chg: [misp-core] updated to the latest version

2023-12-25 07:20:33 +01:00 · 2023-12-25 07:20:33 +01:00 · 5c4002750b
parent 45fd0e0c94
commit 5c4002750b
4 changed files with 245 additions and 236 deletions
--- a/misp-core-format/raw.md
+++ b/misp-core-format/raw.md
@ -9,7 +9,7 @@ submissiontype = "independent"

 [seriesInfo]
 name = "Internet-Draft"
-value = "draft-16"
+value = "draft-17"
 stream = "independent"
 status = "informational"

--- a/misp-core-format/raw.md.html
+++ b/misp-core-format/raw.md.html
@ -15,7 +15,7 @@ respective key. The format is described to support other implementations which r
 format and ensuring an interoperability with existing MISP   software and other Threat Intelligence Platforms. 
    " name="description">
 <meta content="xml2rfc 3.12.1" name="generator">
-<meta content="draft-00" name="ietf.draft">
+<meta content="draft-17" name="ietf.draft">
 <!-- Generator version information:
  xml2rfc 3.12.1
    Python 3.8.10
@ -24,16 +24,16 @@ format and ensuring an interoperability with existing MISP   software and other
    google-i18n-address 2.5.0
    html5lib 1.1
    intervaltree 3.1.0
-    Jinja2 2.11.3
+    Jinja2 3.1.2
    kitchen 1.2.6
-    lxml 4.7.1
+    lxml 4.9.2
    pycairo 1.16.2
-    pycountry 22.1.10
+    pycountry 22.3.5
    pyflakes 2.4.0
-    PyYAML 5.4.1
-    requests 2.24.0
-    setuptools 45.2.0
-    six 1.15.0
+    PyYAML 6.0
+    requests 2.31.0
+    setuptools 68.1.2
+    six 1.16.0
 -->
 <link href="raw.md.xml" rel="alternate" type="application/rfc+xml">
 <link href="#copyright" rel="license">
@ -1190,11 +1190,11 @@ li > p:last-of-type {
 <thead><tr>
 <td class="left">Internet-Draft</td>
 <td class="center">MISP core format</td>
-<td class="right">February 2022</td>
+<td class="right">December 2023</td>
 </tr></thead>
 <tfoot><tr>
 <td class="left">Dulaunoy &amp; Iklody</td>
-<td class="center">Expires 18 August 2022</td>
+<td class="center">Expires 26 June 2024</td>
 <td class="right">[Page]</td>
 </tr></tfoot>
 </table>
@ -1204,15 +1204,15 @@ li > p:last-of-type {
 <dt class="label-workgroup">Workgroup:</dt>
 <dd class="workgroup">Network Working Group</dd>
 <dt class="label-internet-draft">Internet-Draft:</dt>
-<dd class="internet-draft">draft-00</dd>
+<dd class="internet-draft">draft-17</dd>
 <dt class="label-published">Published:</dt>
 <dd class="published">
-<time datetime="2022-02-14" class="published">14 February 2022</time>
+<time datetime="2023-12-24" class="published">24 December 2023</time>
    </dd>
 <dt class="label-intended-status">Intended Status:</dt>
 <dd class="intended-status">Informational</dd>
 <dt class="label-expires">Expires:</dt>
-<dd class="expires"><time datetime="2022-08-18">18 August 2022</time></dd>
+<dd class="expires"><time datetime="2024-06-26">26 June 2024</time></dd>
 <dt class="label-authors">Authors:</dt>
 <dd class="authors">
 <div class="author">
@ -1254,7 +1254,7 @@ format and ensuring an interoperability with existing MISP <span>[<a href="#MISP
        time. It is inappropriate to use Internet-Drafts as reference
        material or to cite them other than as "work in progress."<a href="#section-boilerplate.1-3" class="pilcrow">¶</a></p>
 <p id="section-boilerplate.1-4">
-        This Internet-Draft will expire on 18 August 2022.<a href="#section-boilerplate.1-4" class="pilcrow">¶</a></p>
+        This Internet-Draft will expire on 26 June 2024.<a href="#section-boilerplate.1-4" class="pilcrow">¶</a></p>
 </section>
 </div>
 <div id="copyright">
@ -1263,7 +1263,7 @@ format and ensuring an interoperability with existing MISP <span>[<a href="#MISP
 <a href="#name-copyright-notice" class="section-name selfRef">Copyright Notice</a>
        </h2>
 <p id="section-boilerplate.2-1">
-            Copyright (c) 2022 IETF Trust and the persons identified as the
+            Copyright (c) 2023 IETF Trust and the persons identified as the
            document authors. All rights reserved.<a href="#section-boilerplate.2-1" class="pilcrow">¶</a></p>
 <p id="section-boilerplate.2-2">
            This document is subject to BCP 78 and the IETF Trust's Legal
@ -1856,11 +1856,11 @@ represented as an unsigned integer.<a href="#section-2.3.2.2-1" class="pilcrow">
 </dd>
              <dd class="break"></dd>
 <dt id="section-2.3.2.3-3.17">Payload delivery</dt>
-              <dd style="margin-left: 1.5em" id="section-2.3.2.3-3.18">md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, filename-pattern, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised<a href="#section-2.3.2.3-3.18" class="pilcrow">¶</a>
+              <dd style="margin-left: 1.5em" id="section-2.3.2.3-3.18">md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, filename-pattern, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, azure-application-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised<a href="#section-2.3.2.3-3.18" class="pilcrow">¶</a>
 </dd>
              <dd class="break"></dd>
 <dt id="section-2.3.2.3-3.19">Payload installation</dt>
-              <dd style="margin-left: 1.5em" id="section-2.3.2.3-3.20">md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma, vulnerability, cpe, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, chrome-extension-id, other, mime-type, anonymised<a href="#section-2.3.2.3-3.20" class="pilcrow">¶</a>
