . . . 8
2.4.2. Attribute Attributes . . . . . . . . . . . . . . . . 9
2.5. ShadowAttribute . . . . . . . . . . . . . . . . . . . . . 14
2.5. ShadowAttribute . . . . . . . . . . . . . . . . . . . . . 15
2.5.1. Sample Attribute Object . . . . . . . . . . . . . . . 15
2.5.2. ShadowAttribute Attributes . . . . . . . . . . . . . 15
2.5.3. Org . . . . . . . . . . . . . . . . . . . . . . . . . 20
2.5.3. Org . . . . . . . . . . . . . . . . . . . . . . . . . 21
2.6. Object . . . . . . . . . . . . . . . . . . . . . . . . . 21
2.6.1. Sample Object object . . . . . . . . . . . . . . . . 21
2.6.2. Object Attributes . . . . . . . . . . . . . . . . . . 22
2.6.1. Sample Object object . . . . . . . . . . . . . . . . 22
2.6.2. Object Attributes . . . . . . . . . . . . . . . . . . 23
2.7. Object References . . . . . . . . . . . . . . . . . . . . 25
2.7.1. Sample ObjectReference object . . . . . . . . . . . . 25
2.7.1. Sample ObjectReference object . . . . . . . . . . . . 26
2.7.2. ObjectReference Attributes . . . . . . . . . . . . . 26
2.8. Tag . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
2.8.1. Sample Tag . . . . . . . . . . . . . . . . . . . . . 28
@ -497,7 +497,7 @@ Internet-Draft MISP core format April 2018
MUST be a valid selection for the chosen category. The list of valid
category-type combinations is as follows:
Internal reference
Antivirus detection
@ -506,32 +506,8 @@ Dulaunoy & Iklody Expires October 12, 2018 [Page 9]
Internet-Draft MISP core format April 2018
text, link, comment, other, hex
Targeting data
target-user, target-email, target-machine, target-org, target-
location, target-external, comment
Antivirus detection
link, comment, text, hex, attachment, other
Payload delivery
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename,
filename|md5, filename|sha1, filename|sha224, filename|sha256,
filename|sha384, filename|sha512, filename|sha512/224,
filename|sha512/256, filename|authentihash, filename|ssdeep,
filename|tlsh, filename|imphash, filename|impfuzzy,
filename|pehash, ip-src, ip-dst, hostname, domain, email-src,
email-dst, email-subject, email-attachment, url, user-agent, AS,
pattern-in-file, pattern-in-traffic, yara, attachment, malware-
sample, link, malware-type, mime-type, comment, text,
vulnerability, x509-fingerprint-sha1, other, ip-dst|port, ip-
src|port, hostname|port, email-dst-display-name, email-src-
display-name, email-header, email-reply-to, email-x-mailer, email-
mime-boundary, email-thread-index, email-message-id, mobile-
application-id
Artifacts dropped
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
ssdeep, imphash, impfuzzy, authentihash, filename, filename|md5,
@ -539,21 +515,45 @@ Internet-Draft MISP core format April 2018
filename|sha512, filename|sha512/224, filename|sha512/256,
filename|authentihash, filename|ssdeep, filename|tlsh,
filename|imphash, filename|impfuzzy, filename|pehash, regkey,
regkey|value, pattern-in-file, pattern-in-memory, pdb, yara,
sigma, stix2-pattern, gene, attachment, malware-sample, mime-type,
named pipe, mutex, windows-scheduled-task, windows-service-name,
regkey|value, pattern-in-file, pattern-in-memory, pdb,
stix2-pattern, yara, sigma, attachment, malware-sample, named
pipe, mutex, windows-scheduled-task, windows-service-name,
windows-service-displayname, comment, text, hex, x509-fingerprint-
sha1, other
sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other,
cookie, gene, mime-type
Payload installation
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
ssdeep, imphash, authentihash, pehash, tlsh, filename,
filename|md5, filename|sha1, filename|sha224, filename|sha256,
filename|sha384, filename|sha512, filename|sha512/224,
filename|sha512/256, filename|authentihash, filename|ssdeep,
filename|tlsh, filename|imphash, filename|pehash, pattern-in-file,
mime-type, pattern-in-traffic, pattern-in-memory, yara,
stix2-pattern, vulnerability, attachment, malware-sample, malware-
Attribution
threat-actor, campaign-name, campaign-id, whois-registrant-phone,
whois-registrant-email, whois-registrant-name, whois-registrant-
org, whois-registrar, whois-creation-date, comment, text, x509-
fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256,
other, dns-soa-email
External analysis
md5, sha1, sha256, filename, filename|md5, filename|sha1,
filename|sha256, ip-src, ip-dst, ip-dst|port, ip-src|port, mac-
address, mac-eui-64, hostname, domain, domain|ip, url, user-agent,
regkey, regkey|value, AS, snort, pattern-in-file, pattern-in-
traffic, pattern-in-memory, vulnerability, attachment, malware-
sample, link, comment, text, x509-fingerprint-sha1, x509-
fingerprint-md5, x509-fingerprint-sha256, github-repository,
other, cortex
Financial fraud
btc, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number,
