From 695b25ab7c8b70892b6b037351b0b123ebbe5406 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy <a@foo.be>
Date: Mon, 14 Feb 2022 16:35:27 +0100
Subject: [PATCH] chg: [core] updated output

---
 misp-core-format/raw.md.html | 4687 ++++++++++++++++++++++------------
 misp-core-format/raw.md.txt  | 1642 ++++++------
 misp-core-format/raw.md.xml  | 2847 +++++++++------------
 3 files changed, 5136 insertions(+), 4040 deletions(-)

diff --git a/misp-core-format/raw.md.html b/misp-core-format/raw.md.html
index 7aa2194..12f6de1 100755
--- a/misp-core-format/raw.md.html
+++ b/misp-core-format/raw.md.html
@@ -1,784 +1,1773 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" 
-  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<!DOCTYPE html>
+<html lang="en" class="Internet-Draft">
+<head>
+<meta charset="utf-8">
+<meta content="Common,Latin" name="scripts">
+<meta content="initial-scale=1.0" name="viewport">
+<title>MISP core format</title>
+<meta content="Alexandre Dulaunoy" name="author">
+<meta content="Andras Iklody" name="author">
+<meta content="
+       This document describes the MISP core format used to exchange indicators and threat information between
+MISP (Open Source Threat Intelligence Sharing Platform formerly known as Malware Information Sharing Platform) instances.
+The JSON format includes the overall structure along with the semantic associated for each
+respective key. The format is described to support other implementations which reuse the
+format and ensuring an interoperability with existing MISP   software and other Threat Intelligence Platforms. 
+    " name="description">
+<meta content="xml2rfc 3.12.1" name="generator">
+<meta content="draft-00" name="ietf.draft">
+<!-- Generator version information:
+  xml2rfc 3.12.1
+    Python 3.8.10
+    appdirs 1.4.4
+    ConfigArgParse 1.5.3
+    google-i18n-address 2.5.0
+    html5lib 1.1
+    intervaltree 3.1.0
+    Jinja2 2.11.3
+    kitchen 1.2.6
+    lxml 4.7.1
+    pycairo 1.16.2
+    pycountry 22.1.10
+    pyflakes 2.4.0
+    PyYAML 5.4.1
+    requests 2.24.0
+    setuptools 45.2.0
+    six 1.15.0
+-->
+<link href="raw.md.xml" rel="alternate" type="application/rfc+xml">
+<link href="#copyright" rel="license">
+<style type="text/css">/*
 
-<html lang="en" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
-<head profile="http://www.w3.org/2006/03/hcard http://dublincore.org/documents/2008/08/04/dc-html/">
-  <meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
+  NOTE: Changes at the bottom of this file overrides some earlier settings.
 
-  <title>MISP core format</title>
+  Once the style has stabilized and has been adopted as an official RFC style,
+  this can be consolidated so that style settings occur only in one place, but
+  for now the contents of this file consists first of the initial CSS work as
+  provided to the RFC Formatter (xml2rfc) work, followed by itemized and
+  commented changes found necssary during the development of the v3
+  formatters.
