From 5c4002750b46bc2326c0eebac7dc18224c6c9f6e Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 25 Dec 2023 07:20:33 +0100 Subject: [PATCH] chg: [misp-core] updated to the latest version --- misp-core-format/raw.md | 2 +- misp-core-format/raw.md.html | 50 +++-- misp-core-format/raw.md.txt | 404 +++++++++++++++++------------------ misp-core-format/raw.md.xml | 25 ++- 4 files changed, 245 insertions(+), 236 deletions(-) diff --git a/misp-core-format/raw.md b/misp-core-format/raw.md index 9ad2606..d54e479 100755 --- a/misp-core-format/raw.md +++ b/misp-core-format/raw.md @@ -9,7 +9,7 @@ submissiontype = "independent" [seriesInfo] name = "Internet-Draft" -value = "draft-16" +value = "draft-17" stream = "independent" status = "informational" diff --git a/misp-core-format/raw.md.html b/misp-core-format/raw.md.html index 1feb7f7..2e7ef11 100755 --- a/misp-core-format/raw.md.html +++ b/misp-core-format/raw.md.html @@ -15,7 +15,7 @@ respective key. The format is described to support other implementations which r format and ensuring an interoperability with existing MISP software and other Threat Intelligence Platforms. " name="description"> - + @@ -1190,11 +1190,11 @@ li > p:last-of-type { Internet-Draft MISP core format -February 2022 +December 2023 Dulaunoy & Iklody -Expires 18 August 2022 +Expires 26 June 2024 [Page] @@ -1204,15 +1204,15 @@ li > p:last-of-type {
Workgroup:
Network Working Group
Internet-Draft:
-
draft-00
+
draft-17
Published:
- +
Intended Status:
Informational
Expires:
-
+
Authors:
@@ -1254,7 +1254,7 @@ format and ensuring an interoperability with existing MISP [

- This Internet-Draft will expire on 18 August 2022.

+ This Internet-Draft will expire on 26 June 2024.

Payload delivery
-
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, filename-pattern, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised +
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, filename-pattern, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, azure-application-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised
Payload installation
-
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma, vulnerability, cpe, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, chrome-extension-id, other, mime-type, anonymised +
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma, vulnerability, cpe, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, azure-application-id, azure-application-id, mobile-application-id, chrome-extension-id, other, mime-type, anonymised
Payload type
@@ -2155,11 +2155,11 @@ id is represented as a JSON string. id SHALL be prese
Payload delivery
-
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, filename-pattern, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised +
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, filename-pattern, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, azure-application-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised
Payload installation
-
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma, vulnerability, cpe, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, chrome-extension-id, other, mime-type, anonymised +
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma, vulnerability, cpe, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, azure-application-id, azure-application-id, mobile-application-id, chrome-extension-id, other, mime-type, anonymised
Payload type
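Review bot: The new Payload installation type list in this hunk names `azure-application-id` twice in a row (`x509-fingerprint-sha256, azure-application-id, azure-application-id, mobile-application-id`), whereas the Payload delivery list just above it adds the type once. The same duplicate appears in the earlier copy of this list on the page and in both Payload installation hunks of raw.md.txt, so it presumably comes from the raw.md source, which this commit touches only for the draft number. The fix belongs in raw.md, followed by regenerating the outputs. The draft says category MUST be a valid selection for the chosen type, so implementers who derive validation tables from these lists need unique entries: `x509-fingerprint-sha256, azure-application-id, mobile-application-id, chrome-extension-id`.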
@@ -2918,6 +2918,10 @@ be anonymised. Sighting is composed of a JSON array in which each element descri 2 denotes an attribute which will be expired at the time of the sighting + + 3 + denotes an attribute which has been seen and confirmed as a true-positive +

uuid MUST be present. uuid references the uuid of the sighted attribute.

@@ -3925,8 +3929,8 @@ for the review of the JSON Schema.<
Alexandre Dulaunoy
Computer Incident Response Center Luxembourg
-
16, bd d'Avranches
-
L-L-1160 Luxembourg +
122, rue Adolphe Fischer
+
L-L-1521 Luxembourg
Luxembourg
@@ -3941,8 +3945,8 @@ for the review of the JSON Schema.<
Andras Iklody
Computer Incident Response Center Luxembourg
-
16, bd d'Avranches
-
L-L-1160 Luxembourg +
122, rue Adolphe Fischer
+
L-L-1521 Luxembourg
Luxembourg
diff --git a/misp-core-format/raw.md.txt b/misp-core-format/raw.md.txt index 0b5ee7e..568210e 100755 --- a/misp-core-format/raw.md.txt +++ b/misp-core-format/raw.md.txt @@ -5,11 +5,11 @@ Network Working Group A. Dulaunoy Internet-Draft A. Iklody Intended status: Informational CIRCL -Expires: 18 August 2022 14 February 2022 +Expires: 26 June 2024 24 December 2023 MISP core format - draft-00 + draft-17 Abstract @@ -37,11 +37,11 @@ Status of This Memo time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on 18 August 2022. + This Internet-Draft will expire on 26 June 2024. Copyright Notice - Copyright (c) 2022 IETF Trust and the persons identified as the + Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal @@ -53,9 +53,9 @@ Copyright Notice -Dulaunoy & Iklody Expires 18 August 2022 [Page 1] +Dulaunoy & Iklody Expires 26 June 2024 [Page 1] -Internet-Draft MISP core format February 2022 +Internet-Draft MISP core format December 2023 Table of Contents @@ -109,9 +109,9 @@ Table of Contents -Dulaunoy & Iklody Expires 18 August 2022 [Page 2] +Dulaunoy & Iklody Expires 26 June 2024 [Page 2] -Internet-Draft MISP core format February 2022 +Internet-Draft MISP core format December 2023 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 53 @@ -165,9 +165,9 @@ Internet-Draft MISP core format February 2022 -Dulaunoy & Iklody Expires 18 August 2022 [Page 3] +Dulaunoy & Iklody Expires 26 June 2024 [Page 3] -Internet-Draft MISP core format February 2022 +Internet-Draft MISP core format December 2023 uuid is represented as a JSON string. uuid MUST be present. 
@@ -221,9 +221,9 @@ Internet-Draft MISP core format February 2022 -Dulaunoy & Iklody Expires 18 August 2022 [Page 4] +Dulaunoy & Iklody Expires 26 June 2024 [Page 4] -Internet-Draft MISP core format February 2022 +Internet-Draft MISP core format December 2023 1: Ongoing @@ -277,9 +277,9 @@ Internet-Draft MISP core format February 2022 -Dulaunoy & Iklody Expires 18 August 2022 [Page 5] +Dulaunoy & Iklody Expires 26 June 2024 [Page 5] -Internet-Draft MISP core format February 2022 +Internet-Draft MISP core format December 2023 org_id is represented as a JSON string. org_id MUST be present. @@ -333,9 +333,9 @@ Internet-Draft MISP core format February 2022 -Dulaunoy & Iklody Expires 18 August 2022 [Page 6] +Dulaunoy & Iklody Expires 26 June 2024 [Page 6] -Internet-Draft MISP core format February 2022 +Internet-Draft MISP core format December 2023 2.2.1.15. extends_uuid @@ -389,9 +389,9 @@ Internet-Draft MISP core format February 2022 -Dulaunoy & Iklody Expires 18 August 2022 [Page 7] +Dulaunoy & Iklody Expires 26 June 2024 [Page 7] -Internet-Draft MISP core format February 2022 +Internet-Draft MISP core format December 2023 uuid, name and id are represented as a JSON string. uuid, name and id @@ -445,9 +445,9 @@ Internet-Draft MISP core format February 2022 -Dulaunoy & Iklody Expires 18 August 2022 [Page 8] +Dulaunoy & Iklody Expires 26 June 2024 [Page 8] -Internet-Draft MISP core format February 2022 +Internet-Draft MISP core format December 2023 2.3.2.2. id @@ -501,9 +501,9 @@ Internet-Draft MISP core format February 2022 -Dulaunoy & Iklody Expires 18 August 2022 [Page 9] +Dulaunoy & Iklody Expires 26 June 2024 [Page 9] -Internet-Draft MISP core format February 2022 +Internet-Draft MISP core format December 2023 pattern-in-traffic, pattern-in-memory, filename-pattern, 
@@ -549,17 +549,17 @@ Internet-Draft MISP core format February 2022 jarm-fingerprint, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, - email-thread-index, email-message-id, mobile-application-id, - chrome-extension-id, whois-registrant-email, anonymised + email-thread-index, email-message-id, azure-application-id, + mobile-application-id, chrome-extension-id, whois-registrant- + email, anonymised Payload installation md5, sha1, sha224, sha256, sha384, sha512, - -Dulaunoy & Iklody Expires 18 August 2022 [Page 10] +Dulaunoy & Iklody Expires 26 June 2024 [Page 10] -Internet-Draft MISP core format February 2022 +Internet-Draft MISP core format December 2023 sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, @@ -574,8 +574,9 @@ Internet-Draft MISP core format February 2022 traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma, vulnerability, cpe, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509- - fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, - chrome-extension-id, other, mime-type, anonymised + fingerprint-md5, x509-fingerprint-sha256, azure-application-id, + azure-application-id, mobile-application-id, chrome-extension-id, + other, mime-type, anonymised Payload type comment, text, other, anonymised Persistence mechanism filename, regkey, regkey|value, comment, text, other, hex, anonymised 
@@ -607,17 +608,20 @@ Internet-Draft MISP core format February 2022 selected by the attribute creator, using a list of pre-defined attribute categories. + + + + + +Dulaunoy & Iklody Expires 26 June 2024 [Page 11] + +Internet-Draft MISP core format December 2023 + + category is represented as a JSON string. category MUST be present and it MUST be a valid selection for the chosen type. The list of valid category-type combinations is mentioned above. - - -Dulaunoy & Iklody Expires 18 August 2022 [Page 11] - -Internet-Draft MISP core format February 2022 - - 2.3.2.5. to_ids to_ids represents whether the attribute is meant to be actionable. @@ -662,18 +666,18 @@ Internet-Draft MISP core format February 2022 timestamp is represented as a JSON string. timestamp MUST be present. + + + +Dulaunoy & Iklody Expires 26 June 2024 [Page 12] + +Internet-Draft MISP core format December 2023 + + 2.3.2.9. comment comment is a contextual comment field. - - - -Dulaunoy & Iklody Expires 18 August 2022 [Page 12] - -Internet-Draft MISP core format February 2022 - - comment is represented by a JSON string. comment MAY be present. 2.3.2.10. sharing_group_id @@ -721,13 +725,9 @@ Internet-Draft MISP core format February 2022 - - - - -Dulaunoy & Iklody Expires 18 August 2022 [Page 13] +Dulaunoy & Iklody Expires 26 June 2024 [Page 13] -Internet-Draft MISP core format February 2022 +Internet-Draft MISP core format December 2023 2.3.2.14. ShadowAttribute @@ -781,9 +781,9 @@ Internet-Draft MISP core format February 2022 -Dulaunoy & Iklody Expires 18 August 2022 [Page 14] +Dulaunoy & Iklody Expires 26 June 2024 [Page 14] -Internet-Draft MISP core format February 2022 +Internet-Draft MISP core format December 2023 2.4.1. Sample Attribute Object 
@@ -837,9 +837,9 @@ Internet-Draft MISP core format February 2022 -Dulaunoy & Iklody Expires 18 August 2022 [Page 15] +Dulaunoy & Iklody Expires 26 June 2024 [Page 15] -Internet-Draft MISP core format February 2022 +Internet-Draft MISP core format December 2023 type is represented as a JSON string. type MUST be present and it @@ -893,9 +893,9 @@ Internet-Draft MISP core format February 2022 -Dulaunoy & Iklody Expires 18 August 2022 [Page 16] +Dulaunoy & Iklody Expires 26 June 2024 [Page 16] -Internet-Draft MISP core format February 2022 +Internet-Draft MISP core format December 2023 hostname, domain, domain|ip, mac-address, mac-eui-64, email, @@ -929,9 +929,31 @@ Internet-Draft MISP core format February 2022 jarm-fingerprint, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, - email-thread-index, email-message-id, mobile-application-id, - chrome-extension-id, whois-registrant-email, anonymised + email-thread-index, email-message-id, azure-application-id, + mobile-application-id, chrome-extension-id, whois-registrant- + email, anonymised Payload installation md5, sha1, sha224, sha256, sha384, sha512, + + + + + + + + + + + + + + + + +Dulaunoy & Iklody Expires 26 June 2024 [Page 17] + +Internet-Draft MISP core format December 2023 + + sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, 
@@ -944,16 +966,9 @@ Internet-Draft MISP core format February 2022 traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma, vulnerability, cpe, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509- - fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, - chrome-extension-id, other, mime-type, anonymised - - - -Dulaunoy & Iklody Expires 18 August 2022 [Page 17] - -Internet-Draft MISP core format February 2022 - - + fingerprint-md5, x509-fingerprint-sha256, azure-application-id, + azure-application-id, mobile-application-id, chrome-extension-id, + other, mime-type, anonymised Payload type comment, text, other, anonymised Persistence mechanism filename, regkey, regkey|value, comment, text, other, hex, anonymised @@ -985,6 +1000,16 @@ Internet-Draft MISP core format February 2022 selected by the attribute creator, using a list of pre-defined attribute categories. + + + + + +Dulaunoy & Iklody Expires 26 June 2024 [Page 18] + +Internet-Draft MISP core format December 2023 + + category is represented as a JSON string. category MUST be present and it MUST be a valid selection for the chosen type. The list of valid category-type combinations is mentioned above. @@ -999,17 +1024,6 @@ Internet-Draft MISP core format February 2022 to_ids is represented as a JSON boolean. to_ids MUST be present. - - - - - - -Dulaunoy & Iklody Expires 18 August 2022 [Page 18] - -Internet-Draft MISP core format February 2022 - - 2.4.2.6. event_id event_id represents a human-readable identifier referencing the Event @@ -1044,6 +1058,14 @@ Internet-Draft MISP core format February 2022 timestamp is represented as a JSON string. timestamp MUST be present. + + + +Dulaunoy & Iklody Expires 26 June 2024 [Page 19] + +Internet-Draft MISP core format December 2023 + + 2.4.2.9. comment comment is a contextual comment field. 
@@ -1056,16 +1078,6 @@ Internet-Draft MISP core format February 2022 proposal creator's Organisation object. A human-readable identifier MUST be represented as an unsigned integer. - - - - - -Dulaunoy & Iklody Expires 18 August 2022 [Page 19] - -Internet-Draft MISP core format February 2022 - - Whilst attributes can only be created by the event creator organisation, shadow attributes can be created by third parties. org_id tracks the creator organisation. @@ -1102,6 +1114,14 @@ Internet-Draft MISP core format February 2022 data is represented by a JSON string in base64 encoding. data MUST be set for shadow attributes of type malware-sample and attachment. + + + +Dulaunoy & Iklody Expires 26 June 2024 [Page 20] + +Internet-Draft MISP core format December 2023 + + 2.4.2.14. first_seen first_seen represents a reference time when the attribute was first @@ -1111,17 +1131,6 @@ Internet-Draft MISP core format February 2022 first_seen is represented as a JSON string. first_seen MAY be present. - - - - - - -Dulaunoy & Iklody Expires 18 August 2022 [Page 20] - -Internet-Draft MISP core format February 2022 - - 2.4.2.15. last_seen last_seen represents a reference time when the attribute was last @@ -1157,27 +1166,24 @@ Internet-Draft MISP core format February 2022 2.4.3.1.1. Sample Org Object + + + + + + + +Dulaunoy & Iklody Expires 26 June 2024 [Page 21] + +Internet-Draft MISP core format December 2023 + + "Org": { "id": "2", "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" } - - - - - - - - - - -Dulaunoy & Iklody Expires 18 August 2022 [Page 21] - -Internet-Draft MISP core format February 2022 - - 2.5. Object Objects serve as a contextual bond between a list of attributes @@ -1223,15 +1229,9 @@ Internet-Draft MISP core format February 2022 - - - - - - -Dulaunoy & Iklody Expires 18 August 2022 [Page 22] +Dulaunoy & Iklody Expires 26 June 2024 [Page 22] -Internet-Draft MISP core format February 2022 +Internet-Draft MISP core format December 2023 "Object": { 
@@ -1285,9 +1285,9 @@ Internet-Draft MISP core format February 2022 -Dulaunoy & Iklody Expires 18 August 2022 [Page 23] +Dulaunoy & Iklody Expires 26 June 2024 [Page 23] -Internet-Draft MISP core format February 2022 +Internet-Draft MISP core format December 2023 2.5.2.1. uuid @@ -1341,9 +1341,9 @@ Internet-Draft MISP core format February 2022 -Dulaunoy & Iklody Expires 18 August 2022 [Page 24] +Dulaunoy & Iklody Expires 26 June 2024 [Page 24] -Internet-Draft MISP core format February 2022 +Internet-Draft MISP core format December 2023 template_uuid is represented as a JSON string. template_uuid MUST be @@ -1397,9 +1397,9 @@ Internet-Draft MISP core format February 2022 -Dulaunoy & Iklody Expires 18 August 2022 [Page 25] +Dulaunoy & Iklody Expires 26 June 2024 [Page 25] -Internet-Draft MISP core format February 2022 +Internet-Draft MISP core format December 2023 2.5.2.11. sharing_group_id @@ -1453,9 +1453,9 @@ Internet-Draft MISP core format February 2022 -Dulaunoy & Iklody Expires 18 August 2022 [Page 26] +Dulaunoy & Iklody Expires 26 June 2024 [Page 26] -Internet-Draft MISP core format February 2022 +Internet-Draft MISP core format December 2023 last_seen is represented as a JSON string. last_seen MAY be present. @@ -1509,9 +1509,9 @@ Internet-Draft MISP core format February 2022 -Dulaunoy & Iklody Expires 18 August 2022 [Page 27] +Dulaunoy & Iklody Expires 26 June 2024 [Page 27] -Internet-Draft MISP core format February 2022 +Internet-Draft MISP core format December 2023 2.6.2.3. timestamp @@ -1565,9 +1565,9 @@ Internet-Draft MISP core format February 2022 -Dulaunoy & Iklody Expires 18 August 2022 [Page 28] +Dulaunoy & Iklody Expires 26 June 2024 [Page 28] -Internet-Draft MISP core format February 2022 +Internet-Draft MISP core format December 2023 relationship_type is represented as a JSON string. relationship_type 
@@ -1621,9 +1621,9 @@ Internet-Draft MISP core format February 2022 -Dulaunoy & Iklody Expires 18 August 2022 [Page 29] +Dulaunoy & Iklody Expires 26 June 2024 [Page 29] -Internet-Draft MISP core format February 2022 +Internet-Draft MISP core format December 2023 2.7.2. UUID @@ -1677,9 +1677,9 @@ Internet-Draft MISP core format February 2022 -Dulaunoy & Iklody Expires 18 August 2022 [Page 30] +Dulaunoy & Iklody Expires 26 June 2024 [Page 30] -Internet-Draft MISP core format February 2022 +Internet-Draft MISP core format December 2023 2 Connected Communities @@ -1733,9 +1733,9 @@ Internet-Draft MISP core format February 2022 -Dulaunoy & Iklody Expires 18 August 2022 [Page 31] +Dulaunoy & Iklody Expires 26 June 2024 [Page 31] -Internet-Draft MISP core format February 2022 +Internet-Draft MISP core format December 2023 2.8.1. Sample Tag @@ -1768,6 +1768,9 @@ Internet-Draft MISP core format February 2022 +---------------+------------------------------------------+ | 2 | denotes an attribute which will be | | | expired at the time of the sighting | + +---------------+------------------------------------------+ + | 3 | denotes an attribute which has been seen | + | | and confirmed as a true-positive | +---------------+------------------------------------------+ Table 1 @@ -1780,20 +1783,22 @@ Internet-Draft MISP core format February 2022 date_sighting represents when the referenced attribute, designated by its uuid, is sighted. + + + + + + +Dulaunoy & Iklody Expires 26 June 2024 [Page 32] + +Internet-Draft MISP core format December 2023 + + source MAY be present. source is represented as a JSON string and represents the human-readable version of the sighting source, which can be a given piece of software (e.g. SIEM), device or a specific analytical process. - - - - -Dulaunoy & Iklody Expires 18 August 2022 [Page 32] - -Internet-Draft MISP core format February 2022 - - id, event_id and attribute_id are represented as a JSON string and MAY be present. 
@@ -1840,14 +1845,9 @@ Internet-Draft MISP core format February 2022 - - - - - -Dulaunoy & Iklody Expires 18 August 2022 [Page 33] +Dulaunoy & Iklody Expires 26 June 2024 [Page 33] -Internet-Draft MISP core format February 2022 +Internet-Draft MISP core format December 2023 "Sighting": [ @@ -1901,9 +1901,9 @@ Internet-Draft MISP core format February 2022 -Dulaunoy & Iklody Expires 18 August 2022 [Page 34] +Dulaunoy & Iklody Expires 26 June 2024 [Page 34] -Internet-Draft MISP core format February 2022 +Internet-Draft MISP core format December 2023 "Galaxy": [ { @@ -1957,9 +1957,9 @@ Internet-Draft MISP core format February 2022 -Dulaunoy & Iklody Expires 18 August 2022 [Page 35] +Dulaunoy & Iklody Expires 26 June 2024 [Page 35] -Internet-Draft MISP core format February 2022 +Internet-Draft MISP core format December 2023 3. JSON Schema @@ -2013,9 +2013,9 @@ Internet-Draft MISP core format February 2022 -Dulaunoy & Iklody Expires 18 August 2022 [Page 36] +Dulaunoy & Iklody Expires 26 June 2024 [Page 36] -Internet-Draft MISP core format February 2022 +Internet-Draft MISP core format December 2023 "type": "object", @@ -2069,9 +2069,9 @@ Internet-Draft MISP core format February 2022 -Dulaunoy & Iklody Expires 18 August 2022 [Page 37] +Dulaunoy & Iklody Expires 26 June 2024 [Page 37] -Internet-Draft MISP core format February 2022 +Internet-Draft MISP core format December 2023 "items": { @@ -2125,9 +2125,9 @@ Internet-Draft MISP core format February 2022 -Dulaunoy & Iklody Expires 18 August 2022 [Page 38] +Dulaunoy & Iklody Expires 26 June 2024 [Page 38] -Internet-Draft MISP core format February 2022 +Internet-Draft MISP core format December 2023 "type": "string" @@ -2181,9 +2181,9 @@ Internet-Draft MISP core format February 2022 -Dulaunoy & Iklody Expires 18 August 2022 [Page 39] +Dulaunoy & Iklody Expires 26 June 2024 [Page 39] -Internet-Draft MISP core format February 2022 +Internet-Draft MISP core format December 2023 "type": "string" 
@@ -2237,9 +2237,9 @@ Internet-Draft MISP core format February 2022 -Dulaunoy & Iklody Expires 18 August 2022 [Page 40] +Dulaunoy & Iklody Expires 26 June 2024 [Page 40] -Internet-Draft MISP core format February 2022 +Internet-Draft MISP core format December 2023 "properties": { @@ -2293,9 +2293,9 @@ Internet-Draft MISP core format February 2022 -Dulaunoy & Iklody Expires 18 August 2022 [Page 41] +Dulaunoy & Iklody Expires 26 June 2024 [Page 41] -Internet-Draft MISP core format February 2022 +Internet-Draft MISP core format December 2023 "properties": { @@ -2349,9 +2349,9 @@ Internet-Draft MISP core format February 2022 -Dulaunoy & Iklody Expires 18 August 2022 [Page 42] +Dulaunoy & Iklody Expires 26 June 2024 [Page 42] -Internet-Draft MISP core format February 2022 +Internet-Draft MISP core format December 2023 "properties": { @@ -2405,9 +2405,9 @@ Internet-Draft MISP core format February 2022 -Dulaunoy & Iklody Expires 18 August 2022 [Page 43] +Dulaunoy & Iklody Expires 26 June 2024 [Page 43] -Internet-Draft MISP core format February 2022 +Internet-Draft MISP core format December 2023 }, @@ -2461,9 +2461,9 @@ Internet-Draft MISP core format February 2022 -Dulaunoy & Iklody Expires 18 August 2022 [Page 44] +Dulaunoy & Iklody Expires 26 June 2024 [Page 44] -Internet-Draft MISP core format February 2022 +Internet-Draft MISP core format December 2023 }, @@ -2517,9 +2517,9 @@ Internet-Draft MISP core format February 2022 -Dulaunoy & Iklody Expires 18 August 2022 [Page 45] +Dulaunoy & Iklody Expires 26 June 2024 [Page 45] -Internet-Draft MISP core format February 2022 +Internet-Draft MISP core format December 2023 "type": "string" @@ -2573,9 +2573,9 @@ Internet-Draft MISP core format February 2022 -Dulaunoy & Iklody Expires 18 August 2022 [Page 46] +Dulaunoy & Iklody Expires 26 June 2024 [Page 46] -Internet-Draft MISP core format February 2022 +Internet-Draft MISP core format December 2023 "uniqueItems": true, 
@@ -2629,9 +2629,9 @@ Internet-Draft MISP core format February 2022 -Dulaunoy & Iklody Expires 18 August 2022 [Page 47] +Dulaunoy & Iklody Expires 26 June 2024 [Page 47] -Internet-Draft MISP core format February 2022 +Internet-Draft MISP core format December 2023 "type": "boolean" @@ -2685,9 +2685,9 @@ Internet-Draft MISP core format February 2022 -Dulaunoy & Iklody Expires 18 August 2022 [Page 48] +Dulaunoy & Iklody Expires 26 June 2024 [Page 48] -Internet-Draft MISP core format February 2022 +Internet-Draft MISP core format December 2023 "type": "object", @@ -2741,9 +2741,9 @@ Internet-Draft MISP core format February 2022 -Dulaunoy & Iklody Expires 18 August 2022 [Page 49] +Dulaunoy & Iklody Expires 26 June 2024 [Page 49] -Internet-Draft MISP core format February 2022 +Internet-Draft MISP core format December 2023 "Event": { @@ -2797,9 +2797,9 @@ Internet-Draft MISP core format February 2022 -Dulaunoy & Iklody Expires 18 August 2022 [Page 50] +Dulaunoy & Iklody Expires 26 June 2024 [Page 50] -Internet-Draft MISP core format February 2022 +Internet-Draft MISP core format December 2023 If a detached PGP signature is used for each MISP event, a detached @@ -2853,9 +2853,9 @@ Internet-Draft MISP core format February 2022 -Dulaunoy & Iklody Expires 18 August 2022 [Page 51] +Dulaunoy & Iklody Expires 26 June 2024 [Page 51] -Internet-Draft MISP core format February 2022 +Internet-Draft MISP core format December 2023 "name": "malware_classification:malware-category=\"Ransomware\"" @@ -2909,9 +2909,9 @@ Internet-Draft MISP core format February 2022 -Dulaunoy & Iklody Expires 18 August 2022 [Page 52] +Dulaunoy & Iklody Expires 26 June 2024 [Page 52] -Internet-Draft MISP core format February 2022 +Internet-Draft MISP core format December 2023 [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally 
@@ -2952,8 +2952,8 @@ Authors' Addresses Alexandre Dulaunoy Computer Incident Response Center Luxembourg - 16, bd d'Avranches - L-L-1160 Luxembourg + 122, rue Adolphe Fischer + L-L-1521 Luxembourg Luxembourg Phone: +352 247 88444 @@ -2965,15 +2965,15 @@ Authors' Addresses -Dulaunoy & Iklody Expires 18 August 2022 [Page 53] +Dulaunoy & Iklody Expires 26 June 2024 [Page 53] -Internet-Draft MISP core format February 2022 +Internet-Draft MISP core format December 2023 Andras Iklody Computer Incident Response Center Luxembourg - 16, bd d'Avranches - L-L-1160 Luxembourg + 122, rue Adolphe Fischer + L-L-1521 Luxembourg Luxembourg Phone: +352 247 88444 @@ -3021,4 +3021,4 @@ Internet-Draft MISP core format February 2022 -Dulaunoy & Iklody Expires 18 August 2022 [Page 54] +Dulaunoy & Iklody Expires 26 June 2024 [Page 54] diff --git a/misp-core-format/raw.md.xml b/misp-core-format/raw.md.xml index 847f5bf..5a3a6c9 100755 --- a/misp-core-format/raw.md.xml +++ b/misp-core-format/raw.md.xml @@ -1,18 +1,18 @@ - + -MISP core format -Computer Incident Response Center Luxembourg
16, bd d'Avranches +MISP core format +Computer Incident Response Center Luxembourg
122, rue Adolphe Fischer Luxembourg -L-1160 +L-1521 Luxembourg +352 247 88444 alexandre.dulaunoy@circl.lu -
Computer Incident Response Center Luxembourg
16, bd d'Avranches +
Computer Incident Response Center Luxembourg
122, rue Adolphe Fischer Luxembourg -L-1160 +L-1521 Luxembourg +352 247 88444 andras.iklody@circl.lu @@ -278,9 +278,9 @@ represented as an unsigned integer.
Other
comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean, anonymised, pgp-public-key, pgp-private-key
Payload delivery
-
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, filename-pattern, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised
+
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, filename-pattern, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, azure-application-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised
Payload installation
-
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma, vulnerability, cpe, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, chrome-extension-id, other, mime-type, anonymised
+
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma, vulnerability, cpe, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, azure-application-id, azure-application-id, mobile-application-id, chrome-extension-id, other, mime-type, anonymised
Payload type
comment, text, other, anonymised
Persistence mechanism
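Review bot: The new "Payload installation" type list names `azure-application-id` twice in a row, while the "Payload delivery" list above it adds the type once. The same duplicate appears in the second copy of the list in the `@@ -454,9 +454,9 @@` hunk. An implementer who derives a per-category allow-list or a uniqueness-checked enum from this text gets a redundant entry, so the added run should read `x509-fingerprint-sha256, azure-application-id, mobile-application-id, chrome-extension-id`. This XML looks rendered from the draft's source, so the correction presumably belongs wherever that list is maintained, with the outputs regenerated afterwards.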
@@ -454,9 +454,9 @@ id is represented as a JSON string. id SHALL be present.
Other
comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean, anonymised, pgp-public-key, pgp-private-key
Payload delivery
-
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, filename-pattern, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised
+
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, filename-pattern, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, azure-application-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised
Payload installation
-
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma, vulnerability, cpe, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, chrome-extension-id, other, mime-type, anonymised
+
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma, vulnerability, cpe, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, azure-application-id, azure-application-id, mobile-application-id, chrome-extension-id, other, mime-type, anonymised
Payload type
comment, text, other, anonymised
Persistence mechanism
@@ -923,6 +923,11 @@ be anonymised. Sighting is composed of a JSON array in which each element descri 2 denotes an attribute which will be expired at the time of the sighting + + +3 +denotes an attribute which has been seen and confirmed as a true-positive + uuid MUST be present. uuid references the uuid of the sighted attribute. date_sighting MUST be present. date_sighting is expressed in seconds (decimal) elapsed since 1st of January 1970 (Unix timestamp). date_sighting represents when the referenced attribute, designated by its uuid, is sighted.