+              <dd style="margin-left: 1.5em" id="section-2.3.2.3-3.20">md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma, vulnerability, cpe, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, azure-application-id, azure-application-id, mobile-application-id, chrome-extension-id, other, mime-type, anonymised<a href="#section-2.3.2.3-3.20" class="pilcrow">¶</a>
 </dd>
              <dd class="break"></dd>
 <dt id="section-2.3.2.3-3.21">Payload type</dt>
@ -2155,11 +2155,11 @@ id is represented as a JSON string. id <span class="bcp14">SHALL</span> be prese
 </dd>
              <dd class="break"></dd>
 <dt id="section-2.4.2.3-3.17">Payload delivery</dt>
-              <dd style="margin-left: 1.5em" id="section-2.4.2.3-3.18">md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, filename-pattern, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised<a href="#section-2.4.2.3-3.18" class="pilcrow">¶</a>
+              <dd style="margin-left: 1.5em" id="section-2.4.2.3-3.18">md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, filename-pattern, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, azure-application-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised<a href="#section-2.4.2.3-3.18" class="pilcrow">¶</a>
 </dd>
              <dd class="break"></dd>
 <dt id="section-2.4.2.3-3.19">Payload installation</dt>
-              <dd style="margin-left: 1.5em" id="section-2.4.2.3-3.20">md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma, vulnerability, cpe, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, chrome-extension-id, other, mime-type, anonymised<a href="#section-2.4.2.3-3.20" class="pilcrow">¶</a>
+              <dd style="margin-left: 1.5em" id="section-2.4.2.3-3.20">md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma, vulnerability, cpe, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, azure-application-id, azure-application-id, mobile-application-id, chrome-extension-id, other, mime-type, anonymised<a href="#section-2.4.2.3-3.20" class="pilcrow">¶</a>
 </dd>
              <dd class="break"></dd>
 <dt id="section-2.4.2.3-3.21">Payload type</dt>
@ -2918,6 +2918,10 @@ be anonymised. Sighting is composed of a JSON array in which each element descri
              <td class="text-left" rowspan="1" colspan="1">2</td>
              <td class="text-center" rowspan="1" colspan="1">denotes an attribute which will be expired at the time of the sighting</td>
            </tr>
+            <tr>
+              <td class="text-left" rowspan="1" colspan="1">3</td>
+              <td class="text-center" rowspan="1" colspan="1">denotes an attribute which has been seen and confirmed as a true-positive</td>
+            </tr>
          </tbody>
        </table>
 <p id="section-2.9-4">uuid <span class="bcp14">MUST</span> be present. uuid references the uuid of the sighted attribute.<a href="#section-2.9-4" class="pilcrow">¶</a></p>
@ -3925,8 +3929,8 @@ for the review of the JSON Schema.<a href="#section-7-1" class="pilcrow">¶</a><
 <address class="vcard">
        <div dir="auto" class="left"><span class="fn nameRole">Alexandre Dulaunoy</span></div>
 <div dir="auto" class="left"><span class="org">Computer Incident Response Center Luxembourg</span></div>
-<div dir="auto" class="left"><span class="street-address">16, bd d'Avranches</span></div>
-<div dir="auto" class="left">L-<span class="postal-code">L-1160</span> <span class="locality">Luxembourg</span>
+<div dir="auto" class="left"><span class="street-address">122, rue Adolphe Fischer</span></div>
+<div dir="auto" class="left">L-<span class="postal-code">L-1521</span> <span class="locality">Luxembourg</span>
 </div>
 <div dir="auto" class="left"><span class="country-name">Luxembourg</span></div>
 <div class="tel">
@ -3941,8 +3945,8 @@ for the review of the JSON Schema.<a href="#section-7-1" class="pilcrow">¶</a><
 <address class="vcard">
        <div dir="auto" class="left"><span class="fn nameRole">Andras Iklody</span></div>
 <div dir="auto" class="left"><span class="org">Computer Incident Response Center Luxembourg</span></div>
-<div dir="auto" class="left"><span class="street-address">16, bd d'Avranches</span></div>
-<div dir="auto" class="left">L-<span class="postal-code">L-1160</span> <span class="locality">Luxembourg</span>
+<div dir="auto" class="left"><span class="street-address">122, rue Adolphe Fischer</span></div>
+<div dir="auto" class="left">L-<span class="postal-code">L-1521</span> <span class="locality">Luxembourg</span>
 </div>
 <div dir="auto" class="left"><span class="country-name">Luxembourg</span></div>
 <div class="tel">
--- a/misp-core-format/raw.md.txt
+++ b/misp-core-format/raw.md.txt
@ -5,11 +5,11 @@
 Network Working Group                                        A. Dulaunoy
 Internet-Draft                                                 A. Iklody
 Intended status: Informational                                     CIRCL
-Expires: 18 August 2022                                 14 February 2022
+Expires: 26 June 2024                                   24 December 2023


                            MISP core format
-                                draft-00
+                                draft-17

 Abstract

@ -37,11 +37,11 @@ Status of This Memo
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

-   This Internet-Draft will expire on 18 August 2022.
+   This Internet-Draft will expire on 26 June 2024.

