Export added

pull/6/head
Alexandre Dulaunoy 2016-10-05 09:01:33 +02:00
parent 71a1974818
commit 5789bf2990
1 changed files with 93 additions and 37 deletions

@ -70,8 +70,11 @@ Table of Contents
2.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 2
2.2. Event . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.2.1. Event Attributes . . . . . . . . . . . . . . . . . . 3
3. References . . . . . . . . . . . . . . . . . . . . . . . . . 5
3.1. Normative References . . . . . . . . . . . . . . . . . . 5
2.3. Objects . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.3.1. Org . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.3.2. Orgc . . . . . . . . . . . . . . . . . . . . . . . . 6
3. References . . . . . . . . . . . . . . . . . . . . . . . . . 6
3.1. Normative References . . . . . . . . . . . . . . . . . . 6
3.2. Informative References . . . . . . . . . . . . . . . . . 6
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 6
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6
@ -102,9 +105,6 @@ Table of Contents
A capitalized key (like Event, Org) represent a data model and a non-
capitalized key is just an attribute. This nomenclature can support
an implementation to represent the MISP format in another data
structure.
@ -114,6 +114,9 @@ Dulaunoy & Iklody Expires April 4, 2017 [Page 2]
Internet-Draft MISP core format October 2016
an implementation to represent the MISP format in another data
structure.
2.2. Event
An event is a simple meta structure scheme where attributes and meta-
@ -157,11 +160,8 @@ Internet-Draft MISP core format October 2016
info is represented as a JSON string. info MUST be present.
2.2.1.5. threat_level_id
threat_level_id represents the threat level.
0:
@ -170,6 +170,11 @@ Dulaunoy & Iklody Expires April 4, 2017 [Page 3]
Internet-Draft MISP core format October 2016
2.2.1.5. threat_level_id
threat_level_id represents the threat level.
0:
Undefined
1:
@ -197,10 +202,10 @@ Internet-Draft MISP core format October 2016
2.2.1.7. timestamp
timestamp represents a reference time when the event, or one of the
attributes within the event was created, or last updated/edited
on the instance. timestamp is expressed in seconds (decimal) since
1st of January 1970 (Unix timestamp). The time zone MUST be UTC.
timestamp represents a reference time when the event, or one of the
attributes within the event was created, or last updated/edited on
the instance. timestamp is expressed in seconds (decimal) since 1st
of January 1970 (Unix timestamp). The time zone MUST be UTC.
timestamp is represented as a JSON string. timestamp MUST be present.
@ -212,11 +217,6 @@ Internet-Draft MISP core format October 2016
each publication of an event, publish_timestamp MUST be updated. The
time zone MUST be UTC.
publish_timestamp is represented as a JSON string. publish_timestamp
MUST be present.
@ -226,21 +226,26 @@ Dulaunoy & Iklody Expires April 4, 2017 [Page 4]
Internet-Draft MISP core format October 2016
publish_timestamp is represented as a JSON string. publish_timestamp
MUST be present.
2.2.1.9. org_id
org_id represents the Universally Unique IDentifier (UUID) [RFC4122]
of the organization which generated the event. The org_id MUST be
updated when the event is generated by a new instance.
org_id represents a human-readable identifier referencing an Org
object of the organization which generated the event.
The org_id MUST be updated when the event is generated by a new
instance.
org_id is represented as a JSON string. org_id MUST be present.
2.2.1.10. orgc_id
orgc_id represents the Universally Unique IDentifier (UUID) [RFC4122]
of the organization which created the event. The orgc_id MUST be
preserved for any updates or transfer of the same event. UUID
version 4 is RECOMMENDED when assigning it to a new event. orgc_id
is globally assigned to an organization and SHALL be kept overtime.
orgc_id represents a human-readable identifier referencing an Orgc
object of the organization which created the event.
The orgc_id and Orc object MUST be preserved for any updates or
transfer of the same event.
orgc_id is represented as a JSON string. orgc_id MUST be present.
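Review bot: The new 2.2.1.10 text misspells the object name in "The orgc_id and Orc object MUST be preserved"; it should read "Orgc object". Beyond the typo, org_id and orgc_id change here from an RFC4122 UUID to "a human-readable identifier referencing an Org object", but the text does not say which member of the Org/Orgc object the value must match, or whether the value is unique outside the local instance. The old wording gave a globally assigned identifier for the creating organization. Suggest stating that the value corresponds to the id member of the referenced object and that the object's uuid remains the identifier to compare across instances.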
@ -252,6 +257,45 @@ Internet-Draft MISP core format October 2016
attribute_count is represented as a JSON string. attribute_count
SHALL be present.
2.3. Objects
2.3.1. Org
An Org object is composed of an uuid, name and id.
The uuid represents the Universally Unique IDentifier (UUID)
[RFC4122] of the organization. The uuid is globally assigned to an
organization and SHALL be kept overtime.
uuid is represented as a JSON string. uuid MUST be present.
The name is a readable description of the organization and SHOULD be
present.
Dulaunoy & Iklody Expires April 4, 2017 [Page 5]
Internet-Draft MISP core format October 2016
2.3.2. Orgc
An Orgc object is composed of an uuid, name and id.
The uuid MUST be preserved for any updates or transfer of the same
event. UUID version 4 is RECOMMENDED when assigning it to a new
event. orgc_id is globally assigned to an organization and SHALL be
kept overtime.
The name is a readable description of the organization and SHOULD be
present.
orgc_id is represented as a JSON string. orgc_id SHOULD be present.
3. References
3.1. Normative References
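Review bot: Section 2.3.2 still refers to orgc_id where it is describing the Orgc object's uuid. Both "orgc_id is globally assigned to an organization" and the closing "orgc_id is represented as a JSON string. orgc_id SHOULD be present." look carried over from the removed attribute text, and the SHOULD contradicts 2.2.1.10, which says orgc_id MUST be present. Suggest rewording both to uuid and reusing the sentence from 2.3.1 ("uuid is represented as a JSON string. uuid MUST be present."). In addition, 2.3.1 and 2.3.2 each list id as a member of the object but never define its JSON representation or requirement level, and "kept overtime" should be "kept over time" in both sections.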
@ -271,17 +315,6 @@ Internet-Draft MISP core format October 2016
DOI 10.17487/RFC4627, July 2006,
<http://www.rfc-editor.org/info/rfc4627>.
Dulaunoy & Iklody Expires April 4, 2017 [Page 5]
Internet-Draft MISP core format October 2016
3.2. Informative References
[MISP-P] MISP, , "MISP Project - Malware Information Sharing
@ -294,6 +327,17 @@ Appendix A. Acknowledgements
Authors' Addresses
Dulaunoy & Iklody Expires April 4, 2017 [Page 6]
Internet-Draft MISP core format October 2016
Alexandre Dulaunoy
Computer Incident Response Center Luxembourg
41, avenue de la gare
@ -333,4 +377,16 @@ Authors' Addresses
Dulaunoy & Iklody Expires April 4, 2017 [Page 6]
Dulaunoy & Iklody Expires April 4, 2017 [Page 7]