prtn, phone-number, comment, text, other, hex
Internal reference
text, link, comment, other, hex
Network activity
ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain,
domain|ip, mac-address, mac-eui-64, email-dst, url, uri, user-
agent, http-method, AS, snort, pattern-in-file, stix2-pattern,
pattern-in-traffic, attachment, comment, text, x509-fingerprint-
sha1, other, hex, cookie, hostname|port
Other
@ -562,44 +562,46 @@ Dulaunoy & Iklody Expires October 12, 2018 [Page 10]
Internet-Draft MISP core format April 2018
type, comment, text, hex, x509-fingerprint-sha1, mobile-
application-id, other
comment, text, other, size-in-bytes, counter, datetime, cpe, port,
float, hex, phone-number, boolean
Persistence mechanism
filename, regkey, regkey|value, comment, text, other, text
Payload delivery
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename,
filename|md5, filename|sha1, filename|sha224, filename|sha256,
filename|sha384, filename|sha512, filename|sha512/224,
filename|sha512/256, filename|authentihash, filename|ssdeep,
filename|tlsh, filename|imphash, filename|impfuzzy,
filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-
dst|port, ip-src|port, hostname, domain, email-src, email-dst,
email-subject, email-attachment, email-body, url, user-agent, AS,
pattern-in-file, pattern-in-traffic, stix2-pattern, yara, sigma,
mime-type, attachment, malware-sample, link, malware-type,
comment, text, hex, vulnerability, x509-fingerprint-sha1, x509-
fingerprint-md5, x509-fingerprint-sha256, other, hostname|port,
email-dst-display-name, email-src-display-name, email-header,
email-reply-to, email-x-mailer, email-mime-boundary, email-thread-
index, email-message-id, mobile-application-id, whois-registrant-
email
Network activity
ip-src, ip-dst, hostname, domain, domain|ip, email-dst, url, uri,
user-agent, http-method, AS, snort, pattern-in-file, pattern-in-
traffic, stix2-pattern, attachment, comment, text, x509-
fingerprint-sha1, other, hex, cookie
Payload installation
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename,
filename|md5, filename|sha1, filename|sha224, filename|sha256,
filename|sha384, filename|sha512, filename|sha512/224,
filename|sha512/256, filename|authentihash, filename|ssdeep,
filename|tlsh, filename|imphash, filename|impfuzzy,
filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-
memory, stix2-pattern, yara, sigma, vulnerability, attachment,
malware-sample, malware-type, comment, text, hex, x509-
fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256,
mobile-application-id, other, mime-type
Payload type
comment, text, other
Attribution
threat-actor, campaign-name, campaign-id, whois-registrant-phone,
whois-registrant-email, whois-registrant-name, whois-registrar,
whois-creation-date, comment, text, x509-fingerprint-sha1, other
External analysis
md5, sha1, sha256, filename, filename|md5, filename|sha1,
filename|sha256, ip-src, ip-dst, hostname, domain, domain|ip, url,
user-agent, regkey, regkey|value, AS, snort, pattern-in-file,
pattern-in-traffic, pattern-in-memory, vulnerability, attachment,
malware-sample, link, comment, text, x509-fingerprint-sha1,
github-repository, other
Financial fraud
btc, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn,
phone-number, comment, text, other, hex
Support tool
attachment, link, comment, text, other, hex
Social network
github-username, github-repository, github-organisation, jabber-
id, twitter-id, email-src, email-dst, comment, text, other
Persistence mechanism
filename, regkey, regkey|value, comment, text, other, hex
Person
first-name, middle-name, last-name, date-of-birth, place-of-birth,
@ -608,8 +610,6 @@ Internet-Draft MISP core format April 2018
primary-residence, country-of-residence, special-service-request,
frequent-flyer-number, travel-details, payment-details, place-
port-of-original-embarkation, place-port-of-clearance, place-port-
of-onward-foreign-destination, passenger-name-record-locator-
number, comment, text, other, phone-number, identity-card-number
@ -618,9 +618,20 @@ Dulaunoy & Iklody Expires October 12, 2018 [Page 11]
Internet-Draft MISP core format April 2018
Other
comment, text, other, size-in-bytes, counter, datetime, cpe, port,
float, hex, phone-number
of-onward-foreign-destination, passenger-name-record-locator-
number, comment, text, other, phone-number, identity-card-number
Social network
github-username, github-repository, github-organisation, jabber-
id, twitter-id, email-src, email-dst, comment, text, other, whois-
registrant-email
Support Tool
link, text, attachment, comment, other, hex
Targeting data
target-user, target-email, target-machine, target-org, target-
location, target-external, comment
Attributes are based on the usage within their different communities.