 Copyright Notice

-   Copyright (c) 2022 IETF Trust and the persons identified as the
+   Copyright (c) 2023 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
@ -53,9 +53,9 @@ Copyright Notice



-Dulaunoy & Iklody        Expires 18 August 2022                 [Page 1]
+Dulaunoy & Iklody         Expires 26 June 2024                  [Page 1]

-Internet-Draft              MISP core format               February 2022
+Internet-Draft              MISP core format               December 2023


 Table of Contents
@ -109,9 +109,9 @@ Table of Contents



-Dulaunoy & Iklody        Expires 18 August 2022                 [Page 2]
+Dulaunoy & Iklody         Expires 26 June 2024                  [Page 2]

-Internet-Draft              MISP core format               February 2022
+Internet-Draft              MISP core format               December 2023


   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  53
@ -165,9 +165,9 @@ Internet-Draft              MISP core format               February 2022



-Dulaunoy & Iklody        Expires 18 August 2022                 [Page 3]
+Dulaunoy & Iklody         Expires 26 June 2024                  [Page 3]

-Internet-Draft              MISP core format               February 2022
+Internet-Draft              MISP core format               December 2023


   uuid is represented as a JSON string. uuid MUST be present.
@ -221,9 +221,9 @@ Internet-Draft              MISP core format               February 2022



-Dulaunoy & Iklody        Expires 18 August 2022                 [Page 4]
+Dulaunoy & Iklody         Expires 26 June 2024                  [Page 4]

-Internet-Draft              MISP core format               February 2022
+Internet-Draft              MISP core format               December 2023


   1:  Ongoing
@ -277,9 +277,9 @@ Internet-Draft              MISP core format               February 2022



-Dulaunoy & Iklody        Expires 18 August 2022                 [Page 5]
+Dulaunoy & Iklody         Expires 26 June 2024                  [Page 5]

-Internet-Draft              MISP core format               February 2022
+Internet-Draft              MISP core format               December 2023


   org_id is represented as a JSON string. org_id MUST be present.
@ -333,9 +333,9 @@ Internet-Draft              MISP core format               February 2022



-Dulaunoy & Iklody        Expires 18 August 2022                 [Page 6]
+Dulaunoy & Iklody         Expires 26 June 2024                  [Page 6]

-Internet-Draft              MISP core format               February 2022
+Internet-Draft              MISP core format               December 2023


 2.2.1.15.  extends_uuid
@ -389,9 +389,9 @@ Internet-Draft              MISP core format               February 2022



-Dulaunoy & Iklody        Expires 18 August 2022                 [Page 7]
+Dulaunoy & Iklody         Expires 26 June 2024                  [Page 7]

-Internet-Draft              MISP core format               February 2022
+Internet-Draft              MISP core format               December 2023


   uuid, name and id are represented as a JSON string. uuid, name and id
@ -445,9 +445,9 @@ Internet-Draft              MISP core format               February 2022



-Dulaunoy & Iklody        Expires 18 August 2022                 [Page 8]
+Dulaunoy & Iklody         Expires 26 June 2024                  [Page 8]

-Internet-Draft              MISP core format               February 2022
+Internet-Draft              MISP core format               December 2023


 2.3.2.2.  id
@ -501,9 +501,9 @@ Internet-Draft              MISP core format               February 2022



-Dulaunoy & Iklody        Expires 18 August 2022                 [Page 9]
+Dulaunoy & Iklody         Expires 26 June 2024                  [Page 9]

-Internet-Draft              MISP core format               February 2022
+Internet-Draft              MISP core format               December 2023


      pattern-in-traffic, pattern-in-memory, filename-pattern,
@ -549,17 +549,17 @@ Internet-Draft              MISP core format               February 2022
      jarm-fingerprint, hassh-md5, hasshserver-md5, other,
      hostname|port, email-dst-display-name, email-src-display-name,
      email-header, email-reply-to, email-x-mailer, email-mime-boundary,
-      email-thread-index, email-message-id, mobile-application-id,
-      chrome-extension-id, whois-registrant-email, anonymised
+      email-thread-index, email-message-id, azure-application-id,
+      mobile-application-id, chrome-extension-id, whois-registrant-
+      email, anonymised
   Payload installation  md5, sha1, sha224, sha256, sha384, sha512,




-
-Dulaunoy & Iklody        Expires 18 August 2022                [Page 10]
+Dulaunoy & Iklody         Expires 26 June 2024                 [Page 10]

-Internet-Draft              MISP core format               February 2022
+Internet-Draft              MISP core format               December 2023


      sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512,
@ -574,8 +574,9 @@ Internet-Draft              MISP core format               February 2022
      traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara,
      sigma, vulnerability, cpe, weakness, attachment, malware-sample,
      malware-type, comment, text, hex, x509-fingerprint-sha1, x509-
-      fingerprint-md5, x509-fingerprint-sha256, mobile-application-id,
-      chrome-extension-id, other, mime-type, anonymised
+      fingerprint-md5, x509-fingerprint-sha256, azure-application-id,
+      azure-application-id, mobile-application-id, chrome-extension-id,
+      other, mime-type, anonymised
   Payload type  comment, text, other, anonymised
   Persistence mechanism  filename, regkey, regkey|value, comment, text,
      other, hex, anonymised
@ -607,17 +608,20 @@ Internet-Draft              MISP core format               February 2022
   selected by the attribute creator, using a list of pre-defined
   attribute categories.

