diff --git a/misp-core-format/raw.md.txt b/misp-core-format/raw.md.txt index 6618c89..3fa2676 100755 --- a/misp-core-format/raw.md.txt +++ b/misp-core-format/raw.md.txt @@ -76,15 +76,15 @@ Table of Contents 2.4. Attribute . . . . . . . . . . . . . . . . . . . . . . . . 8 2.4.1. Sample Attribute Object . . . . . . . . . . . . . . . 8 2.4.2. Attribute Attributes . . . . . . . . . . . . . . . . 9 - 2.5. ShadowAttribute . . . . . . . . . . . . . . . . . . . . . 14 + 2.5. ShadowAttribute . . . . . . . . . . . . . . . . . . . . . 15 2.5.1. Sample Attribute Object . . . . . . . . . . . . . . . 15 2.5.2. ShadowAttribute Attributes . . . . . . . . . . . . . 15 - 2.5.3. Org . . . . . . . . . . . . . . . . . . . . . . . . . 20 + 2.5.3. Org . . . . . . . . . . . . . . . . . . . . . . . . . 21 2.6. Object . . . . . . . . . . . . . . . . . . . . . . . . . 21 - 2.6.1. Sample Object object . . . . . . . . . . . . . . . . 21 - 2.6.2. Object Attributes . . . . . . . . . . . . . . . . . . 22 + 2.6.1. Sample Object object . . . . . . . . . . . . . . . . 22 + 2.6.2. Object Attributes . . . . . . . . . . . . . . . . . . 23 2.7. Object References . . . . . . . . . . . . . . . . . . . . 25 - 2.7.1. Sample ObjectReference object . . . . . . . . . . . . 25 + 2.7.1. Sample ObjectReference object . . . . . . . . . . . . 26 2.7.2. ObjectReference Attributes . . . . . . . . . . . . . 26 2.8. Tag . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 2.8.1. Sample Tag . . . . . . . . . . . . . . . . . . . . . 28 @@ -497,7 +497,7 @@ Internet-Draft MISP core format April 2018 MUST be a valid selection for the chosen category. The list of valid category-type combinations is as follows: - Internal reference + Antivirus detection 
@@ -506,32 +506,8 @@ Dulaunoy & Iklody Expires October 12, 2018 [Page 9] Internet-Draft MISP core format April 2018 - text, link, comment, other, hex - - Targeting data - target-user, target-email, target-machine, target-org, target- - location, target-external, comment - - Antivirus detection link, comment, text, hex, attachment, other - Payload delivery - md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, - ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename, - filename|md5, filename|sha1, filename|sha224, filename|sha256, - filename|sha384, filename|sha512, filename|sha512/224, - filename|sha512/256, filename|authentihash, filename|ssdeep, - filename|tlsh, filename|imphash, filename|impfuzzy, - filename|pehash, ip-src, ip-dst, hostname, domain, email-src, - email-dst, email-subject, email-attachment, url, user-agent, AS, - pattern-in-file, pattern-in-traffic, yara, attachment, malware- - sample, link, malware-type, mime-type, comment, text, - vulnerability, x509-fingerprint-sha1, other, ip-dst|port, ip- - src|port, hostname|port, email-dst-display-name, email-src- - display-name, email-header, email-reply-to, email-x-mailer, email- - mime-boundary, email-thread-index, email-message-id, mobile- - application-id - Artifacts dropped md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, filename, filename|md5, 
@@ -539,21 +515,45 @@ Internet-Draft MISP core format April 2018 filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, - regkey|value, pattern-in-file, pattern-in-memory, pdb, yara, - sigma, stix2-pattern, gene, attachment, malware-sample, mime-type, - named pipe, mutex, windows-scheduled-task, windows-service-name, + regkey|value, pattern-in-file, pattern-in-memory, pdb, + stix2-pattern, yara, sigma, attachment, malware-sample, named + pipe, mutex, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint- - sha1, other + sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, + cookie, gene, mime-type - Payload installation - md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, - ssdeep, imphash, authentihash, pehash, tlsh, filename, - filename|md5, filename|sha1, filename|sha224, filename|sha256, - filename|sha384, filename|sha512, filename|sha512/224, - filename|sha512/256, filename|authentihash, filename|ssdeep, - filename|tlsh, filename|imphash, filename|pehash, pattern-in-file, - mime-type, pattern-in-traffic, pattern-in-memory, yara, - stix2-pattern, vulnerability, attachment, malware-sample, malware- + Attribution + threat-actor, campaign-name, campaign-id, whois-registrant-phone, + whois-registrant-email, whois-registrant-name, whois-registrant- + org, whois-registrar, whois-creation-date, comment, text, x509- + fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, + other, dns-soa-email + + External analysis + md5, sha1, sha256, filename, filename|md5, filename|sha1, + filename|sha256, ip-src, ip-dst, ip-dst|port, ip-src|port, mac- + address, mac-eui-64, hostname, domain, domain|ip, url, user-agent, + regkey, regkey|value, AS, snort, pattern-in-file, pattern-in- + traffic, pattern-in-memory, vulnerability, attachment, malware- + sample, link, comment, 
text, x509-fingerprint-sha1, x509- + fingerprint-md5, x509-fingerprint-sha256, github-repository, + other, cortex + + Financial fraud + btc, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, + prtn, phone-number, comment, text, other, hex + + Internal reference + text, link, comment, other, hex + + Network activity + ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, + domain|ip, mac-address, mac-eui-64, email-dst, url, uri, user- + agent, http-method, AS, snort, pattern-in-file, stix2-pattern, + pattern-in-traffic, attachment, comment, text, x509-fingerprint- + sha1, other, hex, cookie, hostname|port + + Other 
@@ -562,44 +562,46 @@ Dulaunoy & Iklody Expires October 12, 2018 [Page 10] Internet-Draft MISP core format April 2018 - type, comment, text, hex, x509-fingerprint-sha1, mobile- - application-id, other + comment, text, other, size-in-bytes, counter, datetime, cpe, port, + float, hex, phone-number, boolean - Persistence mechanism - filename, regkey, regkey|value, comment, text, other, text + Payload delivery + md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, + ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename, + filename|md5, filename|sha1, filename|sha224, filename|sha256, + filename|sha384, filename|sha512, filename|sha512/224, + filename|sha512/256, filename|authentihash, filename|ssdeep, + filename|tlsh, filename|imphash, filename|impfuzzy, + filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip- + dst|port, ip-src|port, hostname, domain, email-src, email-dst, + email-subject, email-attachment, email-body, url, user-agent, AS, + pattern-in-file, pattern-in-traffic, stix2-pattern, yara, sigma, + mime-type, attachment, malware-sample, link, malware-type, + comment, text, hex, vulnerability, x509-fingerprint-sha1, x509- + fingerprint-md5, x509-fingerprint-sha256, other, hostname|port, + email-dst-display-name, email-src-display-name, email-header, + email-reply-to, email-x-mailer, email-mime-boundary, email-thread- + index, email-message-id, mobile-application-id, whois-registrant- + email - Network activity - ip-src, ip-dst, hostname, domain, domain|ip, email-dst, url, uri, - user-agent, http-method, AS, snort, pattern-in-file, pattern-in- - traffic, stix2-pattern, attachment, comment, text, x509- - fingerprint-sha1, other, hex, cookie + Payload installation + md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, + ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename, + filename|md5, filename|sha1, filename|sha224, filename|sha256, + filename|sha384, filename|sha512, filename|sha512/224, + 
filename|sha512/256, filename|authentihash, filename|ssdeep, + filename|tlsh, filename|imphash, filename|impfuzzy, + filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in- + memory, stix2-pattern, yara, sigma, vulnerability, attachment, + malware-sample, malware-type, comment, text, hex, x509- + fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, + mobile-application-id, other, mime-type Payload type comment, text, other - Attribution - threat-actor, campaign-name, campaign-id, whois-registrant-phone, - whois-registrant-email, whois-registrant-name, whois-registrar, - whois-creation-date, comment, text, x509-fingerprint-sha1, other - - External analysis - md5, sha1, sha256, filename, filename|md5, filename|sha1, - filename|sha256, ip-src, ip-dst, hostname, domain, domain|ip, url, - user-agent, regkey, regkey|value, AS, snort, pattern-in-file, - pattern-in-traffic, pattern-in-memory, vulnerability, attachment, - malware-sample, link, comment, text, x509-fingerprint-sha1, - github-repository, other - - Financial fraud - btc, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, - phone-number, comment, text, other, hex - - Support tool - attachment, link, comment, text, other, hex - - Social network - github-username, github-repository, github-organisation, jabber- - id, twitter-id, email-src, email-dst, comment, text, other + Persistence mechanism + filename, regkey, regkey|value, comment, text, other, hex Person first-name, middle-name, last-name, date-of-birth, place-of-birth, @@ -608,8 +610,6 @@ Internet-Draft MISP core format April 2018 primary-residence, country-of-residence, special-service-request, frequent-flyer-number, travel-details, payment-details, place- port-of-original-embarkation, place-port-of-clearance, place-port- - of-onward-foreign-destination, passenger-name-record-locator- - number, comment, text, other, phone-number, identity-card-number 
@@ -618,9 +618,20 @@ Dulaunoy & Iklody Expires October 12, 2018 [Page 11] Internet-Draft MISP core format April 2018 - Other - comment, text, other, size-in-bytes, counter, datetime, cpe, port, - float, hex, phone-number + of-onward-foreign-destination, passenger-name-record-locator- + number, comment, text, other, phone-number, identity-card-number + + Social network + github-username, github-repository, github-organisation, jabber- + id, twitter-id, email-src, email-dst, comment, text, other, whois- + registrant-email + + Support Tool + link, text, attachment, comment, other, hex + + Targeting data + target-user, target-email, target-machine, target-org, target- + location, target-external, comment Attributes are based on the usage within their different communities. Attributes can be extended on a regular basis and this reference @@ -656,6 +667,13 @@ Internet-Draft MISP core format April 2018 event_id is represented as a JSON string. event_id MUST be present. + + +Dulaunoy & Iklody Expires October 12, 2018 [Page 12] + +Internet-Draft MISP core format April 2018 + + 2.4.2.7. distribution distribution represents the basic distribution rules of the @@ -666,14 +684,6 @@ Internet-Draft MISP core format April 2018 present and be one of the following options: 0 - - - -Dulaunoy & Iklody Expires October 12, 2018 [Page 12] - -Internet-Draft MISP core format April 2018 - - Your Organisation Only 1 @@ -712,6 +722,14 @@ Internet-Draft MISP core format April 2018 if distribution level "4" is set. A human-readable identifier MUST be represented as an unsigned integer. + + + +Dulaunoy & Iklody Expires October 12, 2018 [Page 13] + +Internet-Draft MISP core format April 2018 + + sharing_group_id is represented by a JSON string and SHOULD be present. If a distribution level other than "4" is chosen the sharing_group_id MUST be set to "0". 
@@ -722,14 +740,6 @@ Internet-Draft MISP core format April 2018 Revoked attributes are not actionable and exist merely to inform other instances of a revocation. - - - -Dulaunoy & Iklody Expires October 12, 2018 [Page 13] - -Internet-Draft MISP core format April 2018 - - deleted is represented by a JSON boolean. deleted MUST be present. 2.4.2.12. data @@ -766,6 +776,16 @@ Internet-Draft MISP core format April 2018 containing attribute's ID in the old_id field and the event's ID in the event_id field. + + + + + +Dulaunoy & Iklody Expires October 12, 2018 [Page 14] + +Internet-Draft MISP core format April 2018 + + 2.4.2.15. value value represents the payload of an attribute. The format of the @@ -778,14 +798,6 @@ Internet-Draft MISP core format April 2018 ShadowAttributes are 3rd party created attributes that either propose to add new information to an event or modify existing information. They are not meant to be actionable until the event creator accepts - - - -Dulaunoy & Iklody Expires October 12, 2018 [Page 14] - -Internet-Draft MISP core format April 2018 - - them - at which point they will be converted into attributes or modify an existing attribute. @@ -818,6 +830,18 @@ Internet-Draft MISP core format April 2018 2.5.2. ShadowAttribute Attributes + + + + + + + +Dulaunoy & Iklody Expires October 12, 2018 [Page 15] + +Internet-Draft MISP core format April 2018 + + 2.5.2.1. uuid uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of @@ -834,14 +858,6 @@ Internet-Draft MISP core format April 2018 represented as an unsigned integer. id is represented as a JSON string. id SHALL be present. - - - -Dulaunoy & Iklody Expires October 12, 2018 [Page 15] - -Internet-Draft MISP core format April 2018 - - 2.5.2.3. type type represents the means through which an attribute tries to 
@@ -852,33 +868,9 @@ Internet-Draft MISP core format April 2018 MUST be a valid selection for the chosen category. The list of valid category-type combinations is as follows: - Internal reference - text, link, comment, other, hex - - Targeting data - target-user, target-email, target-machine, target-org, target- - location, target-external, comment - Antivirus detection link, comment, text, hex, attachment, other - Payload delivery - md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, - ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename, - filename|md5, filename|sha1, filename|sha224, filename|sha256, - filename|sha384, filename|sha512, filename|sha512/224, - filename|sha512/256, filename|authentihash, filename|ssdeep, - filename|tlsh, filename|imphash, filename|impfuzzy, - filename|pehash, ip-src, ip-dst, hostname, domain, email-src, - email-dst, email-subject, email-attachment, url, user-agent, AS, - pattern-in-file, pattern-in-traffic, yara, attachment, malware- - sample, link, malware-type, mime-type, comment, text, - vulnerability, x509-fingerprint-sha1, other, ip-dst|port, ip- - src|port, hostname|port, email-dst-display-name, email-src- - display-name, email-header, email-reply-to, email-x-mailer, email- - mime-boundary, email-thread-index, email-message-id, mobile- - application-id - Artifacts dropped md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, filename, filename|md5, 
@@ -886,9 +878,17 @@ Internet-Draft MISP core format April 2018 filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, - regkey|value, pattern-in-file, pattern-in-memory, pdb, yara, - sigma, gene, stix2-pattern, attachment, malware-sample, mime-type, - named pipe, mutex, windows-scheduled-task, windows-service-name, + regkey|value, pattern-in-file, pattern-in-memory, pdb, + stix2-pattern, yara, sigma, attachment, malware-sample, named + pipe, mutex, windows-scheduled-task, windows-service-name, + windows-service-displayname, comment, text, hex, x509-fingerprint- + sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, + cookie, gene, mime-type + + Attribution + threat-actor, campaign-name, campaign-id, whois-registrant-phone, + whois-registrant-email, whois-registrant-name, whois-registrant- + org, whois-registrar, whois-creation-date, comment, text, x509- 
@@ -898,53 +898,53 @@ Dulaunoy & Iklody Expires October 12, 2018 [Page 16] Internet-Draft MISP core format April 2018 - windows-service-displayname, comment, text, hex, x509-fingerprint- - sha1, other - - Payload installation - md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, - ssdeep, imphash, authentihash, pehash, tlsh, filename, - filename|md5, filename|sha1, filename|sha224, filename|sha256, - filename|sha384, filename|sha512, filename|sha512/224, - filename|sha512/256, filename|authentihash, filename|ssdeep, - filename|tlsh, filename|imphash, filename|pehash, mime-type, - pattern-in-file, pattern-in-traffic, pattern-in-memory, yara, - stix2-pattern, vulnerability, attachment, malware-sample, malware- - type, comment, text, hex, x509-fingerprint-sha1, mobile- - application-id, other - - Persistence mechanism - filename, regkey, regkey|value, comment, text, other, text - - Network activity - ip-src, ip-dst, hostname, domain, domain|ip, email-dst, url, uri, - user-agent, http-method, AS, snort, pattern-in-file, pattern-in- - traffic, stix2-pattern, attachment, comment, text, x509- - fingerprint-sha1, other, hex, cookie - - Payload type - comment, text, other - - Attribution - threat-actor, campaign-name, campaign-id, whois-registrant-phone, - whois-registrant-email, whois-registrant-name, whois-registrant- - org, whois-registrar, whois-creation-date, comment, text, x509- - fingerprint-sha1, other + fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, + other, dns-soa-email External analysis md5, sha1, sha256, filename, filename|md5, filename|sha1, - filename|sha256, ip-src, ip-dst, hostname, domain, domain|ip, url, - user-agent, regkey, regkey|value, AS, snort, pattern-in-file, - pattern-in-traffic, pattern-in-memory, vulnerability, attachment, - malware-sample, link, comment, text, x509-fingerprint-sha1, - github-repository, other + filename|sha256, ip-src, ip-dst, ip-dst|port, ip-src|port, mac- + address, mac-eui-64, hostname, 
domain, domain|ip, url, user-agent, + regkey, regkey|value, AS, snort, pattern-in-file, pattern-in- + traffic, pattern-in-memory, vulnerability, attachment, malware- + sample, link, comment, text, x509-fingerprint-sha1, x509- + fingerprint-md5, x509-fingerprint-sha256, github-repository, + other, cortex Financial fraud - btc, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, - phone-number, comment, text, other, hex + btc, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, + prtn, phone-number, comment, text, other, hex - Support tool - attachment, link, comment, text, other, hex + Internal reference + text, link, comment, other, hex + + Network activity + ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, + domain|ip, mac-address, mac-eui-64, email-dst, url, uri, user- + agent, http-method, AS, snort, pattern-in-file, stix2-pattern, + pattern-in-traffic, attachment, comment, text, x509-fingerprint- + sha1, other, hex, cookie, hostname|port + + Other + comment, text, other, size-in-bytes, counter, datetime, cpe, port, + float, hex, phone-number, boolean + + Payload delivery + md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, + ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename, + filename|md5, filename|sha1, filename|sha224, filename|sha256, + filename|sha384, filename|sha512, filename|sha512/224, + filename|sha512/256, filename|authentihash, filename|ssdeep, + filename|tlsh, filename|imphash, filename|impfuzzy, + filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip- + dst|port, ip-src|port, hostname, domain, email-src, email-dst, + email-subject, email-attachment, email-body, url, user-agent, AS, + pattern-in-file, pattern-in-traffic, stix2-pattern, yara, sigma, + mime-type, attachment, malware-sample, link, malware-type, + comment, text, hex, vulnerability, x509-fingerprint-sha1, x509- + fingerprint-md5, x509-fingerprint-sha256, other, hostname|port, + email-dst-display-name, 
email-src-display-name, email-header, + email-reply-to, email-x-mailer, email-mime-boundary, email-thread- @@ -954,9 +954,27 @@ Dulaunoy & Iklody Expires October 12, 2018 [Page 17] Internet-Draft MISP core format April 2018 - Social network - github-username, github-repository, github-organisation, jabber- - id, twitter-id, email-src, email-dst, comment, text, other + index, email-message-id, mobile-application-id, whois-registrant- + email + + Payload installation + md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, + ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename, + filename|md5, filename|sha1, filename|sha224, filename|sha256, + filename|sha384, filename|sha512, filename|sha512/224, + filename|sha512/256, filename|authentihash, filename|ssdeep, + filename|tlsh, filename|imphash, filename|impfuzzy, + filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in- + memory, stix2-pattern, yara, sigma, vulnerability, attachment, + malware-sample, malware-type, comment, text, hex, x509- + fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, + mobile-application-id, other, mime-type + + Payload type + comment, text, other + + Persistence mechanism + filename, regkey, regkey|value, comment, text, other, hex Person first-name, middle-name, last-name, date-of-birth, place-of-birth, 
@@ -968,14 +986,30 @@ Internet-Draft MISP core format April 2018 of-onward-foreign-destination, passenger-name-record-locator- number, comment, text, other, phone-number, identity-card-number - Other - comment, text, other, size-in-bytes, counter, datetime, cpe, port, - float, hex, phone-number + Social network + github-username, github-repository, github-organisation, jabber- + id, twitter-id, email-src, email-dst, comment, text, other, whois- + registrant-email + + Support Tool + link, text, attachment, comment, other, hex + + Targeting data + target-user, target-email, target-machine, target-org, target- + location, target-external, comment Attributes are based on the usage within their different communities. Attributes can be extended on a regular basis and this reference document is updated accordingly. + + + +Dulaunoy & Iklody Expires October 12, 2018 [Page 18] + +Internet-Draft MISP core format April 2018 + + 2.5.2.4. category category represents the intent of what the attribute is describing as @@ -1001,15 +1035,6 @@ Internet-Draft MISP core format April 2018 event_id represents a human-readable identifier referencing the Event object that the ShadowAttribute belongs to. - - - - -Dulaunoy & Iklody Expires October 12, 2018 [Page 18] - -Internet-Draft MISP core format April 2018 - - The event_id SHOULD be updated when the event is imported to reflect the newly created event's id on the instance. @@ -1031,6 +1056,16 @@ Internet-Draft MISP core format April 2018 old_id is represented as a JSON string. old_id MUST be present. + + + + + +Dulaunoy & Iklody Expires October 12, 2018 [Page 19] + +Internet-Draft MISP core format April 2018 + + 2.5.2.8. timestamp timestamp represents a reference time when the attribute was created 
@@ -1057,15 +1092,6 @@ Internet-Draft MISP core format April 2018 org_id is represented by a JSON string and MUST be present. - - - - -Dulaunoy & Iklody Expires October 12, 2018 [Page 19] - -Internet-Draft MISP core format April 2018 - - 2.5.2.11. proposal_to_delete proposal_to_delete is a boolean flag that sets whether the shadow @@ -1086,6 +1112,16 @@ Internet-Draft MISP core format April 2018 deleted is represented by a JSON boolean. deleted SHOULD be present. + + + + + +Dulaunoy & Iklody Expires October 12, 2018 [Page 20] + +Internet-Draft MISP core format April 2018 + + 2.5.2.13. data data contains the base64 encoded contents of an attachment or a @@ -1112,16 +1148,6 @@ Internet-Draft MISP core format April 2018 uuid, name and id are represented as a JSON string. uuid, name and id MUST be present. - - - - - -Dulaunoy & Iklody Expires October 12, 2018 [Page 20] - -Internet-Draft MISP core format April 2018 - - 2.5.3.1. Sample Org Object "Org": { @@ -1143,6 +1169,15 @@ Internet-Draft MISP core format April 2018 within an event. Their main purpose is to describe more complex structures than can be described by a single attribute Each object is created using an Object Template and carries the meta-data of the + + + + +Dulaunoy & Iklody Expires October 12, 2018 [Page 21] + +Internet-Draft MISP core format April 2018 + + template used for its creation within. Objects belong to a meta- category and are defined by a name. @@ -1155,29 +1190,6 @@ Internet-Draft MISP core format April 2018 2.6.1. Sample Object object - - - - - - - - - - - - - - - - - - -Dulaunoy & Iklody Expires October 12, 2018 [Page 21] - -Internet-Draft MISP core format April 2018 - - "Object": { "id": "588", "name": "file", @@ -1215,6 +1227,13 @@ Internet-Draft MISP core format April 2018 ] } + + +Dulaunoy & Iklody Expires October 12, 2018 [Page 22] + +Internet-Draft MISP core format April 2018 + + 2.6.2. Object Attributes 2.6.2.1. uuid 
@@ -1224,16 +1243,6 @@ Internet-Draft MISP core format April 2018 of the same object. UUID version 4 is RECOMMENDED when assigning it to a new object. - - - - - -Dulaunoy & Iklody Expires October 12, 2018 [Page 22] - -Internet-Draft MISP core format April 2018 - - 2.6.2.2. id id represents the human-readable identifier associated to the object @@ -1273,6 +1282,14 @@ Internet-Draft MISP core format April 2018 for creation. UUID version 4 is RECOMMENDED when assigning it to a new object. + + + +Dulaunoy & Iklody Expires October 12, 2018 [Page 23] + +Internet-Draft MISP core format April 2018 + + 2.6.2.7. template_version template_version represents a numeric incrementing version of the @@ -1283,13 +1300,6 @@ Internet-Draft MISP core format April 2018 version is represented as a JSON string. version MUST be present. - - -Dulaunoy & Iklody Expires October 12, 2018 [Page 23] - -Internet-Draft MISP core format April 2018 - - 2.6.2.8. event_id event_id represents the human-readable identifier of the event that @@ -1328,6 +1338,14 @@ Internet-Draft MISP core format April 2018 All Communities 4 + + + +Dulaunoy & Iklody Expires October 12, 2018 [Page 24] + +Internet-Draft MISP core format April 2018 + + Sharing Group 2.6.2.11. sharing_group_id @@ -1337,15 +1355,6 @@ Internet-Draft MISP core format April 2018 distribution level "4" is set. A human-readable identifier MUST be represented as an unsigned integer. - - - - -Dulaunoy & Iklody Expires October 12, 2018 [Page 24] - -Internet-Draft MISP core format April 2018 - - sharing_group_id is represented by a JSON string and SHOULD be present. If a distribution level other than "4" is chosen the sharing_group_id MUST be set to "0". @@ -1385,15 +1394,6 @@ Internet-Draft MISP core format April 2018 All Object References MUST contain an object_uuid, a referenced_uuid and a relationship type. -2.7.1. Sample ObjectReference object - - - - - - - - 
@@ -1402,6 +1402,8 @@ Dulaunoy & Iklody Expires October 12, 2018 [Page 25] Internet-Draft MISP core format April 2018 +2.7.1. Sample ObjectReference object + "ObjectReference": { "id": "195", "uuid": "59c21a2c-c0ac-4083-93b3-363da07724d1", @@ -1451,8 +1453,6 @@ Internet-Draft MISP core format April 2018 - - Dulaunoy & Iklody Expires October 12, 2018 [Page 26] Internet-Draft MISP core format April 2018
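Review bot: The `@@ -506,32 +506,8 @@` hunk starts a re-sort of the category list into alphabetical order, and the hunks that follow add new types in the same change (xmr, cortex, dns-soa-email, boolean, email-body, mac-address, mac-eui-64, port, x509-fingerprint-md5, x509-fingerprint-sha256, among others). Because whole categories appear as removed in one hunk and re-added in another, the additions cannot be read off the diff and have to be found by comparing lists by hand. Suggest splitting the reorder and the type additions into separate commits, or at least enumerating the added category/type pairs in the commit message so they can be checked against the implementation.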
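Review bot: In the `@@ -539,21 +515,45 @@` hunk the new "Network activity" entry still ends with `x509-fingerprint-sha1, other, hex, cookie, hostname|port`, while Artifacts dropped, Attribution, External analysis, Payload delivery and Payload installation all gain x509-fingerprint-md5 and x509-fingerprint-sha256 in this patch. If the omission is deliberate, fine; if not, add the two types to Network activity here and in the ShadowAttribute copy at `@@ -898,53 +898,53 @@`, which has the same gap. Within the same hunk, new types in Artifacts dropped are appended after `other` (`other, cookie, gene, mime-type`), so `other` no longer closes the list as it does in most categories; worth picking one convention.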
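Review bot: The category heading in the `@@ -618,9 +618,20 @@` hunk changes from "Support tool" to "Support Tool", and the same spelling is introduced in the ShadowAttribute copy at `@@ -968,14 +986,30 @@`. Every other category in the list capitalises only the first word (Payload delivery, Network activity, Social network, Targeting data). The paragraph above the list says the type MUST be a valid selection for the chosen category, so readers will treat these headings as the literal category values; confirm that "Support Tool" is the exact string consumers are expected to send and accept, and keep "Support tool" otherwise.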
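Review bot: The list edited under 2.5.2.3, starting at the `@@ -852,33 +868,9 @@` hunk, is a second full copy of the category-type list changed under 2.4.2, and the removed lines show the two copies had already drifted: the old Attribute copy of Attribution had no whois-registrant-org while the old ShadowAttribute copy did, and the old Artifacts dropped entries ordered `sigma, stix2-pattern, gene` in one copy and `sigma, gene, stix2-pattern` in the other. This patch brings them back in line by hand, but the next type addition can miss one copy again. Suggest having 2.5.2.3 state that the valid category-type combinations are those listed for Attribute and drop the repeated list, or generate both from one source.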