Attributes can be extended on a regular basis and this reference
@ -656,6 +667,13 @@ Internet-Draft MISP core format April 2018
event_id is represented as a JSON string. event_id MUST be present.
Dulaunoy & Iklody Expires October 12, 2018 [Page 12]
Internet-Draft MISP core format April 2018
2.4.2.7. distribution
distribution represents the basic distribution rules of the
@ -666,14 +684,6 @@ Internet-Draft MISP core format April 2018
present and be one of the following options:
0
Dulaunoy & Iklody Expires October 12, 2018 [Page 12]
Internet-Draft MISP core format April 2018
Your Organisation Only
1
@ -712,6 +722,14 @@ Internet-Draft MISP core format April 2018
if distribution level "4" is set. A human-readable identifier MUST
be represented as an unsigned integer.
Dulaunoy & Iklody Expires October 12, 2018 [Page 13]
Internet-Draft MISP core format April 2018
sharing_group_id is represented by a JSON string and SHOULD be
present. If a distribution level other than "4" is chosen the
sharing_group_id MUST be set to "0".
@ -722,14 +740,6 @@ Internet-Draft MISP core format April 2018
Revoked attributes are not actionable and exist merely to inform
other instances of a revocation.
Dulaunoy & Iklody Expires October 12, 2018 [Page 13]
Internet-Draft MISP core format April 2018
deleted is represented by a JSON boolean. deleted MUST be present.
2.4.2.12. data
@ -766,6 +776,16 @@ Internet-Draft MISP core format April 2018
containing attribute's ID in the old_id field and the event's ID in
the event_id field.
Dulaunoy & Iklody Expires October 12, 2018 [Page 14]
Internet-Draft MISP core format April 2018
2.4.2.15. value
value represents the payload of an attribute. The format of the
@ -778,14 +798,6 @@ Internet-Draft MISP core format April 2018
ShadowAttributes are 3rd party created attributes that either propose
to add new information to an event or modify existing information.
They are not meant to be actionable until the event creator accepts
Dulaunoy & Iklody Expires October 12, 2018 [Page 14]
Internet-Draft MISP core format April 2018
them - at which point they will be converted into attributes or
modify an existing attribute.
@ -818,6 +830,18 @@ Internet-Draft MISP core format April 2018
2.5.2. ShadowAttribute Attributes
Dulaunoy & Iklody Expires October 12, 2018 [Page 15]
Internet-Draft MISP core format April 2018
2.5.2.1. uuid
uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of
@ -834,14 +858,6 @@ Internet-Draft MISP core format April 2018
represented as an unsigned integer. id is represented as a JSON
string. id SHALL be present.