+
+
+
+
+
+Dulaunoy & Iklody         Expires 26 June 2024                 [Page 11]
+
+Internet-Draft              MISP core format               December 2023
+
+
   category is represented as a JSON string. category MUST be present
   and it MUST be a valid selection for the chosen type.  The list of
   valid category-type combinations is mentioned above.

-
-
-Dulaunoy & Iklody        Expires 18 August 2022                [Page 11]
-
-Internet-Draft              MISP core format               February 2022
-
-
 2.3.2.5.  to_ids

   to_ids represents whether the attribute is meant to be actionable.
@ -662,18 +666,18 @@ Internet-Draft              MISP core format               February 2022

   timestamp is represented as a JSON string. timestamp MUST be present.

+
+
+
+Dulaunoy & Iklody         Expires 26 June 2024                 [Page 12]
+
+Internet-Draft              MISP core format               December 2023
+
+
 2.3.2.9.  comment

   comment is a contextual comment field.

-
-
-
-Dulaunoy & Iklody        Expires 18 August 2022                [Page 12]
-
-Internet-Draft              MISP core format               February 2022
-
-
   comment is represented by a JSON string. comment MAY be present.

 2.3.2.10.  sharing_group_id
@ -721,13 +725,9 @@ Internet-Draft              MISP core format               February 2022



-
-
-
-
-Dulaunoy & Iklody        Expires 18 August 2022                [Page 13]
+Dulaunoy & Iklody         Expires 26 June 2024                 [Page 13]

-Internet-Draft              MISP core format               February 2022
+Internet-Draft              MISP core format               December 2023


 2.3.2.14.  ShadowAttribute
@ -781,9 +781,9 @@ Internet-Draft              MISP core format               February 2022



-Dulaunoy & Iklody        Expires 18 August 2022                [Page 14]
+Dulaunoy & Iklody         Expires 26 June 2024                 [Page 14]

-Internet-Draft              MISP core format               February 2022
+Internet-Draft              MISP core format               December 2023


 2.4.1.  Sample Attribute Object
@ -837,9 +837,9 @@ Internet-Draft              MISP core format               February 2022



-Dulaunoy & Iklody        Expires 18 August 2022                [Page 15]
+Dulaunoy & Iklody         Expires 26 June 2024                 [Page 15]

-Internet-Draft              MISP core format               February 2022
+Internet-Draft              MISP core format               December 2023


   type is represented as a JSON string. type MUST be present and it
@ -893,9 +893,9 @@ Internet-Draft              MISP core format               February 2022



-Dulaunoy & Iklody        Expires 18 August 2022                [Page 16]
+Dulaunoy & Iklody         Expires 26 June 2024                 [Page 16]

-Internet-Draft              MISP core format               February 2022
+Internet-Draft              MISP core format               December 2023


      hostname, domain, domain|ip, mac-address, mac-eui-64, email,
@ -929,9 +929,31 @@ Internet-Draft              MISP core format               February 2022
      jarm-fingerprint, hassh-md5, hasshserver-md5, other,
      hostname|port, email-dst-display-name, email-src-display-name,
      email-header, email-reply-to, email-x-mailer, email-mime-boundary,
-      email-thread-index, email-message-id, mobile-application-id,
-      chrome-extension-id, whois-registrant-email, anonymised
+      email-thread-index, email-message-id, azure-application-id,
+      mobile-application-id, chrome-extension-id, whois-registrant-
+      email, anonymised
   Payload installation  md5, sha1, sha224, sha256, sha384, sha512,
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Dulaunoy & Iklody         Expires 26 June 2024                 [Page 17]
+
+Internet-Draft              MISP core format               December 2023
+
+
      sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512,
      ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash,
      tlsh, cdhash, filename, filename|md5, filename|sha1,
@ -944,16 +966,9 @@ Internet-Draft              MISP core format               February 2022
      traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara,
      sigma, vulnerability, cpe, weakness, attachment, malware-sample,
      malware-type, comment, text, hex, x509-fingerprint-sha1, x509-
-      fingerprint-md5, x509-fingerprint-sha256, mobile-application-id,
-      chrome-extension-id, other, mime-type, anonymised
-
-
-
-Dulaunoy & Iklody        Expires 18 August 2022                [Page 17]
-
-Internet-Draft              MISP core format               February 2022
-
-
+      fingerprint-md5, x509-fingerprint-sha256, azure-application-id,
+      azure-application-id, mobile-application-id, chrome-extension-id,
+      other, mime-type, anonymised
   Payload type  comment, text, other, anonymised
   Persistence mechanism  filename, regkey, regkey|value, comment, text,
      other, hex, anonymised
@ -985,6 +1000,16 @@ Internet-Draft              MISP core format               February 2022
   selected by the attribute creator, using a list of pre-defined
   attribute categories.

+
+
+
+
+
+Dulaunoy & Iklody         Expires 26 June 2024                 [Page 18]
+
+Internet-Draft              MISP core format               December 2023
+
+
   category is represented as a JSON string. category MUST be present
   and it MUST be a valid selection for the chosen type.  The list of
   valid category-type combinations is mentioned above.
@ -999,17 +1024,6 @@ Internet-Draft              MISP core format               February 2022

   to_ids is represented as a JSON boolean. to_ids MUST be present.