 
-  <style type="text/css" title="Xml2Rfc (sans serif)">
-  /*<![CDATA[*/
-	  a {
-	  text-decoration: none;
-	  }
-      /* info code from SantaKlauss at http://www.madaboutstyle.com/tooltip2.html */
-      a.info {
-          /* This is the key. */
-          position: relative;
-          z-index: 24;
-          text-decoration: none;
-      }
-      a.info:hover {
-          z-index: 25;
-          color: #FFF; background-color: #900;
-      }
-      a.info span { display: none; }
-      a.info:hover span.info {
-          /* The span will display just on :hover state. */
-          display: block;
-          position: absolute;
-          font-size: smaller;
-          top: 2em; left: -5em; width: 15em;
-          padding: 2px; border: 1px solid #333;
-          color: #900; background-color: #EEE;
-          text-align: left;
-      }
-	  a.smpl {
-	  color: black;
-	  }
-	  a:hover {
-	  text-decoration: underline;
-	  }
-	  a:active {
-	  text-decoration: underline;
-	  }
-	  address {
-	  margin-top: 1em;
-	  margin-left: 2em;
-	  font-style: normal;
-	  }
-	  body {
-	  color: black;
-	  font-family: verdana, helvetica, arial, sans-serif;
-	  font-size: 10pt;
-	  max-width: 55em;
-	  
-	  }
-	  cite {
-	  font-style: normal;
-	  }
-	  dd {
-	  margin-right: 2em;
-	  }
-	  dl {
-	  margin-left: 2em;
-	  }
-	
-	  ul.empty {
-	  list-style-type: none;
-	  }
-	  ul.empty li {
-	  margin-top: .5em;
-	  }
-	  dl p {
-	  margin-left: 0em;
-	  }
-	  dt {
-	  margin-top: .5em;
-	  }
-	  h1 {
-	  font-size: 14pt;
-	  line-height: 21pt;
-	  page-break-after: avoid;
-	  }
-	  h1.np {
-	  page-break-before: always;
-	  }
-	  h1 a {
-	  color: #333333;
-	  }
-	  h2 {
-	  font-size: 12pt;
-	  line-height: 15pt;
-	  page-break-after: avoid;
-	  }
-	  h3, h4, h5, h6 {
-	  font-size: 10pt;
-	  page-break-after: avoid;
-	  }
-	  h2 a, h3 a, h4 a, h5 a, h6 a {
-	  color: black;
-	  }
-	  img {
-	  margin-left: 3em;
-	  }
-	  li {
-	  margin-left: 2em;
-	  margin-right: 2em;
-	  }
-	  ol {
-	  margin-left: 2em;
-	  margin-right: 2em;
-	  }
-	  ol p {
-	  margin-left: 0em;
-	  }
-	  p {
-	  margin-left: 2em;
-	  margin-right: 2em;
-	  }
-	  pre {
-	  margin-left: 3em;
-	  background-color: lightyellow;
-	  padding: .25em;
-	  }
-	  pre.text2 {
-	  border-style: dotted;
-	  border-width: 1px;
-	  background-color: #f0f0f0;
-	  width: 69em;
-	  }
-	  pre.inline {
-	  background-color: white;
-	  padding: 0em;
-	  }
-	  pre.text {
-	  border-style: dotted;
-	  border-width: 1px;
-	  background-color: #f8f8f8;
-	  width: 69em;
-	  }
-	  pre.drawing {
-	  border-style: solid;
-	  border-width: 1px;
-	  background-color: #f8f8f8;
-	  padding: 2em;
-	  }
-	  table {
-	  margin-left: 2em;
-	  }
-	  table.tt {
-	  vertical-align: top;
-	  }
-	  table.full {
-	  border-style: outset;
-	  border-width: 1px;
-	  }
-	  table.headers {
-	  border-style: outset;
-	  border-width: 1px;
-	  }
-	  table.tt td {
-	  vertical-align: top;
-	  }
-	  table.full td {
-	  border-style: inset;
-	  border-width: 1px;
-	  }
-	  table.tt th {
-	  vertical-align: top;
-	  }
-	  table.full th {
-	  border-style: inset;
-	  border-width: 1px;
-	  }
-	  table.headers th {
-	  border-style: none none inset none;
-	  border-width: 1px;
-	  }
-	  table.left {
-	  margin-right: auto;
-	  }
-	  table.right {
-	  margin-left: auto;
-	  }
-	  table.center {
-	  margin-left: auto;
