Export added

pull/6/head
Alexandre Dulaunoy 2016-10-05 09:01:33 +02:00
parent 71a1974818
commit 5789bf2990
1 changed files with 93 additions and 37 deletions

@ -70,8 +70,11 @@ Table of Contents
2.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 2 2.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 2
2.2. Event . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2.2. Event . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.2.1. Event Attributes . . . . . . . . . . . . . . . . . . 3 2.2.1. Event Attributes . . . . . . . . . . . . . . . . . . 3
3. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 2.3. Objects . . . . . . . . . . . . . . . . . . . . . . . . . 5
3.1. Normative References . . . . . . . . . . . . . . . . . . 5 2.3.1. Org . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.3.2. Orgc . . . . . . . . . . . . . . . . . . . . . . . . 6
3. References . . . . . . . . . . . . . . . . . . . . . . . . . 6
3.1. Normative References . . . . . . . . . . . . . . . . . . 6
3.2. Informative References . . . . . . . . . . . . . . . . . 6 3.2. Informative References . . . . . . . . . . . . . . . . . 6
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 6 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 6
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6
@ -102,9 +105,6 @@ Table of Contents
A capitalized key (like Event, Org) represent a data model and a non- A capitalized key (like Event, Org) represent a data model and a non-
capitalized key is just an attribute. This nomenclature can support capitalized key is just an attribute. This nomenclature can support
an implementation to represent the MISP format in another data
structure.
@ -114,6 +114,9 @@ Dulaunoy & Iklody Expires April 4, 2017 [Page 2]
Internet-Draft MISP core format October 2016 Internet-Draft MISP core format October 2016
an implementation to represent the MISP format in another data
structure.
2.2. Event 2.2. Event
An event is a simple meta structure scheme where attributes and meta- An event is a simple meta structure scheme where attributes and meta-
@ -157,11 +160,8 @@ Internet-Draft MISP core format October 2016
info is represented as a JSON string. info MUST be present. info is represented as a JSON string. info MUST be present.
2.2.1.5. threat_level_id
threat_level_id represents the threat level.
0:
@ -170,6 +170,11 @@ Dulaunoy & Iklody Expires April 4, 2017 [Page 3]
Internet-Draft MISP core format October 2016 Internet-Draft MISP core format October 2016
2.2.1.5. threat_level_id
threat_level_id represents the threat level.
0:
Undefined Undefined
1: 1:
@ -197,10 +202,10 @@ Internet-Draft MISP core format October 2016
2.2.1.7. timestamp 2.2.1.7. timestamp
timestamp represents a reference time when the event, or one of the timestamp represents a reference time when the event, or one of the
attributes within the event was created, or last updated/edited attributes within the event was created, or last updated/edited on
on the instance. timestamp is expressed in seconds (decimal) since the instance. timestamp is expressed in seconds (decimal) since 1st
1st of January 1970 (Unix timestamp). The time zone MUST be UTC. of January 1970 (Unix timestamp). The time zone MUST be UTC.
timestamp is represented as a JSON string. timestamp MUST be present. timestamp is represented as a JSON string. timestamp MUST be present.
@ -212,11 +217,6 @@ Internet-Draft MISP core format October 2016
each publication of an event, publish_timestamp MUST be updated. The each publication of an event, publish_timestamp MUST be updated. The
time zone MUST be UTC. time zone MUST be UTC.
publish_timestamp is represented as a JSON string. publish_timestamp
MUST be present.
@ -226,21 +226,26 @@ Dulaunoy & Iklody Expires April 4, 2017 [Page 4]
Internet-Draft MISP core format October 2016 Internet-Draft MISP core format October 2016
publish_timestamp is represented as a JSON string. publish_timestamp
MUST be present.
2.2.1.9. org_id 2.2.1.9. org_id
org_id represents the Universally Unique IDentifier (UUID) [RFC4122] org_id represents a human-readable identifier referencing an Org
of the organization which generated the event. The org_id MUST be object of the organization which generated the event.
updated when the event is generated by a new instance.
The org_id MUST be updated when the event is generated by a new
instance.
org_id is represented as a JSON string. org_id MUST be present. org_id is represented as a JSON string. org_id MUST be present.
2.2.1.10. orgc_id 2.2.1.10. orgc_id
orgc_id represents the Universally Unique IDentifier (UUID) [RFC4122] orgc_id represents a human-readable identifier referencing an Orgc
of the organization which created the event. The orgc_id MUST be object of the organization which created the event.
preserved for any updates or transfer of the same event. UUID
version 4 is RECOMMENDED when assigning it to a new event. orgc_id The orgc_id and Orc object MUST be preserved for any updates or
is globally assigned to an organization and SHALL be kept overtime. transfer of the same event.
orgc_id is represented as a JSON string. orgc_id MUST be present. orgc_id is represented as a JSON string. orgc_id MUST be present.
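
Review bot: In the new 2.2.1.10 text, "The orgc_id and Orc object MUST be preserved" misspells the object name; it should read "Orgc object" to match the section 2.3.2 added later in this patch. In the same hunk, org_id and orgc_id change from an RFC4122 UUID to "a human-readable identifier", but the new wording does not say what form that identifier takes or whether it is unique beyond the generating instance. Since consumers previously relied on the UUID to identify the organization, I suggest adding a sentence to 2.2.1.9 and 2.2.1.10 stating that the globally stable identifier is now the uuid of the referenced Org/Orgc object and what scope org_id/orgc_id has.
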
@ -252,6 +257,45 @@ Internet-Draft MISP core format October 2016
attribute_count is represented as a JSON string. attribute_count attribute_count is represented as a JSON string. attribute_count
SHALL be present. SHALL be present.
2.3. Objects
2.3.1. Org
An Org object is composed of an uuid, name and id.
The uuid represents the Universally Unique IDentifier (UUID)
[RFC4122] of the organization. The uuid is globally assigned to an
organization and SHALL be kept overtime.
uuid is represented as a JSON string. uuid MUST be present.
The name is a readable description of the organization and SHOULD be
present.
Dulaunoy & Iklody Expires April 4, 2017 [Page 5]
Internet-Draft MISP core format October 2016
2.3.2. Orgc
An Orgc object is composed of an uuid, name and id.
The uuid MUST be preserved for any updates or transfer of the same
event. UUID version 4 is RECOMMENDED when assigning it to a new
event. orgc_id is globally assigned to an organization and SHALL be
kept overtime.
The name is a readable description of the organization and SHOULD be
present.
orgc_id is represented as a JSON string. orgc_id SHOULD be present.
3. References 3. References
3.1. Normative References 3.1. Normative References
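
Review bot: Both new object definitions (2.3.1 Org and 2.3.2 Orgc) are described as "composed of an uuid, name and id", but id is never defined: no representation, no requirement level, and no statement of how it relates to org_id/orgc_id in the Event. In 2.3.2 the sentences "orgc_id is globally assigned to an organization" and "orgc_id is represented as a JSON string. orgc_id SHOULD be present." look carried over from the old 2.2.1.10 text; inside the Orgc object they presumably should refer to uuid, and as written "SHOULD be present" contradicts "orgc_id MUST be present" in 2.2.1.10. 2.3.2 also lacks the "uuid is represented as a JSON string. uuid MUST be present." line and the [RFC4122] reference that 2.3.1 has. Suggest defining id explicitly in both sections and aligning the Orgc uuid wording with the Org section.
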
@ -271,17 +315,6 @@ Internet-Draft MISP core format October 2016
DOI 10.17487/RFC4627, July 2006, DOI 10.17487/RFC4627, July 2006,
<http://www.rfc-editor.org/info/rfc4627>. <http://www.rfc-editor.org/info/rfc4627>.
Dulaunoy & Iklody Expires April 4, 2017 [Page 5]
Internet-Draft MISP core format October 2016
3.2. Informative References 3.2. Informative References
[MISP-P] MISP, , "MISP Project - Malware Information Sharing [MISP-P] MISP, , "MISP Project - Malware Information Sharing
@ -294,6 +327,17 @@ Appendix A. Acknowledgements
Authors' Addresses Authors' Addresses
Dulaunoy & Iklody Expires April 4, 2017 [Page 6]
Internet-Draft MISP core format October 2016
Alexandre Dulaunoy Alexandre Dulaunoy
Computer Incident Response Center Luxembourg Computer Incident Response Center Luxembourg
41, avenue de la gare 41, avenue de la gare
@ -333,4 +377,16 @@ Authors' Addresses
Dulaunoy & Iklody Expires April 4, 2017 [Page 6]
Dulaunoy & Iklody Expires April 4, 2017 [Page 7]