Dulaunoy & Iklody Expires October 12, 2018 [Page 15]
Internet-Draft MISP core format April 2018
2.5.2.3. type
type represents the means through which an attribute tries to
@ -852,33 +868,9 @@ Internet-Draft MISP core format April 2018
MUST be a valid selection for the chosen category. The list of valid
category-type combinations is as follows:
Internal reference
text, link, comment, other, hex
Targeting data
target-user, target-email, target-machine, target-org, target-
location, target-external, comment
Antivirus detection
link, comment, text, hex, attachment, other
Payload delivery
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename,
filename|md5, filename|sha1, filename|sha224, filename|sha256,
filename|sha384, filename|sha512, filename|sha512/224,
filename|sha512/256, filename|authentihash, filename|ssdeep,
filename|tlsh, filename|imphash, filename|impfuzzy,
filename|pehash, ip-src, ip-dst, hostname, domain, email-src,
email-dst, email-subject, email-attachment, url, user-agent, AS,
pattern-in-file, pattern-in-traffic, yara, attachment, malware-
sample, link, malware-type, mime-type, comment, text,
vulnerability, x509-fingerprint-sha1, other, ip-dst|port, ip-
src|port, hostname|port, email-dst-display-name, email-src-
display-name, email-header, email-reply-to, email-x-mailer, email-
mime-boundary, email-thread-index, email-message-id, mobile-
application-id
Artifacts dropped
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
ssdeep, imphash, impfuzzy, authentihash, filename, filename|md5,
@ -886,9 +878,17 @@ Internet-Draft MISP core format April 2018
filename|sha512, filename|sha512/224, filename|sha512/256,
filename|authentihash, filename|ssdeep, filename|tlsh,
filename|imphash, filename|impfuzzy, filename|pehash, regkey,
regkey|value, pattern-in-file, pattern-in-memory, pdb, yara,
sigma, gene, stix2-pattern, attachment, malware-sample, mime-type,
named pipe, mutex, windows-scheduled-task, windows-service-name,
regkey|value, pattern-in-file, pattern-in-memory, pdb,
stix2-pattern, yara, sigma, attachment, malware-sample, named
pipe, mutex, windows-scheduled-task, windows-service-name,
windows-service-displayname, comment, text, hex, x509-fingerprint-
sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other,
cookie, gene, mime-type
Attribution
threat-actor, campaign-name, campaign-id, whois-registrant-phone,
whois-registrant-email, whois-registrant-name, whois-registrant-
org, whois-registrar, whois-creation-date, comment, text, x509-
@ -898,53 +898,53 @@ Dulaunoy & Iklody Expires October 12, 2018 [Page 16]
Internet-Draft MISP core format April 2018
windows-service-displayname, comment, text, hex, x509-fingerprint-
sha1, other
Payload installation
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
ssdeep, imphash, authentihash, pehash, tlsh, filename,
filename|md5, filename|sha1, filename|sha224, filename|sha256,
filename|sha384, filename|sha512, filename|sha512/224,
filename|sha512/256, filename|authentihash, filename|ssdeep,
filename|tlsh, filename|imphash, filename|pehash, mime-type,
pattern-in-file, pattern-in-traffic, pattern-in-memory, yara,
stix2-pattern, vulnerability, attachment, malware-sample, malware-
type, comment, text, hex, x509-fingerprint-sha1, mobile-
application-id, other
Persistence mechanism
filename, regkey, regkey|value, comment, text, other, text
Network activity
ip-src, ip-dst, hostname, domain, domain|ip, email-dst, url, uri,
user-agent, http-method, AS, snort, pattern-in-file, pattern-in-
traffic, stix2-pattern, attachment, comment, text, x509-
fingerprint-sha1, other, hex, cookie
Payload type
comment, text, other
Attribution
threat-actor, campaign-name, campaign-id, whois-registrant-phone,
whois-registrant-email, whois-registrant-name, whois-registrant-
org, whois-registrar, whois-creation-date, comment, text, x509-
fingerprint-sha1, other
fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256,
other, dns-soa-email
External analysis
md5, sha1, sha256, filename, filename|md5, filename|sha1,
filename|sha256, ip-src, ip-dst, hostname, domain, domain|ip, url,
user-agent, regkey, regkey|value, AS, snort, pattern-in-file,
pattern-in-traffic, pattern-in-memory, vulnerability, attachment,
malware-sample, link, comment, text, x509-fingerprint-sha1,
github-repository, other
filename|sha256, ip-src, ip-dst, ip-dst|port, ip-src|port, mac-
address, mac-eui-64, hostname, domain, domain|ip, url, user-agent,
regkey, regkey|value, AS, snort, pattern-in-file, pattern-in-
traffic, pattern-in-memory, vulnerability, attachment, malware-
sample, link, comment, text, x509-fingerprint-sha1, x509-