-	  margin-right: auto;
-	  }
-	  caption {
-	  caption-side: bottom;
-	  font-weight: bold;
-	  font-size: 9pt;
-	  margin-top: .5em;
-	  }
-	
-	  table.header {
-	  border-spacing: 1px;
-	  width: 95%;
-	  font-size: 10pt;
-	  color: white;
-	  }
-	  td.top {
-	  vertical-align: top;
-	  }
-	  td.topnowrap {
-	  vertical-align: top;
-	  white-space: nowrap; 
-	  }
-	  table.header td {
-	  background-color: gray;
-	  width: 50%;
-	  }
-	  table.header a {
-	  color: white;
-	  }
-	  td.reference {
-	  vertical-align: top;
-	  white-space: nowrap;
-	  padding-right: 1em;
-	  }
-	  thead {
-	  display:table-header-group;
-	  }
-	  ul.toc, ul.toc ul {
-	  list-style: none;
-	  margin-left: 1.5em;
-	  margin-right: 0em;
-	  padding-left: 0em;
-	  }
-	  ul.toc li {
-	  line-height: 150%;
-	  font-weight: bold;
-	  font-size: 10pt;
-	  margin-left: 0em;
-	  margin-right: 0em;
-	  }
-	  ul.toc li li {
-	  line-height: normal;
-	  font-weight: normal;
-	  font-size: 9pt;
-	  margin-left: 0em;
-	  margin-right: 0em;
-	  }
-	  li.excluded {
-	  font-size: 0pt;
-	  }
-	  ul p {
-	  margin-left: 0em;
-	  }
-	
-	  .comment {
-	  background-color: yellow;
-	  }
-	  .center {
-	  text-align: center;
-	  }
-	  .error {
-	  color: red;
-	  font-style: italic;
-	  font-weight: bold;
-	  }
-	  .figure {
-	  font-weight: bold;
-	  text-align: center;
-	  font-size: 9pt;
-	  }
-	  .filename {
-	  color: #333333;
-	  font-weight: bold;
-	  font-size: 12pt;
-	  line-height: 21pt;
-	  text-align: center;
-	  }
-	  .fn {
-	  font-weight: bold;
-	  }
-	  .hidden {
-	  display: none;
-	  }
-	  .left {
-	  text-align: left;
-	  }
-	  .right {
-	  text-align: right;
-	  }
-	  .title {
-	  color: #990000;
-	  font-size: 18pt;
-	  line-height: 18pt;
-	  font-weight: bold;
-	  text-align: center;
-	  margin-top: 36pt;
-	  }
-	  .vcardline {
-	  display: block;
-	  }
-	  .warning {
-	  font-size: 14pt;
-	  background-color: yellow;
-	  }
-	
-	
-	  @media print {
-	  .noprint {
-		display: none;
-	  }
-	
-	  a {
-		color: black;
-		text-decoration: none;
-	  }
-	
-	  table.header {
-		width: 90%;
-	  }
-	
-	  td.header {
-		width: 50%;
-		color: black;
-		background-color: white;
-		vertical-align: top;
-		font-size: 12pt;
-	  }
-	
-	  ul.toc a::after {
-		content: leader('.') target-counter(attr(href), page);
-	  }
-	
-	  ul.ind li li a {
-		content: target-counter(attr(href), page);
-	  }
-	
-	  .print2col {
-		column-count: 2;
-		-moz-column-count: 2;
-		column-fill: auto;
-	  }
-	  }
-	
-	  @page {
-	  @top-left {
-		   content: "Internet-Draft"; 
-	  } 
-	  @top-right {
-		   content: "December 2010"; 
-	  } 
-	  @top-center {
-		   content: "Abbreviated Title";
-	  } 
-	  @bottom-left {
-		   content: "Doe"; 
-	  } 
-	  @bottom-center {
-		   content: "Expires June 2011"; 
-	  } 
-	  @bottom-right {
-		   content: "[Page " counter(page) "]"; 
-	  } 
-	  }
-	
-	  @page:first { 
-		@top-left {
-		  content: normal;
-		}
-		@top-right {
-		  content: normal;
-		}
-		@top-center {
-		  content: normal;
-		}
-	  }
-  /*]]>*/
-  </style>
+*/
 
-  <link href="#rfc.toc" rel="Contents">
-<link href="#rfc.section.1" rel="Chapter" title="1 Introduction">
-<link href="#rfc.section.1.1" rel="Chapter" title="1.1 Conventions and Terminology">
-<link href="#rfc.section.2" rel="Chapter" title="2 Format">
-<link href="#rfc.section.2.1" rel="Chapter" title="2.1 Overview">