-
-
-
-
-
-
-Dulaunoy & Iklody        Expires 18 August 2022                [Page 18]
-
-Internet-Draft              MISP core format               February 2022
-
-
 2.4.2.6.  event_id

   event_id represents a human-readable identifier referencing the Event
@ -1044,6 +1058,14 @@ Internet-Draft              MISP core format               February 2022

   timestamp is represented as a JSON string. timestamp MUST be present.

+
+
+
+Dulaunoy & Iklody         Expires 26 June 2024                 [Page 19]
+
+Internet-Draft              MISP core format               December 2023
+
+
 2.4.2.9.  comment

   comment is a contextual comment field.
@ -1056,16 +1078,6 @@ Internet-Draft              MISP core format               February 2022
   proposal creator's Organisation object.  A human-readable identifier
   MUST be represented as an unsigned integer.

-
-
-
-
-
-Dulaunoy & Iklody        Expires 18 August 2022                [Page 19]
-
-Internet-Draft              MISP core format               February 2022
-
-
   Whilst attributes can only be created by the event creator
   organisation, shadow attributes can be created by third parties.
   org_id tracks the creator organisation.
@ -1102,6 +1114,14 @@ Internet-Draft              MISP core format               February 2022
   data is represented by a JSON string in base64 encoding. data MUST be
   set for shadow attributes of type malware-sample and attachment.

+
+
+
+Dulaunoy & Iklody         Expires 26 June 2024                 [Page 20]
+
+Internet-Draft              MISP core format               December 2023
+
+
 2.4.2.14.  first_seen

   first_seen represents a reference time when the attribute was first
@ -1111,17 +1131,6 @@ Internet-Draft              MISP core format               February 2022
   first_seen is represented as a JSON string. first_seen MAY be
   present.

-
-
-
-
-
-
-Dulaunoy & Iklody        Expires 18 August 2022                [Page 20]
-
-Internet-Draft              MISP core format               February 2022
-
-
 2.4.2.15.  last_seen

   last_seen represents a reference time when the attribute was last
@ -1157,27 +1166,24 @@ Internet-Draft              MISP core format               February 2022

 2.4.3.1.1.  Sample Org Object

+
+
+
+
+
+
+
+Dulaunoy & Iklody         Expires 26 June 2024                 [Page 21]
+
+Internet-Draft              MISP core format               December 2023
+
+
   "Org": {
           "id": "2",
           "name": "CIRCL",
           "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
          }

-
-
-
-
-
-
-
-
-
-
-Dulaunoy & Iklody        Expires 18 August 2022                [Page 21]
-
-Internet-Draft              MISP core format               February 2022
-
-
 2.5.  Object

   Objects serve as a contextual bond between a list of attributes
@ -1223,15 +1229,9 @@ Internet-Draft              MISP core format               February 2022



-
-
-
-
-
-
-Dulaunoy & Iklody        Expires 18 August 2022                [Page 22]
+Dulaunoy & Iklody         Expires 26 June 2024                 [Page 22]

-Internet-Draft              MISP core format               February 2022
+Internet-Draft              MISP core format               December 2023


 "Object": {
@ -1285,9 +1285,9 @@ Internet-Draft              MISP core format               February 2022



-Dulaunoy & Iklody        Expires 18 August 2022                [Page 23]
+Dulaunoy & Iklody         Expires 26 June 2024                 [Page 23]

-Internet-Draft              MISP core format               February 2022
+Internet-Draft              MISP core format               December 2023


 2.5.2.1.  uuid
@ -1341,9 +1341,9 @@ Internet-Draft              MISP core format               February 2022



-Dulaunoy & Iklody        Expires 18 August 2022                [Page 24]
+Dulaunoy & Iklody         Expires 26 June 2024                 [Page 24]

-Internet-Draft              MISP core format               February 2022
+Internet-Draft              MISP core format               December 2023


   template_uuid is represented as a JSON string. template_uuid MUST be
@ -1397,9 +1397,9 @@ Internet-Draft              MISP core format               February 2022



-Dulaunoy & Iklody        Expires 18 August 2022                [Page 25]
+Dulaunoy & Iklody         Expires 26 June 2024                 [Page 25]

-Internet-Draft              MISP core format               February 2022
+Internet-Draft              MISP core format               December 2023


 2.5.2.11.  sharing_group_id
@ -1453,9 +1453,9 @@ Internet-Draft              MISP core format               February 2022



-Dulaunoy & Iklody        Expires 18 August 2022                [Page 26]
+Dulaunoy & Iklody         Expires 26 June 2024                 [Page 26]

-Internet-Draft              MISP core format               February 2022
+Internet-Draft              MISP core format               December 2023


   last_seen is represented as a JSON string. last_seen MAY be present.
@ -1509,9 +1509,9 @@ Internet-Draft              MISP core format               February 2022



-Dulaunoy & Iklody        Expires 18 August 2022                [Page 27]
+Dulaunoy & Iklody         Expires 26 June 2024                 [Page 27]

-Internet-Draft              MISP core format               February 2022
+Internet-Draft              MISP core format               December 2023


 2.6.2.3.  timestamp
@ -1565,9 +1565,9 @@ Internet-Draft              MISP core format               February 2022



-Dulaunoy & Iklody        Expires 18 August 2022                [Page 28]
+Dulaunoy & Iklody         Expires 26 June 2024                 [Page 28]