fingerprint-md5, x509-fingerprint-sha256, github-repository,
other, cortex
Financial fraud
btc, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn,
phone-number, comment, text, other, hex
btc, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number,
prtn, phone-number, comment, text, other, hex
Support tool
attachment, link, comment, text, other, hex
Internal reference
text, link, comment, other, hex
Network activity
ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain,
domain|ip, mac-address, mac-eui-64, email-dst, url, uri, user-
agent, http-method, AS, snort, pattern-in-file, stix2-pattern,
pattern-in-traffic, attachment, comment, text, x509-fingerprint-
sha1, other, hex, cookie, hostname|port
Other
comment, text, other, size-in-bytes, counter, datetime, cpe, port,
float, hex, phone-number, boolean
Payload delivery
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename,
filename|md5, filename|sha1, filename|sha224, filename|sha256,
filename|sha384, filename|sha512, filename|sha512/224,
filename|sha512/256, filename|authentihash, filename|ssdeep,
filename|tlsh, filename|imphash, filename|impfuzzy,
filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-
dst|port, ip-src|port, hostname, domain, email-src, email-dst,
email-subject, email-attachment, email-body, url, user-agent, AS,
pattern-in-file, pattern-in-traffic, stix2-pattern, yara, sigma,
mime-type, attachment, malware-sample, link, malware-type,
comment, text, hex, vulnerability, x509-fingerprint-sha1, x509-
fingerprint-md5, x509-fingerprint-sha256, other, hostname|port,
email-dst-display-name, email-src-display-name, email-header,
email-reply-to, email-x-mailer, email-mime-boundary, email-thread-
@ -954,9 +954,27 @@ Dulaunoy & Iklody Expires October 12, 2018 [Page 17]
Internet-Draft MISP core format April 2018
Social network
github-username, github-repository, github-organisation, jabber-
id, twitter-id, email-src, email-dst, comment, text, other
index, email-message-id, mobile-application-id, whois-registrant-
email
Payload installation
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename,
filename|md5, filename|sha1, filename|sha224, filename|sha256,
filename|sha384, filename|sha512, filename|sha512/224,
filename|sha512/256, filename|authentihash, filename|ssdeep,
filename|tlsh, filename|imphash, filename|impfuzzy,
filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-
memory, stix2-pattern, yara, sigma, vulnerability, attachment,
malware-sample, malware-type, comment, text, hex, x509-
fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256,
mobile-application-id, other, mime-type
Payload type
comment, text, other
Persistence mechanism
filename, regkey, regkey|value, comment, text, other, hex
Person
first-name, middle-name, last-name, date-of-birth, place-of-birth,
@ -968,14 +986,30 @@ Internet-Draft MISP core format April 2018
of-onward-foreign-destination, passenger-name-record-locator-
number, comment, text, other, phone-number, identity-card-number
Other
comment, text, other, size-in-bytes, counter, datetime, cpe, port,
float, hex, phone-number
Social network
github-username, github-repository, github-organisation, jabber-
id, twitter-id, email-src, email-dst, comment, text, other, whois-
registrant-email
Support Tool
link, text, attachment, comment, other, hex
Targeting data
target-user, target-email, target-machine, target-org, target-
location, target-external, comment
Attributes are based on the usage within their different communities.
Attributes can be extended on a regular basis and this reference
document is updated accordingly.
Dulaunoy & Iklody Expires October 12, 2018 [Page 18]
Internet-Draft MISP core format April 2018
2.5.2.4. category
category represents the intent of what the attribute is describing as
@ -1001,15 +1035,6 @@ Internet-Draft MISP core format April 2018
event_id represents a human-readable identifier referencing the Event
object that the ShadowAttribute belongs to.
Dulaunoy & Iklody Expires October 12, 2018 [Page 18]
Internet-Draft MISP core format April 2018
The event_id SHOULD be updated when the event is imported to reflect
the newly created event's id on the instance.
@ -1031,6 +1056,16 @@ Internet-Draft MISP core format April 2018
old_id is represented as a JSON string. old_id MUST be present.
Dulaunoy & Iklody Expires October 12, 2018 [Page 19]
Internet-Draft MISP core format April 2018
2.5.2.8. timestamp
timestamp represents a reference time when the attribute was created
@ -1057,15 +1092,6 @@ Internet-Draft MISP core format April 2018
org_id is represented by a JSON string and MUST be present.
