From e8caee04edf202a51d63f2ecfe1579baf07571ed Mon Sep 17 00:00:00 2001 From: Maxime Thiebaut <46688461+0xThiebaut@users.noreply.github.com> Date: Sat, 5 Feb 2022 22:42:36 +0100 Subject: [PATCH 1/2] Correct `Event` and `ShadowAttribute`'s `Orgc` and `Org` Both `Event` and `ShadowAttribute`'s objects were missing a depth-level. --- misp-core-format/raw.md | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/misp-core-format/raw.md b/misp-core-format/raw.md index 1c691cd..1cb2dff 100755 --- a/misp-core-format/raw.md +++ b/misp-core-format/raw.md @@ -218,9 +218,9 @@ extends\_uuid represents which event is extended by this event. The extends\_uui extends\_uuid is represented as a JSON string. extends\_uuid **SHOULD** be present. -## Objects +### Event Objects -### Org +#### Org An Org object is composed of an uuid, name and id. @@ -233,7 +233,7 @@ A human-readable identifier **MUST** be represented as an unsigned integer. uuid, name and id are represented as a JSON string. uuid, name and id **MUST** be present. -#### Sample Org Object +##### Sample Org Object ~~~~ "Org": { @@ -243,7 +243,7 @@ uuid, name and id are represented as a JSON string. uuid, name and id **MUST** b } ~~~~ -### Orgc +#### Orgc An Orgc object is composed of an uuid, name and id. @@ -650,7 +650,15 @@ last_seen represents a reference time when the attribute was last seen. last_see last_seen is represented as a JSON string. last_seen **MAY** be present. -### Org +#### value + +value represents the payload of an attribute. The format of the value is dependent on the type of the attribute. + +value is represented by a JSON string. value **MUST** be present. + +### ShadowAttribute Objects + +#### Org An Org object is composed of an uuid, name and id. @@ -663,7 +671,7 @@ A human-readable identifier **MUST** be represented as an unsigned integer. uuid, name and id are represented as a JSON string. uuid, name and id **MUST** be present. -#### Sample Org Object +##### Sample Org Object ~~~~ "Org": { @@ -673,12 +681,6 @@ uuid, name and id are represented as a JSON string. uuid, name and id **MUST** b } ~~~~ -#### value - -value represents the payload of an attribute. The format of the value is dependent on the type of the attribute. - -value is represented by a JSON string. value **MUST** be present. - ## Object Objects serve as a contextual bond between a list of attributes within an event. Their main purpose is to describe more complex structures than can be described by a single attribute From e53e962a6e39ec8d9af132159882314ccb2bb2ad Mon Sep 17 00:00:00 2001 From: Maxime THIEBAUT <46688461+0xThiebaut@users.noreply.github.com> Date: Sun, 6 Feb 2022 10:55:10 +0100 Subject: [PATCH 2/2] Improve `Sighting`'s JSON representation discription --- misp-core-format/raw.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/misp-core-format/raw.md b/misp-core-format/raw.md index 1c691cd..2894a57 100755 --- a/misp-core-format/raw.md +++ b/misp-core-format/raw.md @@ -1071,7 +1071,7 @@ date_sighting **MUST** be present. date_sighting is expressed in seconds (decima source **MAY** be present. source is represented as a JSON string and represents the human-readable version of the sighting source, which can be a given piece of software (e.g. SIEM), device or a specific analytical process. -id, event_id and attribute_id **MAY** be present. +id, event_id and attribute_id are represented as a JSON string and **MAY** be present. id represents the human-readable identifier of the sighting reference which belongs to a specific MISP instance. event_id represents the human-readable identifier of the event referenced by the sighting and belongs to a specific MISP instance. @@ -1081,7 +1081,7 @@ org_id **MAY** be present along the JSON object describing the organisation. If org_id represents the human-readable identifier of the organisation which did the sighting and belongs to a specific MISP instance. -A human-readable identifier **MUST** be represented as an unsigned integer. +A human-readable identifier **MUST** be considered as an unsigned integer. ### Sample Sighting