-Internet-Draft              MISP core format               February 2022
+Internet-Draft              MISP core format               December 2023


   relationship_type is represented as a JSON string. relationship_type
@ -1621,9 +1621,9 @@ Internet-Draft              MISP core format               February 2022



-Dulaunoy & Iklody        Expires 18 August 2022                [Page 29]
+Dulaunoy & Iklody         Expires 26 June 2024                 [Page 29]

-Internet-Draft              MISP core format               February 2022
+Internet-Draft              MISP core format               December 2023


 2.7.2.  UUID
@ -1677,9 +1677,9 @@ Internet-Draft              MISP core format               February 2022



-Dulaunoy & Iklody        Expires 18 August 2022                [Page 30]
+Dulaunoy & Iklody         Expires 26 June 2024                 [Page 30]

-Internet-Draft              MISP core format               February 2022
+Internet-Draft              MISP core format               December 2023


   2  Connected Communities
@ -1733,9 +1733,9 @@ Internet-Draft              MISP core format               February 2022



-Dulaunoy & Iklody        Expires 18 August 2022                [Page 31]
+Dulaunoy & Iklody         Expires 26 June 2024                 [Page 31]

-Internet-Draft              MISP core format               February 2022
+Internet-Draft              MISP core format               December 2023


 2.8.1.  Sample Tag
@ -1768,6 +1768,9 @@ Internet-Draft              MISP core format               February 2022
       +---------------+------------------------------------------+
       | 2             |    denotes an attribute which will be    |
       |               |   expired at the time of the sighting    |
+       +---------------+------------------------------------------+
+       | 3             | denotes an attribute which has been seen |
+       |               |     and confirmed as a true-positive     |
       +---------------+------------------------------------------+

                                 Table 1
@ -1780,20 +1783,22 @@ Internet-Draft              MISP core format               February 2022
   date_sighting represents when the referenced attribute, designated by
   its uuid, is sighted.

+
+
+
+
+
+
+Dulaunoy & Iklody         Expires 26 June 2024                 [Page 32]
+
+Internet-Draft              MISP core format               December 2023
+
+
   source MAY be present. source is represented as a JSON string and
   represents the human-readable version of the sighting source, which
   can be a given piece of software (e.g.  SIEM), device or a specific
   analytical process.

-
-
-
-
-Dulaunoy & Iklody        Expires 18 August 2022                [Page 32]
-
-Internet-Draft              MISP core format               February 2022
-
-
   id, event_id and attribute_id are represented as a JSON string and
   MAY be present.

@ -1840,14 +1845,9 @@ Internet-Draft              MISP core format               February 2022



-
-
-
-
-
-Dulaunoy & Iklody        Expires 18 August 2022                [Page 33]
+Dulaunoy & Iklody         Expires 26 June 2024                 [Page 33]

-Internet-Draft              MISP core format               February 2022
+Internet-Draft              MISP core format               December 2023


 "Sighting": [
@ -1901,9 +1901,9 @@ Internet-Draft              MISP core format               February 2022



-Dulaunoy & Iklody        Expires 18 August 2022                [Page 34]
+Dulaunoy & Iklody         Expires 26 June 2024                 [Page 34]

-Internet-Draft              MISP core format               February 2022
+Internet-Draft              MISP core format               December 2023


 "Galaxy": [ {
@ -1957,9 +1957,9 @@ Internet-Draft              MISP core format               February 2022



-Dulaunoy & Iklody        Expires 18 August 2022                [Page 35]
+Dulaunoy & Iklody         Expires 26 June 2024                 [Page 35]

-Internet-Draft              MISP core format               February 2022
+Internet-Draft              MISP core format               December 2023


 3.  JSON Schema
@ -2013,9 +2013,9 @@ Internet-Draft              MISP core format               February 2022



-Dulaunoy & Iklody        Expires 18 August 2022                [Page 36]
+Dulaunoy & Iklody         Expires 26 June 2024                 [Page 36]

-Internet-Draft              MISP core format               February 2022
+Internet-Draft              MISP core format               December 2023


       "type": "object",
@ -2069,9 +2069,9 @@ Internet-Draft              MISP core format               February 2022



-Dulaunoy & Iklody        Expires 18 August 2022                [Page 37]
+Dulaunoy & Iklody         Expires 26 June 2024                 [Page 37]

-Internet-Draft              MISP core format               February 2022
+Internet-Draft              MISP core format               December 2023


           "items": {
@ -2125,9 +2125,9 @@ Internet-Draft              MISP core format               February 2022



-Dulaunoy & Iklody        Expires 18 August 2022                [Page 38]
+Dulaunoy & Iklody         Expires 26 June 2024                 [Page 38]

-Internet-Draft              MISP core format               February 2022
+Internet-Draft              MISP core format               December 2023


           "type": "string"
@ -2181,9 +2181,9 @@ Internet-Draft              MISP core format               February 2022



-Dulaunoy & Iklody        Expires 18 August 2022                [Page 39]
+Dulaunoy & Iklody         Expires 26 June 2024                 [Page 39]

-Internet-Draft              MISP core format               February 2022
+Internet-Draft              MISP core format               December 2023


           "type": "string"
@ -2237,9 +2237,9 @@ Internet-Draft              MISP core format               February 2022



-Dulaunoy & Iklody        Expires 18 August 2022                [Page 40]
+Dulaunoy & Iklody         Expires 26 June 2024                 [Page 40]