Dulaunoy & Iklody Expires October 12, 2018 [Page 19]
Internet-Draft MISP core format April 2018
2.5.2.11. proposal_to_delete
proposal_to_delete is a boolean flag that sets whether the shadow
@ -1086,6 +1112,16 @@ Internet-Draft MISP core format April 2018
deleted is represented by a JSON boolean. deleted SHOULD be present.
Dulaunoy & Iklody Expires October 12, 2018 [Page 20]
Internet-Draft MISP core format April 2018
2.5.2.13. data
data contains the base64 encoded contents of an attachment or a
@ -1112,16 +1148,6 @@ Internet-Draft MISP core format April 2018
uuid, name and id are represented as a JSON string. uuid, name and id
MUST be present.
Dulaunoy & Iklody Expires October 12, 2018 [Page 20]
Internet-Draft MISP core format April 2018
2.5.3.1. Sample Org Object
"Org": {
@ -1143,6 +1169,15 @@ Internet-Draft MISP core format April 2018
within an event. Their main purpose is to describe more complex
structures than can be described by a single attribute Each object is
created using an Object Template and carries the meta-data of the
Dulaunoy & Iklody Expires October 12, 2018 [Page 21]
Internet-Draft MISP core format April 2018
template used for its creation within. Objects belong to a meta-
category and are defined by a name.
@ -1155,29 +1190,6 @@ Internet-Draft MISP core format April 2018
2.6.1. Sample Object object
Dulaunoy & Iklody Expires October 12, 2018 [Page 21]
Internet-Draft MISP core format April 2018
"Object": {
"id": "588",
"name": "file",
@ -1215,6 +1227,13 @@ Internet-Draft MISP core format April 2018
]
}
Dulaunoy & Iklody Expires October 12, 2018 [Page 22]
Internet-Draft MISP core format April 2018
2.6.2. Object Attributes
2.6.2.1. uuid
@ -1224,16 +1243,6 @@ Internet-Draft MISP core format April 2018
of the same object. UUID version 4 is RECOMMENDED when assigning it
to a new object.
Dulaunoy & Iklody Expires October 12, 2018 [Page 22]
Internet-Draft MISP core format April 2018
2.6.2.2. id
id represents the human-readable identifier associated to the object
@ -1273,6 +1282,14 @@ Internet-Draft MISP core format April 2018
for creation. UUID version 4 is RECOMMENDED when assigning it to a
new object.
Dulaunoy & Iklody Expires October 12, 2018 [Page 23]
Internet-Draft MISP core format April 2018
2.6.2.7. template_version
template_version represents a numeric incrementing version of the
@ -1283,13 +1300,6 @@ Internet-Draft MISP core format April 2018
version is represented as a JSON string. version MUST be present.
Dulaunoy & Iklody Expires October 12, 2018 [Page 23]
Internet-Draft MISP core format April 2018
2.6.2.8. event_id
event_id represents the human-readable identifier of the event that
@ -1328,6 +1338,14 @@ Internet-Draft MISP core format April 2018
All Communities
4
Dulaunoy & Iklody Expires October 12, 2018 [Page 24]
Internet-Draft MISP core format April 2018
Sharing Group
2.6.2.11. sharing_group_id
@ -1337,15 +1355,6 @@ Internet-Draft MISP core format April 2018
distribution level "4" is set. A human-readable identifier MUST be
represented as an unsigned integer.
Dulaunoy & Iklody Expires October 12, 2018 [Page 24]
Internet-Draft MISP core format April 2018
sharing_group_id is represented by a JSON string and SHOULD be
present. If a distribution level other than "4" is chosen the
sharing_group_id MUST be set to "0".
@ -1385,15 +1394,6 @@ Internet-Draft MISP core format April 2018
All Object References MUST contain an object_uuid, a referenced_uuid
and a relationship type.
2.7.1. Sample ObjectReference object
@ -1402,6 +1402,8 @@ Dulaunoy & Iklody Expires October 12, 2018 [Page 25]
Internet-Draft MISP core format April 2018
2.7.1. Sample ObjectReference object
"ObjectReference": {
"id": "195",
"uuid": "59c21a2c-c0ac-4083-93b3-363da07724d1",
@ -1451,8 +1453,6 @@ Internet-Draft MISP core format April 2018
Dulaunoy & Iklody Expires October 12, 2018 [Page 26]
Internet-Draft MISP core format April 2018