-<link href="#rfc.section.2.2" rel="Chapter" title="2.2 Event">
-<link href="#rfc.section.2.2.1" rel="Chapter" title="2.2.1 Event Attributes">
-<link href="#rfc.section.2.3" rel="Chapter" title="2.3 Objects">
-<link href="#rfc.section.2.3.1" rel="Chapter" title="2.3.1 Org">
-<link href="#rfc.section.2.3.2" rel="Chapter" title="2.3.2 Orgc">
-<link href="#rfc.section.2.4" rel="Chapter" title="2.4 Attribute">
-<link href="#rfc.section.2.4.1" rel="Chapter" title="2.4.1 Sample Attribute Object">
-<link href="#rfc.section.2.4.2" rel="Chapter" title="2.4.2 Attribute Attributes">
-<link href="#rfc.section.2.5" rel="Chapter" title="2.5 ShadowAttribute">
-<link href="#rfc.section.2.5.1" rel="Chapter" title="2.5.1 Sample Attribute Object">
-<link href="#rfc.section.2.5.2" rel="Chapter" title="2.5.2 ShadowAttribute Attributes">
-<link href="#rfc.section.2.5.3" rel="Chapter" title="2.5.3 Org">
-<link href="#rfc.section.2.6" rel="Chapter" title="2.6 Object">
-<link href="#rfc.section.2.6.1" rel="Chapter" title="2.6.1 Sample Object">
-<link href="#rfc.section.2.6.2" rel="Chapter" title="2.6.2 Object Attributes">
-<link href="#rfc.section.2.7" rel="Chapter" title="2.7 Object References">
-<link href="#rfc.section.2.7.1" rel="Chapter" title="2.7.1 Sample ObjectReference object">
-<link href="#rfc.section.2.7.2" rel="Chapter" title="2.7.2 ObjectReference Attributes">
-<link href="#rfc.section.2.8" rel="Chapter" title="2.8 EventReport">
-<link href="#rfc.section.2.8.1" rel="Chapter" title="2.8.1 id">
-<link href="#rfc.section.2.8.2" rel="Chapter" title="2.8.2 UUID">
-<link href="#rfc.section.2.8.3" rel="Chapter" title="2.8.3 event_id">
-<link href="#rfc.section.2.8.4" rel="Chapter" title="2.8.4 name">
-<link href="#rfc.section.2.8.5" rel="Chapter" title="2.8.5 content">
-<link href="#rfc.section.2.8.6" rel="Chapter" title="2.8.6 distribution">
-<link href="#rfc.section.2.8.7" rel="Chapter" title="2.8.7 sharing_group_id">
-<link href="#rfc.section.2.8.8" rel="Chapter" title="2.8.8 timestamp">
-<link href="#rfc.section.2.8.9" rel="Chapter" title="2.8.9 deleted">
-<link href="#rfc.section.2.9" rel="Chapter" title="2.9 Tag">
-<link href="#rfc.section.2.9.1" rel="Chapter" title="2.9.1 Sample Tag">
-<link href="#rfc.section.2.10" rel="Chapter" title="2.10 Sighting">
-<link href="#rfc.section.2.10.1" rel="Chapter" title="2.10.1 Sample Sighting">
-<link href="#rfc.section.2.11" rel="Chapter" title="2.11 Galaxy">
-<link href="#rfc.section.2.11.1" rel="Chapter" title="2.11.1 Sample Galaxy">
-<link href="#rfc.section.3" rel="Chapter" title="3 JSON Schema">
-<link href="#rfc.section.4" rel="Chapter" title="4 Manifest">
-<link href="#rfc.section.4.1" rel="Chapter" title="4.1 Format">
-<link href="#rfc.section.4.1.1" rel="Chapter" title="4.1.1 Sample Manifest">
-<link href="#rfc.section.5" rel="Chapter" title="5 Implementation">
-<link href="#rfc.section.6" rel="Chapter" title="6 Security Considerations">
-<link href="#rfc.section.7" rel="Chapter" title="7 Acknowledgements">
-<link href="#rfc.section.8" rel="Chapter" title="8 References">
-<link href="#rfc.references" rel="Chapter" title="9 References">
-<link href="#rfc.references.1" rel="Chapter" title="9.1 Normative References">
-<link href="#rfc.references.2" rel="Chapter" title="9.2 Informative References">
-<link href="#rfc.authors" rel="Chapter">
+/* fonts */