-Internet-Draft              MISP core format               February 2022
+Internet-Draft              MISP core format               December 2023


       "properties": {
@ -2293,9 +2293,9 @@ Internet-Draft              MISP core format               February 2022



-Dulaunoy & Iklody        Expires 18 August 2022                [Page 41]
+Dulaunoy & Iklody         Expires 26 June 2024                 [Page 41]

-Internet-Draft              MISP core format               February 2022
+Internet-Draft              MISP core format               December 2023


       "properties": {
@ -2349,9 +2349,9 @@ Internet-Draft              MISP core format               February 2022



-Dulaunoy & Iklody        Expires 18 August 2022                [Page 42]
+Dulaunoy & Iklody         Expires 26 June 2024                 [Page 42]

-Internet-Draft              MISP core format               February 2022
+Internet-Draft              MISP core format               December 2023


       "properties": {
@ -2405,9 +2405,9 @@ Internet-Draft              MISP core format               February 2022



-Dulaunoy & Iklody        Expires 18 August 2022                [Page 43]
+Dulaunoy & Iklody         Expires 26 June 2024                 [Page 43]

-Internet-Draft              MISP core format               February 2022
+Internet-Draft              MISP core format               December 2023


         },
@ -2461,9 +2461,9 @@ Internet-Draft              MISP core format               February 2022



-Dulaunoy & Iklody        Expires 18 August 2022                [Page 44]
+Dulaunoy & Iklody         Expires 26 June 2024                 [Page 44]

-Internet-Draft              MISP core format               February 2022
+Internet-Draft              MISP core format               December 2023


         },
@ -2517,9 +2517,9 @@ Internet-Draft              MISP core format               February 2022



-Dulaunoy & Iklody        Expires 18 August 2022                [Page 45]
+Dulaunoy & Iklody         Expires 26 June 2024                 [Page 45]

-Internet-Draft              MISP core format               February 2022
+Internet-Draft              MISP core format               December 2023


           "type": "string"
@ -2573,9 +2573,9 @@ Internet-Draft              MISP core format               February 2022



-Dulaunoy & Iklody        Expires 18 August 2022                [Page 46]
+Dulaunoy & Iklody         Expires 26 June 2024                 [Page 46]

-Internet-Draft              MISP core format               February 2022
+Internet-Draft              MISP core format               December 2023


           "uniqueItems": true,
@ -2629,9 +2629,9 @@ Internet-Draft              MISP core format               February 2022



-Dulaunoy & Iklody        Expires 18 August 2022                [Page 47]
+Dulaunoy & Iklody         Expires 26 June 2024                 [Page 47]

-Internet-Draft              MISP core format               February 2022
+Internet-Draft              MISP core format               December 2023


           "type": "boolean"
@ -2685,9 +2685,9 @@ Internet-Draft              MISP core format               February 2022



-Dulaunoy & Iklody        Expires 18 August 2022                [Page 48]
+Dulaunoy & Iklody         Expires 26 June 2024                 [Page 48]

-Internet-Draft              MISP core format               February 2022
+Internet-Draft              MISP core format               December 2023


       "type": "object",
@ -2741,9 +2741,9 @@ Internet-Draft              MISP core format               February 2022



-Dulaunoy & Iklody        Expires 18 August 2022                [Page 49]
+Dulaunoy & Iklody         Expires 26 June 2024                 [Page 49]

-Internet-Draft              MISP core format               February 2022
+Internet-Draft              MISP core format               December 2023


     "Event": {
@ -2797,9 +2797,9 @@ Internet-Draft              MISP core format               February 2022



-Dulaunoy & Iklody        Expires 18 August 2022                [Page 50]
+Dulaunoy & Iklody         Expires 26 June 2024                 [Page 50]

-Internet-Draft              MISP core format               February 2022
+Internet-Draft              MISP core format               December 2023


   If a detached PGP signature is used for each MISP event, a detached
@ -2853,9 +2853,9 @@ Internet-Draft              MISP core format               February 2022



-Dulaunoy & Iklody        Expires 18 August 2022                [Page 51]
+Dulaunoy & Iklody         Expires 26 June 2024                 [Page 51]

-Internet-Draft              MISP core format               February 2022
+Internet-Draft              MISP core format               December 2023


        "name": "malware_classification:malware-category=\"Ransomware\""
@ -2909,9 +2909,9 @@ Internet-Draft              MISP core format               February 2022



-Dulaunoy & Iklody        Expires 18 August 2022                [Page 52]
+Dulaunoy & Iklody         Expires 26 June 2024                 [Page 52]

-Internet-Draft              MISP core format               February 2022
+Internet-Draft              MISP core format               December 2023


   [RFC4122]  Leach, P., Mealling, M., and R. Salz, "A Universally
@ -2952,8 +2952,8 @@ Authors' Addresses

   Alexandre Dulaunoy
   Computer Incident Response Center Luxembourg
-   16, bd d'Avranches
-   L-L-1160 Luxembourg
+   122, rue Adolphe Fischer
+   L-L-1521 Luxembourg
   Luxembourg

   Phone: +352 247 88444
@ -2965,15 +2965,15 @@ Authors' Addresses



-Dulaunoy & Iklody        Expires 18 August 2022                [Page 53]
+Dulaunoy & Iklody         Expires 26 June 2024                 [Page 53]

