add: text export added

pull/19/merge
Alexandre Dulaunoy 2018-08-08 16:15:55 +02:00
parent bba9452d4e
commit 3852ded49a
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
1 changed file with 274 additions and 274 deletions


@ -76,15 +76,15 @@ Table of Contents
2.4. Attribute . . . . . . . . . . . . . . . . . . . . . . . . 8 2.4. Attribute . . . . . . . . . . . . . . . . . . . . . . . . 8
2.4.1. Sample Attribute Object . . . . . . . . . . . . . . . 8 2.4.1. Sample Attribute Object . . . . . . . . . . . . . . . 8
2.4.2. Attribute Attributes . . . . . . . . . . . . . . . . 9 2.4.2. Attribute Attributes . . . . . . . . . . . . . . . . 9
2.5. ShadowAttribute . . . . . . . . . . . . . . . . . . . . . 14 2.5. ShadowAttribute . . . . . . . . . . . . . . . . . . . . . 15
2.5.1. Sample Attribute Object . . . . . . . . . . . . . . . 15 2.5.1. Sample Attribute Object . . . . . . . . . . . . . . . 15
2.5.2. ShadowAttribute Attributes . . . . . . . . . . . . . 15 2.5.2. ShadowAttribute Attributes . . . . . . . . . . . . . 15
2.5.3. Org . . . . . . . . . . . . . . . . . . . . . . . . . 20 2.5.3. Org . . . . . . . . . . . . . . . . . . . . . . . . . 21
2.6. Object . . . . . . . . . . . . . . . . . . . . . . . . . 21 2.6. Object . . . . . . . . . . . . . . . . . . . . . . . . . 21
2.6.1. Sample Object object . . . . . . . . . . . . . . . . 21 2.6.1. Sample Object object . . . . . . . . . . . . . . . . 22
2.6.2. Object Attributes . . . . . . . . . . . . . . . . . . 22 2.6.2. Object Attributes . . . . . . . . . . . . . . . . . . 23
2.7. Object References . . . . . . . . . . . . . . . . . . . . 25 2.7. Object References . . . . . . . . . . . . . . . . . . . . 25
2.7.1. Sample ObjectReference object . . . . . . . . . . . . 25 2.7.1. Sample ObjectReference object . . . . . . . . . . . . 26
2.7.2. ObjectReference Attributes . . . . . . . . . . . . . 26 2.7.2. ObjectReference Attributes . . . . . . . . . . . . . 26
2.8. Tag . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 2.8. Tag . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
2.8.1. Sample Tag . . . . . . . . . . . . . . . . . . . . . 28 2.8.1. Sample Tag . . . . . . . . . . . . . . . . . . . . . 28
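Review bot: the TOC entry "2.5.1. Sample Attribute Object" (unchanged on both sides of this hunk) is listed under "2.5. ShadowAttribute" but still carries the 2.4.1 title; since this line is being regenerated anyway, rename it (and the section heading it is generated from) to "Sample ShadowAttribute Object" so it no longer reads as a copy of 2.4.1.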
@ -497,7 +497,7 @@ Internet-Draft MISP core format April 2018
MUST be a valid selection for the chosen category. The list of valid MUST be a valid selection for the chosen category. The list of valid
category-type combinations is as follows: category-type combinations is as follows:
Internal reference Antivirus detection
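Review bot: the commit message "add: text export added" does not describe the change that starts in this hunk: the category-type list is being re-sorted alphabetically (old first entry "Internal reference", new first entry "Antivirus detection") and the following hunks add new types to several categories. Name the re-sort and the added types in the message so the draft's history records where the allowed type list changed, not just that a text rendering was regenerated.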
@ -506,32 +506,8 @@ Dulaunoy & Iklody Expires October 12, 2018 [Page 9]
Internet-Draft MISP core format April 2018 Internet-Draft MISP core format April 2018
text, link, comment, other, hex
Targeting data
target-user, target-email, target-machine, target-org, target-
location, target-external, comment
Antivirus detection
link, comment, text, hex, attachment, other link, comment, text, hex, attachment, other
Payload delivery
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename,
filename|md5, filename|sha1, filename|sha224, filename|sha256,
filename|sha384, filename|sha512, filename|sha512/224,
filename|sha512/256, filename|authentihash, filename|ssdeep,
filename|tlsh, filename|imphash, filename|impfuzzy,
filename|pehash, ip-src, ip-dst, hostname, domain, email-src,
email-dst, email-subject, email-attachment, url, user-agent, AS,
pattern-in-file, pattern-in-traffic, yara, attachment, malware-
sample, link, malware-type, mime-type, comment, text,
vulnerability, x509-fingerprint-sha1, other, ip-dst|port, ip-
src|port, hostname|port, email-dst-display-name, email-src-
display-name, email-header, email-reply-to, email-x-mailer, email-
mime-boundary, email-thread-index, email-message-id, mobile-
application-id
Artifacts dropped Artifacts dropped
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
ssdeep, imphash, impfuzzy, authentihash, filename, filename|md5, ssdeep, imphash, impfuzzy, authentihash, filename, filename|md5,
@ -539,21 +515,45 @@ Internet-Draft MISP core format April 2018
filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha512, filename|sha512/224, filename|sha512/256,
filename|authentihash, filename|ssdeep, filename|tlsh, filename|authentihash, filename|ssdeep, filename|tlsh,
filename|imphash, filename|impfuzzy, filename|pehash, regkey, filename|imphash, filename|impfuzzy, filename|pehash, regkey,
regkey|value, pattern-in-file, pattern-in-memory, pdb, yara, regkey|value, pattern-in-file, pattern-in-memory, pdb,
sigma, stix2-pattern, gene, attachment, malware-sample, mime-type, stix2-pattern, yara, sigma, attachment, malware-sample, named
named pipe, mutex, windows-scheduled-task, windows-service-name, pipe, mutex, windows-scheduled-task, windows-service-name,
windows-service-displayname, comment, text, hex, x509-fingerprint- windows-service-displayname, comment, text, hex, x509-fingerprint-
sha1, other sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other,
cookie, gene, mime-type
Payload installation Attribution
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, threat-actor, campaign-name, campaign-id, whois-registrant-phone,
ssdeep, imphash, authentihash, pehash, tlsh, filename, whois-registrant-email, whois-registrant-name, whois-registrant-
filename|md5, filename|sha1, filename|sha224, filename|sha256, org, whois-registrar, whois-creation-date, comment, text, x509-
filename|sha384, filename|sha512, filename|sha512/224, fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256,
filename|sha512/256, filename|authentihash, filename|ssdeep, other, dns-soa-email
filename|tlsh, filename|imphash, filename|pehash, pattern-in-file,
mime-type, pattern-in-traffic, pattern-in-memory, yara, External analysis
stix2-pattern, vulnerability, attachment, malware-sample, malware- md5, sha1, sha256, filename, filename|md5, filename|sha1,
filename|sha256, ip-src, ip-dst, ip-dst|port, ip-src|port, mac-
address, mac-eui-64, hostname, domain, domain|ip, url, user-agent,
regkey, regkey|value, AS, snort, pattern-in-file, pattern-in-
traffic, pattern-in-memory, vulnerability, attachment, malware-
sample, link, comment, text, x509-fingerprint-sha1, x509-
fingerprint-md5, x509-fingerprint-sha256, github-repository,
other, cortex
Financial fraud
btc, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number,
prtn, phone-number, comment, text, other, hex
Internal reference
text, link, comment, other, hex
Network activity
ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain,
domain|ip, mac-address, mac-eui-64, email-dst, url, uri, user-
agent, http-method, AS, snort, pattern-in-file, stix2-pattern,
pattern-in-traffic, attachment, comment, text, x509-fingerprint-
sha1, other, hex, cookie, hostname|port
Other
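Review bot: several types appear here for the first time with nothing else in the diff introducing or describing them: "x509-fingerprint-md5", "x509-fingerprint-sha256", "cookie" (in "Artifacts dropped"), "whois-registrant-org" and "dns-soa-email" (in "Attribution"), "mac-address", "mac-eui-64" and "cortex" (in "External analysis"), "xmr" (in "Financial fraud"), and "port" and "hostname|port" (in "Network activity"). Implementations validate attributes against these category-type lists, so each newly permitted combination is a behavioural change; list the additions in the commit message or in the text around the list so consumers can tell a new type from a reordered one.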
@ -562,44 +562,46 @@ Dulaunoy & Iklody Expires October 12, 2018 [Page 10]
Internet-Draft MISP core format April 2018 Internet-Draft MISP core format April 2018
type, comment, text, hex, x509-fingerprint-sha1, mobile- comment, text, other, size-in-bytes, counter, datetime, cpe, port,
application-id, other float, hex, phone-number, boolean
Persistence mechanism Payload delivery
filename, regkey, regkey|value, comment, text, other, text md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename,
filename|md5, filename|sha1, filename|sha224, filename|sha256,
filename|sha384, filename|sha512, filename|sha512/224,
filename|sha512/256, filename|authentihash, filename|ssdeep,
filename|tlsh, filename|imphash, filename|impfuzzy,
filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-
dst|port, ip-src|port, hostname, domain, email-src, email-dst,
email-subject, email-attachment, email-body, url, user-agent, AS,
pattern-in-file, pattern-in-traffic, stix2-pattern, yara, sigma,
mime-type, attachment, malware-sample, link, malware-type,
comment, text, hex, vulnerability, x509-fingerprint-sha1, x509-
fingerprint-md5, x509-fingerprint-sha256, other, hostname|port,
email-dst-display-name, email-src-display-name, email-header,
email-reply-to, email-x-mailer, email-mime-boundary, email-thread-
index, email-message-id, mobile-application-id, whois-registrant-
email
Network activity Payload installation
ip-src, ip-dst, hostname, domain, domain|ip, email-dst, url, uri, md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
user-agent, http-method, AS, snort, pattern-in-file, pattern-in- ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename,
traffic, stix2-pattern, attachment, comment, text, x509- filename|md5, filename|sha1, filename|sha224, filename|sha256,
fingerprint-sha1, other, hex, cookie filename|sha384, filename|sha512, filename|sha512/224,
filename|sha512/256, filename|authentihash, filename|ssdeep,
filename|tlsh, filename|imphash, filename|impfuzzy,
filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-
memory, stix2-pattern, yara, sigma, vulnerability, attachment,
malware-sample, malware-type, comment, text, hex, x509-
fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256,
mobile-application-id, other, mime-type
Payload type Payload type
comment, text, other comment, text, other
Attribution Persistence mechanism
threat-actor, campaign-name, campaign-id, whois-registrant-phone, filename, regkey, regkey|value, comment, text, other, hex
whois-registrant-email, whois-registrant-name, whois-registrar,
whois-creation-date, comment, text, x509-fingerprint-sha1, other
External analysis
md5, sha1, sha256, filename, filename|md5, filename|sha1,
filename|sha256, ip-src, ip-dst, hostname, domain, domain|ip, url,
user-agent, regkey, regkey|value, AS, snort, pattern-in-file,
pattern-in-traffic, pattern-in-memory, vulnerability, attachment,
malware-sample, link, comment, text, x509-fingerprint-sha1,
github-repository, other
Financial fraud
btc, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn,
phone-number, comment, text, other, hex
Support tool
attachment, link, comment, text, other, hex
Social network
github-username, github-repository, github-organisation, jabber-
id, twitter-id, email-src, email-dst, comment, text, other
Person Person
first-name, middle-name, last-name, date-of-birth, place-of-birth, first-name, middle-name, last-name, date-of-birth, place-of-birth,
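Review bot: the old "Persistence mechanism" list ended with a duplicated "text" ("filename, regkey, regkey|value, comment, text, other, text"); the new list reads "comment, text, other, hex", which removes the duplicate but also newly permits "hex" for that category, so this is a change to the allowed combinations and not only a typo fix. In the same hunk "Other" gains "boolean" and "Payload delivery" gains "email-body"; both deserve the same mention.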
@ -608,8 +610,6 @@ Internet-Draft MISP core format April 2018
primary-residence, country-of-residence, special-service-request, primary-residence, country-of-residence, special-service-request,
frequent-flyer-number, travel-details, payment-details, place- frequent-flyer-number, travel-details, payment-details, place-
port-of-original-embarkation, place-port-of-clearance, place-port- port-of-original-embarkation, place-port-of-clearance, place-port-
of-onward-foreign-destination, passenger-name-record-locator-
number, comment, text, other, phone-number, identity-card-number
@ -618,9 +618,20 @@ Dulaunoy & Iklody Expires October 12, 2018 [Page 11]
Internet-Draft MISP core format April 2018 Internet-Draft MISP core format April 2018
Other of-onward-foreign-destination, passenger-name-record-locator-
comment, text, other, size-in-bytes, counter, datetime, cpe, port, number, comment, text, other, phone-number, identity-card-number
float, hex, phone-number
Social network
github-username, github-repository, github-organisation, jabber-
id, twitter-id, email-src, email-dst, comment, text, other, whois-
registrant-email
Support Tool
link, text, attachment, comment, other, hex
Targeting data
target-user, target-email, target-machine, target-org, target-
location, target-external, comment
Attributes are based on the usage within their different communities. Attributes are based on the usage within their different communities.
Attributes can be extended on a regular basis and this reference Attributes can be extended on a regular basis and this reference
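Review bot: "Support Tool" on the new side capitalises the second word, unlike the old "Support tool" and unlike every other two-word category on the page ("Payload delivery", "Network activity", "Financial fraud", "Targeting data", "Social network"); keep the lowercase form, since the category name is the string implementations match on. The membership of that list is unchanged and only reordered ("link, text, attachment, comment, other, hex" versus "attachment, link, comment, text, other, hex"), which adds diff noise without changing meaning.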
@ -656,6 +667,13 @@ Internet-Draft MISP core format April 2018
event_id is represented as a JSON string. event_id MUST be present. event_id is represented as a JSON string. event_id MUST be present.
Dulaunoy & Iklody Expires October 12, 2018 [Page 12]
Internet-Draft MISP core format April 2018
2.4.2.7. distribution 2.4.2.7. distribution
distribution represents the basic distribution rules of the distribution represents the basic distribution rules of the
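Review bot: this hunk and the run of hunks that follow, down to the next list change, move only the "Dulaunoy & Iklody Expires October 12, 2018 [Page N]" footer and "Internet-Draft MISP core format April 2018" header lines; they are repagination caused by the longer type lists and carry no content, but they bury the real changes in a 274-line diff. Consider committing the regenerated text export separately from the content change, or reviewing the draft's source file rather than the rendered text.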
@ -666,14 +684,6 @@ Internet-Draft MISP core format April 2018
present and be one of the following options: present and be one of the following options:
0 0
Dulaunoy & Iklody Expires October 12, 2018 [Page 12]
Internet-Draft MISP core format April 2018
Your Organisation Only Your Organisation Only
1 1
@ -712,6 +722,14 @@ Internet-Draft MISP core format April 2018
if distribution level "4" is set. A human-readable identifier MUST if distribution level "4" is set. A human-readable identifier MUST
be represented as an unsigned integer. be represented as an unsigned integer.
Dulaunoy & Iklody Expires October 12, 2018 [Page 13]
Internet-Draft MISP core format April 2018
sharing_group_id is represented by a JSON string and SHOULD be sharing_group_id is represented by a JSON string and SHOULD be
present. If a distribution level other than "4" is chosen the present. If a distribution level other than "4" is chosen the
sharing_group_id MUST be set to "0". sharing_group_id MUST be set to "0".
@ -722,14 +740,6 @@ Internet-Draft MISP core format April 2018
Revoked attributes are not actionable and exist merely to inform Revoked attributes are not actionable and exist merely to inform
other instances of a revocation. other instances of a revocation.
Dulaunoy & Iklody Expires October 12, 2018 [Page 13]
Internet-Draft MISP core format April 2018
deleted is represented by a JSON boolean. deleted MUST be present. deleted is represented by a JSON boolean. deleted MUST be present.
2.4.2.12. data 2.4.2.12. data
@ -766,6 +776,16 @@ Internet-Draft MISP core format April 2018
containing attribute's ID in the old_id field and the event's ID in containing attribute's ID in the old_id field and the event's ID in
the event_id field. the event_id field.
Dulaunoy & Iklody Expires October 12, 2018 [Page 14]
Internet-Draft MISP core format April 2018
2.4.2.15. value 2.4.2.15. value
value represents the payload of an attribute. The format of the value represents the payload of an attribute. The format of the
@ -778,14 +798,6 @@ Internet-Draft MISP core format April 2018
ShadowAttributes are 3rd party created attributes that either propose ShadowAttributes are 3rd party created attributes that either propose
to add new information to an event or modify existing information. to add new information to an event or modify existing information.
They are not meant to be actionable until the event creator accepts They are not meant to be actionable until the event creator accepts
Dulaunoy & Iklody Expires October 12, 2018 [Page 14]
Internet-Draft MISP core format April 2018
them - at which point they will be converted into attributes or them - at which point they will be converted into attributes or
modify an existing attribute. modify an existing attribute.
@ -818,6 +830,18 @@ Internet-Draft MISP core format April 2018
2.5.2. ShadowAttribute Attributes 2.5.2. ShadowAttribute Attributes
Dulaunoy & Iklody Expires October 12, 2018 [Page 15]
Internet-Draft MISP core format April 2018
2.5.2.1. uuid 2.5.2.1. uuid
uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of
@ -834,14 +858,6 @@ Internet-Draft MISP core format April 2018
represented as an unsigned integer. id is represented as a JSON represented as an unsigned integer. id is represented as a JSON
string. id SHALL be present. string. id SHALL be present.
Dulaunoy & Iklody Expires October 12, 2018 [Page 15]
Internet-Draft MISP core format April 2018
2.5.2.3. type 2.5.2.3. type
type represents the means through which an attribute tries to type represents the means through which an attribute tries to
@ -852,33 +868,9 @@ Internet-Draft MISP core format April 2018
MUST be a valid selection for the chosen category. The list of valid MUST be a valid selection for the chosen category. The list of valid
category-type combinations is as follows: category-type combinations is as follows:
Internal reference
text, link, comment, other, hex
Targeting data
target-user, target-email, target-machine, target-org, target-
location, target-external, comment
Antivirus detection Antivirus detection
link, comment, text, hex, attachment, other link, comment, text, hex, attachment, other
Payload delivery
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename,
filename|md5, filename|sha1, filename|sha224, filename|sha256,
filename|sha384, filename|sha512, filename|sha512/224,
filename|sha512/256, filename|authentihash, filename|ssdeep,
filename|tlsh, filename|imphash, filename|impfuzzy,
filename|pehash, ip-src, ip-dst, hostname, domain, email-src,
email-dst, email-subject, email-attachment, url, user-agent, AS,
pattern-in-file, pattern-in-traffic, yara, attachment, malware-
sample, link, malware-type, mime-type, comment, text,
vulnerability, x509-fingerprint-sha1, other, ip-dst|port, ip-
src|port, hostname|port, email-dst-display-name, email-src-
display-name, email-header, email-reply-to, email-x-mailer, email-
mime-boundary, email-thread-index, email-message-id, mobile-
application-id
Artifacts dropped Artifacts dropped
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
ssdeep, imphash, impfuzzy, authentihash, filename, filename|md5, ssdeep, imphash, impfuzzy, authentihash, filename, filename|md5,
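Review bot: the list starting here (section 2.5.2.3, the ShadowAttribute "type" field) is a verbatim copy of the 2.4.2.3 list edited earlier in this diff, and every change is applied a second time; if the draft's source can reference the earlier list instead of repeating it, do that, otherwise the two copies will keep drifting apart and validators built from one section will disagree with the other.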
@ -886,9 +878,17 @@ Internet-Draft MISP core format April 2018
filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha512, filename|sha512/224, filename|sha512/256,
filename|authentihash, filename|ssdeep, filename|tlsh, filename|authentihash, filename|ssdeep, filename|tlsh,
filename|imphash, filename|impfuzzy, filename|pehash, regkey, filename|imphash, filename|impfuzzy, filename|pehash, regkey,
regkey|value, pattern-in-file, pattern-in-memory, pdb, yara, regkey|value, pattern-in-file, pattern-in-memory, pdb,
sigma, gene, stix2-pattern, attachment, malware-sample, mime-type, stix2-pattern, yara, sigma, attachment, malware-sample, named
named pipe, mutex, windows-scheduled-task, windows-service-name, pipe, mutex, windows-scheduled-task, windows-service-name,
windows-service-displayname, comment, text, hex, x509-fingerprint-
sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other,
cookie, gene, mime-type
Attribution
threat-actor, campaign-name, campaign-id, whois-registrant-phone,
whois-registrant-email, whois-registrant-name, whois-registrant-
org, whois-registrar, whois-creation-date, comment, text, x509-
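Review bot: the old text shows the two copies had already diverged: in "Artifacts dropped" the 2.4.2.3 copy read "sigma, stix2-pattern, gene, attachment" while this copy read "sigma, gene, stix2-pattern, attachment". The new text makes both read "pdb, stix2-pattern, yara, sigma, attachment", which is the right outcome, but it confirms that the duplicated list needs a single source rather than manual synchronisation.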
@ -898,53 +898,53 @@ Dulaunoy & Iklody Expires October 12, 2018 [Page 16]
Internet-Draft MISP core format April 2018 Internet-Draft MISP core format April 2018
windows-service-displayname, comment, text, hex, x509-fingerprint- fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256,
sha1, other other, dns-soa-email
Payload installation
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
ssdeep, imphash, authentihash, pehash, tlsh, filename,
filename|md5, filename|sha1, filename|sha224, filename|sha256,
filename|sha384, filename|sha512, filename|sha512/224,
filename|sha512/256, filename|authentihash, filename|ssdeep,
filename|tlsh, filename|imphash, filename|pehash, mime-type,
pattern-in-file, pattern-in-traffic, pattern-in-memory, yara,
stix2-pattern, vulnerability, attachment, malware-sample, malware-
type, comment, text, hex, x509-fingerprint-sha1, mobile-
application-id, other
Persistence mechanism
filename, regkey, regkey|value, comment, text, other, text
Network activity
ip-src, ip-dst, hostname, domain, domain|ip, email-dst, url, uri,
user-agent, http-method, AS, snort, pattern-in-file, pattern-in-
traffic, stix2-pattern, attachment, comment, text, x509-
fingerprint-sha1, other, hex, cookie
Payload type
comment, text, other
Attribution
threat-actor, campaign-name, campaign-id, whois-registrant-phone,
whois-registrant-email, whois-registrant-name, whois-registrant-
org, whois-registrar, whois-creation-date, comment, text, x509-
fingerprint-sha1, other
External analysis External analysis
md5, sha1, sha256, filename, filename|md5, filename|sha1, md5, sha1, sha256, filename, filename|md5, filename|sha1,
filename|sha256, ip-src, ip-dst, hostname, domain, domain|ip, url, filename|sha256, ip-src, ip-dst, ip-dst|port, ip-src|port, mac-
user-agent, regkey, regkey|value, AS, snort, pattern-in-file, address, mac-eui-64, hostname, domain, domain|ip, url, user-agent,
pattern-in-traffic, pattern-in-memory, vulnerability, attachment, regkey, regkey|value, AS, snort, pattern-in-file, pattern-in-
malware-sample, link, comment, text, x509-fingerprint-sha1, traffic, pattern-in-memory, vulnerability, attachment, malware-
github-repository, other sample, link, comment, text, x509-fingerprint-sha1, x509-
fingerprint-md5, x509-fingerprint-sha256, github-repository,
other, cortex
Financial fraud Financial fraud
btc, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, btc, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number,
phone-number, comment, text, other, hex prtn, phone-number, comment, text, other, hex
Support tool Internal reference
attachment, link, comment, text, other, hex text, link, comment, other, hex
Network activity
ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain,
domain|ip, mac-address, mac-eui-64, email-dst, url, uri, user-
agent, http-method, AS, snort, pattern-in-file, stix2-pattern,
pattern-in-traffic, attachment, comment, text, x509-fingerprint-
sha1, other, hex, cookie, hostname|port
Other
comment, text, other, size-in-bytes, counter, datetime, cpe, port,
float, hex, phone-number, boolean
Payload delivery
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename,
filename|md5, filename|sha1, filename|sha224, filename|sha256,
filename|sha384, filename|sha512, filename|sha512/224,
filename|sha512/256, filename|authentihash, filename|ssdeep,
filename|tlsh, filename|imphash, filename|impfuzzy,
filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-
dst|port, ip-src|port, hostname, domain, email-src, email-dst,
email-subject, email-attachment, email-body, url, user-agent, AS,
pattern-in-file, pattern-in-traffic, stix2-pattern, yara, sigma,
mime-type, attachment, malware-sample, link, malware-type,
comment, text, hex, vulnerability, x509-fingerprint-sha1, x509-
fingerprint-md5, x509-fingerprint-sha256, other, hostname|port,
email-dst-display-name, email-src-display-name, email-header,
email-reply-to, email-x-mailer, email-mime-boundary, email-thread-
@ -954,9 +954,27 @@ Dulaunoy & Iklody Expires October 12, 2018 [Page 17]
Internet-Draft MISP core format April 2018 Internet-Draft MISP core format April 2018
Social network index, email-message-id, mobile-application-id, whois-registrant-
github-username, github-repository, github-organisation, jabber- email
id, twitter-id, email-src, email-dst, comment, text, other
Payload installation
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename,
filename|md5, filename|sha1, filename|sha224, filename|sha256,
filename|sha384, filename|sha512, filename|sha512/224,
filename|sha512/256, filename|authentihash, filename|ssdeep,
filename|tlsh, filename|imphash, filename|impfuzzy,
filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-
memory, stix2-pattern, yara, sigma, vulnerability, attachment,
malware-sample, malware-type, comment, text, hex, x509-
fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256,
mobile-application-id, other, mime-type
Payload type
comment, text, other
Persistence mechanism
filename, regkey, regkey|value, comment, text, other, hex
Person Person
first-name, middle-name, last-name, date-of-birth, place-of-birth, first-name, middle-name, last-name, date-of-birth, place-of-birth,
@ -968,14 +986,30 @@ Internet-Draft MISP core format April 2018
of-onward-foreign-destination, passenger-name-record-locator- of-onward-foreign-destination, passenger-name-record-locator-
number, comment, text, other, phone-number, identity-card-number number, comment, text, other, phone-number, identity-card-number
Other Social network
comment, text, other, size-in-bytes, counter, datetime, cpe, port, github-username, github-repository, github-organisation, jabber-
float, hex, phone-number id, twitter-id, email-src, email-dst, comment, text, other, whois-
registrant-email
Support Tool
link, text, attachment, comment, other, hex
Targeting data
target-user, target-email, target-machine, target-org, target-
location, target-external, comment
Attributes are based on the usage within their different communities. Attributes are based on the usage within their different communities.
Attributes can be extended on a regular basis and this reference Attributes can be extended on a regular basis and this reference
document is updated accordingly. document is updated accordingly.
Dulaunoy & Iklody Expires October 12, 2018 [Page 18]
Internet-Draft MISP core format April 2018
2.5.2.4. category 2.5.2.4. category
category represents the intent of what the attribute is describing as category represents the intent of what the attribute is describing as
@ -1001,15 +1035,6 @@ Internet-Draft MISP core format April 2018
event_id represents a human-readable identifier referencing the Event event_id represents a human-readable identifier referencing the Event
object that the ShadowAttribute belongs to. object that the ShadowAttribute belongs to.
Dulaunoy & Iklody Expires October 12, 2018 [Page 18]
Internet-Draft MISP core format April 2018
The event_id SHOULD be updated when the event is imported to reflect The event_id SHOULD be updated when the event is imported to reflect
the newly created event's id on the instance. the newly created event's id on the instance.
@ -1031,6 +1056,16 @@ Internet-Draft MISP core format April 2018
old_id is represented as a JSON string. old_id MUST be present. old_id is represented as a JSON string. old_id MUST be present.
Dulaunoy & Iklody Expires October 12, 2018 [Page 19]
Internet-Draft MISP core format April 2018
2.5.2.8. timestamp 2.5.2.8. timestamp
timestamp represents a reference time when the attribute was created timestamp represents a reference time when the attribute was created
@ -1057,15 +1092,6 @@ Internet-Draft MISP core format April 2018
org_id is represented by a JSON string and MUST be present. org_id is represented by a JSON string and MUST be present.
Dulaunoy & Iklody Expires October 12, 2018 [Page 19]
Internet-Draft MISP core format April 2018
2.5.2.11. proposal_to_delete 2.5.2.11. proposal_to_delete
proposal_to_delete is a boolean flag that sets whether the shadow proposal_to_delete is a boolean flag that sets whether the shadow
@ -1086,6 +1112,16 @@ Internet-Draft MISP core format April 2018
deleted is represented by a JSON boolean. deleted SHOULD be present. deleted is represented by a JSON boolean. deleted SHOULD be present.
Dulaunoy & Iklody Expires October 12, 2018 [Page 20]
Internet-Draft MISP core format April 2018
2.5.2.13. data 2.5.2.13. data
data contains the base64 encoded contents of an attachment or a data contains the base64 encoded contents of an attachment or a
@ -1112,16 +1148,6 @@ Internet-Draft MISP core format April 2018
uuid, name and id are represented as a JSON string. uuid, name and id uuid, name and id are represented as a JSON string. uuid, name and id
MUST be present. MUST be present.
Dulaunoy & Iklody Expires October 12, 2018 [Page 20]
Internet-Draft MISP core format April 2018
2.5.3.1. Sample Org Object 2.5.3.1. Sample Org Object
"Org": { "Org": {
@ -1143,6 +1169,15 @@ Internet-Draft MISP core format April 2018
within an event. Their main purpose is to describe more complex within an event. Their main purpose is to describe more complex
structures than can be described by a single attribute Each object is structures than can be described by a single attribute Each object is
created using an Object Template and carries the meta-data of the created using an Object Template and carries the meta-data of the
Dulaunoy & Iklody Expires October 12, 2018 [Page 21]
Internet-Draft MISP core format April 2018
template used for its creation within. Objects belong to a meta- template used for its creation within. Objects belong to a meta-
category and are defined by a name. category and are defined by a name.
@ -1155,29 +1190,6 @@ Internet-Draft MISP core format April 2018
2.6.1. Sample Object object 2.6.1. Sample Object object
Dulaunoy & Iklody Expires October 12, 2018 [Page 21]
Internet-Draft MISP core format April 2018
"Object": { "Object": {
"id": "588", "id": "588",
"name": "file", "name": "file",
@ -1215,6 +1227,13 @@ Internet-Draft MISP core format April 2018
] ]
} }
Dulaunoy & Iklody Expires October 12, 2018 [Page 22]
Internet-Draft MISP core format April 2018
2.6.2. Object Attributes 2.6.2. Object Attributes
2.6.2.1. uuid 2.6.2.1. uuid
@ -1224,16 +1243,6 @@ Internet-Draft MISP core format April 2018
of the same object. UUID version 4 is RECOMMENDED when assigning it of the same object. UUID version 4 is RECOMMENDED when assigning it
to a new object. to a new object.
Dulaunoy & Iklody Expires October 12, 2018 [Page 22]
Internet-Draft MISP core format April 2018
2.6.2.2. id 2.6.2.2. id
id represents the human-readable identifier associated to the object id represents the human-readable identifier associated to the object
@ -1273,6 +1282,14 @@ Internet-Draft MISP core format April 2018
for creation. UUID version 4 is RECOMMENDED when assigning it to a for creation. UUID version 4 is RECOMMENDED when assigning it to a
new object. new object.
Dulaunoy & Iklody Expires October 12, 2018 [Page 23]
Internet-Draft MISP core format April 2018
2.6.2.7. template_version 2.6.2.7. template_version
template_version represents a numeric incrementing version of the template_version represents a numeric incrementing version of the
@ -1283,13 +1300,6 @@ Internet-Draft MISP core format April 2018
version is represented as a JSON string. version MUST be present. version is represented as a JSON string. version MUST be present.
Dulaunoy & Iklody Expires October 12, 2018 [Page 23]
Internet-Draft MISP core format April 2018
2.6.2.8. event_id 2.6.2.8. event_id
event_id represents the human-readable identifier of the event that event_id represents the human-readable identifier of the event that
@ -1328,6 +1338,14 @@ Internet-Draft MISP core format April 2018
All Communities All Communities
4 4
Dulaunoy & Iklody Expires October 12, 2018 [Page 24]
Internet-Draft MISP core format April 2018
Sharing Group Sharing Group
2.6.2.11. sharing_group_id 2.6.2.11. sharing_group_id
@ -1337,15 +1355,6 @@ Internet-Draft MISP core format April 2018
distribution level "4" is set. A human-readable identifier MUST be distribution level "4" is set. A human-readable identifier MUST be
represented as an unsigned integer. represented as an unsigned integer.
Dulaunoy & Iklody Expires October 12, 2018 [Page 24]
Internet-Draft MISP core format April 2018
sharing_group_id is represented by a JSON string and SHOULD be sharing_group_id is represented by a JSON string and SHOULD be
present. If a distribution level other than "4" is chosen the present. If a distribution level other than "4" is chosen the
sharing_group_id MUST be set to "0". sharing_group_id MUST be set to "0".
@ -1385,15 +1394,6 @@ Internet-Draft MISP core format April 2018
All Object References MUST contain an object_uuid, a referenced_uuid All Object References MUST contain an object_uuid, a referenced_uuid
and a relationship type. and a relationship type.
2.7.1. Sample ObjectReference object
@ -1402,6 +1402,8 @@ Dulaunoy & Iklody Expires October 12, 2018 [Page 25]
Internet-Draft MISP core format April 2018 Internet-Draft MISP core format April 2018
2.7.1. Sample ObjectReference object
"ObjectReference": { "ObjectReference": {
"id": "195", "id": "195",
"uuid": "59c21a2c-c0ac-4083-93b3-363da07724d1", "uuid": "59c21a2c-c0ac-4083-93b3-363da07724d1",
@ -1451,8 +1453,6 @@ Internet-Draft MISP core format April 2018
Dulaunoy & Iklody Expires October 12, 2018 [Page 26] Dulaunoy & Iklody Expires October 12, 2018 [Page 26]
Internet-Draft MISP core format April 2018 Internet-Draft MISP core format April 2018