+@import url('https://fonts.googleapis.com/css?family=Noto+Sans'); /* Sans-serif */
+@import url('https://fonts.googleapis.com/css?family=Noto+Serif'); /* Serif (print) */
+@import url('https://fonts.googleapis.com/css?family=Roboto+Mono'); /* Monospace */
+
+@viewport {
+  zoom: 1.0;
+  width: extend-to-zoom;
+}
+@-ms-viewport {
+  width: extend-to-zoom;
+  zoom: 1.0;
+}
+/* general and mobile first */
+html {
+}
+body {
+  max-width: 90%;
+  margin: 1.5em auto;
+  color: #222;
+  background-color: #fff;
+  font-size: 14px;
+  font-family: 'Noto Sans', Arial, Helvetica, sans-serif;
+  line-height: 1.6;
+  scroll-behavior: smooth;
+}
+.ears {
+  display: none;
+}
+
+/* headings */
+#title, h1, h2, h3, h4, h5, h6 {
+  margin: 1em 0 0.5em;
+  font-weight: bold;
+  line-height: 1.3;
+}
+#title {
+  clear: both;
+  border-bottom: 1px solid #ddd;
+  margin: 0 0 0.5em 0;
+  padding: 1em 0 0.5em;
+}
+.author {
+  padding-bottom: 4px;
+}
+h1 {
+  font-size: 26px;
+  margin: 1em 0;
+}
+h2 {
+  font-size: 22px;
+  margin-top: -20px;  /* provide offset for in-page anchors */
+  padding-top: 33px;
+}
+h3 {
+  font-size: 18px;
+  margin-top: -36px;  /* provide offset for in-page anchors */
+  padding-top: 42px;
+}
+h4 {
+  font-size: 16px;
+  margin-top: -36px;  /* provide offset for in-page anchors */
+  padding-top: 42px;
+}
+h5, h6 {
+  font-size: 14px;
+}
+#n-copyright-notice {
+  border-bottom: 1px solid #ddd;
+  padding-bottom: 1em;
+  margin-bottom: 1em;
+}
+/* general structure */
+p {
+  padding: 0;
+  margin: 0 0 1em 0;
+  text-align: left;
+}
+div, span {
+  position: relative;
+}
+div {
+  margin: 0;
+}
+.alignRight.art-text {
+  background-color: #f9f9f9;
+  border: 1px solid #eee;
+  border-radius: 3px;
+  padding: 1em 1em 0;
+  margin-bottom: 1.5em;
+}
+.alignRight.art-text pre {
+  padding: 0;
+}
+.alignRight {
+  margin: 1em 0;
+}
+.alignRight > *:first-child {
+  border: none;
+  margin: 0;
+  float: right;
+  clear: both;
+}
+.alignRight > *:nth-child(2) {
+  clear: both;
+  display: block;
+  border: none;
+}
+svg {
+  display: block;
+}
+.alignCenter.art-text {
+  background-color: #f9f9f9;
+  border: 1px solid #eee;
+  border-radius: 3px;
+  padding: 1em 1em 0;
+  margin-bottom: 1.5em;
+}
+.alignCenter.art-text pre {
+  padding: 0;
+}
+.alignCenter {
+  margin: 1em 0;
+}
+.alignCenter > *:first-child {
+  border: none;
+  /* this isn't optimal, but it's an existence proof.  PrinceXML doesn't
+     support flexbox yet.
+  */
+  display: table;
+  margin: 0 auto;
+}
+
+/* lists */
+ol, ul {
+  padding: 0;
+  margin: 0 0 1em 2em;
+}
+ol ol, ul ul, ol ul, ul ol {
+  margin-left: 1em;
+}
+li {
+  margin: 0 0 0.25em 0;
+}
+.ulCompact li {
+  margin: 0;
+}
+ul.empty, .ulEmpty {
+  list-style-type: none;
+}
+ul.empty li, .ulEmpty li {
+  margin-top: 0.5em;
+}
+ul.ulBare, li.ulBare {
+  margin-left: 0em !important;
+}
+ul.compact, .ulCompact,
+ol.compact, .olCompact {
+  line-height: 100%;
+  margin: 0 0 0 2em;
+}
+
+/* definition lists */
+dl {
+}
+dl > dt {
+  float: left;
+  margin-right: 1em;
+}
+/* 
+dl.nohang > dt {
+  float: none;
+}
+*/
+dl > dd {
+  margin-bottom: .8em;
+  min-height: 1.3em;
+}
+dl.compact > dd, .dlCompact > dd {
+  margin-bottom: 0em;
+}
+dl > dd > dl {
+  margin-top: 0.5em;
+  margin-bottom: 0em;
+}
+
+/* links */
+a {
+  text-decoration: none;
+}
+a[href] {
+  color: #22e; /* Arlen: WCAG 2019 */
+}
+a[href]:hover {