-Internet-Draft              MISP core format               February 2022
+Internet-Draft              MISP core format               December 2023


   Andras Iklody
   Computer Incident Response Center Luxembourg
-   16, bd d'Avranches
-   L-L-1160 Luxembourg
+   122, rue Adolphe Fischer
+   L-L-1521 Luxembourg
   Luxembourg

   Phone: +352 247 88444
@ -3021,4 +3021,4 @@ Internet-Draft              MISP core format               February 2022



-Dulaunoy & Iklody        Expires 18 August 2022                [Page 54]
+Dulaunoy & Iklody         Expires 26 June 2024                 [Page 54]
--- a/misp-core-format/raw.md.xml
+++ b/misp-core-format/raw.md.xml
@ -1,18 +1,18 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!-- name="GENERATOR" content="github.com/mmarkdown/mmark Mmark Markdown Processor - mmark.miek.nl" -->
-<rfc version="3" ipr="trust200902" docName="draft-00" submissionType="independent" category="info" xml:lang="en" xmlns:xi="http://www.w3.org/2001/XInclude" indexInclude="true">
+<rfc version="3" ipr="trust200902" docName="draft-17" submissionType="independent" category="info" xml:lang="en" xmlns:xi="http://www.w3.org/2001/XInclude" indexInclude="true">

 <front>
-<title abbrev="MISP core format">MISP core format</title><seriesInfo value="draft-00" stream="independent" status="informational" name="Internet-Draft"></seriesInfo>
-<author initials="A." surname="Dulaunoy" fullname="Alexandre Dulaunoy"><organization abbrev="CIRCL">Computer Incident Response Center Luxembourg</organization><address><postal><street>16, bd d'Avranches</street>
+<title abbrev="MISP core format">MISP core format</title><seriesInfo value="draft-17" stream="independent" status="informational" name="Internet-Draft"></seriesInfo>
+<author initials="A." surname="Dulaunoy" fullname="Alexandre Dulaunoy"><organization abbrev="CIRCL">Computer Incident Response Center Luxembourg</organization><address><postal><street>122, rue Adolphe Fischer</street>
 <city>Luxembourg</city>
-<code>L-1160</code>
+<code>L-1521</code>
 <country>Luxembourg</country>
 </postal><phone>+352 247 88444</phone>
 <email>alexandre.dulaunoy@circl.lu</email>
-</address></author><author initials="A." surname="Iklody" fullname="Andras Iklody"><organization abbrev="CIRCL">Computer Incident Response Center Luxembourg</organization><address><postal><street>16, bd d'Avranches</street>
+</address></author><author initials="A." surname="Iklody" fullname="Andras Iklody"><organization abbrev="CIRCL">Computer Incident Response Center Luxembourg</organization><address><postal><street>122, rue Adolphe Fischer</street>
 <city>Luxembourg</city>
-<code>L-1160</code>
+<code>L-1521</code>
 <country>Luxembourg</country>
 </postal><phone>+352 247 88444</phone>
 <email>andras.iklody@circl.lu</email>
@ -278,9 +278,9 @@ represented as an unsigned integer.</t>
 <dt>Other</dt>
 <dd>comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean, anonymised, pgp-public-key, pgp-private-key</dd>
 <dt>Payload delivery</dt>
-<dd>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, filename-pattern, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised</dd>
+<dd>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, filename-pattern, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, azure-application-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised</dd>
 <dt>Payload installation</dt>
-<dd>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma, vulnerability, cpe, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, chrome-extension-id, other, mime-type, anonymised</dd>
+<dd>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma, vulnerability, cpe, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, azure-application-id, azure-application-id, mobile-application-id, chrome-extension-id, other, mime-type, anonymised</dd>
 <dt>Payload type</dt>
 <dd>comment, text, other, anonymised</dd>
 <dt>Persistence mechanism</dt>
@ -454,9 +454,9 @@ id is represented as a JSON string. id <bcp14>SHALL</bcp14> be present.</t>
 <dt>Other</dt>
 <dd>comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean, anonymised, pgp-public-key, pgp-private-key</dd>
 <dt>Payload delivery</dt>
-<dd>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, filename-pattern, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised</dd>
+<dd>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, filename-pattern, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, azure-application-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised</dd>
 <dt>Payload installation</dt>
-<dd>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma, vulnerability, cpe, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, chrome-extension-id, other, mime-type, anonymised</dd>
+<dd>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma, vulnerability, cpe, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, azure-application-id, azure-application-id, mobile-application-id, chrome-extension-id, other, mime-type, anonymised</dd>
 <dt>Payload type</dt>
 <dd>comment, text, other, anonymised</dd>
 <dt>Persistence mechanism</dt>
@ -923,6 +923,11 @@ be anonymised. Sighting is composed of a JSON array in which each element descri
 <td>2</td>
 <td align="center">denotes an attribute which will be expired at the time of the sighting</td>
 </tr>
+
+<tr>
+<td>3</td>
+<td align="center">denotes an attribute which has been seen and confirmed as a true-positive</td>
+</tr>
 </tbody>
 </table><t>uuid <bcp14>MUST</bcp14> be present. uuid references the uuid of the sighted attribute.</t>
 <t>date_sighting <bcp14>MUST</bcp14> be present. date_sighting is expressed in seconds (decimal) elapsed since 1st of January 1970 (Unix timestamp). date_sighting represents when the referenced attribute, designated by its uuid, is sighted.</t>