+  background-color: #f2f2f2;
+}
+figcaption a[href],
+a[href].selfRef {
+  color: #222;
+}
+/* XXX probably not this:
+a.selfRef:hover {
+  background-color: transparent;
+  cursor: default;
+} */
+
+/* Figures */
+tt, code, pre, code {
+  background-color: #f9f9f9;
+  font-family: 'Roboto Mono', monospace;
+}
+pre {
+  border: 1px solid #eee;
+  margin: 0;
+  padding: 1em;
+}
+img {
+  max-width: 100%;
+}
+figure {
+  margin: 0;
+}
+figure blockquote {
+  margin: 0.8em 0.4em 0.4em;
+}
+figcaption {
+  font-style: italic;
+  margin: 0 0 1em 0;
+}
+@media screen {
+  pre {
+    overflow-x: auto;
+    max-width: 100%;
+    max-width: calc(100% - 22px);
+  }
+}
+
+/* aside, blockquote */
+aside, blockquote {
+  margin-left: 0;
+  padding: 1.2em 2em;
+}
+blockquote {
+  background-color: #f9f9f9;
+  color: #111; /* Arlen: WCAG 2019 */
+  border: 1px solid #ddd;
+  border-radius: 3px;
+  margin: 1em 0;
+}
+cite {
+  display: block;
+  text-align: right;
+  font-style: italic;
+}
+
+/* tables */
+table {
+  width: 100%;
+  margin: 0 0 1em;
+  border-collapse: collapse;
+  border: 1px solid #eee;
+}
+th, td {
+  text-align: left;
+  vertical-align: top;
+  padding: 0.5em 0.75em;
+}
+th {
+  text-align: left;
+  background-color: #e9e9e9;
+}
+tr:nth-child(2n+1) > td {
+  background-color: #f5f5f5;
+}
+table caption {
+  font-style: italic;
+  margin: 0;
+  padding: 0;
+  text-align: left;
+}
+table p {
+  /* XXX to avoid bottom margin on table row signifiers. If paragraphs should
+     be allowed within tables more generally, it would be far better to select on a class. */
+  margin: 0;
+}
+
+/* pilcrow */
+a.pilcrow {
+  color: #666; /* Arlen: AHDJ 2019 */
+  text-decoration: none;
+  visibility: hidden;
+  user-select: none;
+  -ms-user-select: none;
+  -o-user-select:none;
+  -moz-user-select: none;
+  -khtml-user-select: none;
+  -webkit-user-select: none;
+  -webkit-touch-callout: none;
+}
+@media screen {
+  aside:hover > a.pilcrow,
+  p:hover > a.pilcrow,
+  blockquote:hover > a.pilcrow,
+  div:hover > a.pilcrow,
+  li:hover > a.pilcrow,
+  pre:hover > a.pilcrow {
+    visibility: visible;
+  }
+  a.pilcrow:hover {
+    background-color: transparent;
+  }
+}
+
+/* misc */
+hr {
+  border: 0;
+  border-top: 1px solid #eee;
+}
+.bcp14 {
+  font-variant: small-caps;
+}
+
+.role {
+  font-variant: all-small-caps;
+}
+
+/* info block */
+#identifiers {
+  margin: 0;
+  font-size: 0.9em;
+}
+#identifiers dt {
+  width: 3em;
+  clear: left;
+}
+#identifiers dd {
+  float: left;
+  margin-bottom: 0;
+}
+/* Fix PDF info block run off issue */
+@media print {
+  #identifiers dd {
+    float: none;
+  }
+}
+#identifiers .authors .author {
+  display: inline-block;
+  margin-right: 1.5em;
+}
+#identifiers .authors .org {
+  font-style: italic;
+}
+
+/* The prepared/rendered info at the very bottom of the page */
+.docInfo {
+  color: #666; /* Arlen: WCAG 2019 */
+  font-size: 0.9em;
+  font-style: italic;
+  margin-top: 2em;
+}
+.docInfo .prepared {
+  float: left;
+}
+.docInfo .prepared {
+  float: right;
+}
+
+/* table of contents */
+#toc  {
+  padding: 0.75em 0 2em 0;
+  margin-bottom: 1em;
+}
+nav.toc ul {
+  margin: 0 0.5em 0 0;
+  padding: 0;
+  list-style: none;
+}
+nav.toc li {
+  line-height: 1.3em;
+  margin: 0.75em 0;
+  padding-left: 1.2em;
+  text-indent: -1.2em;
+}
+/* references */
+.references dt {
+  text-align: right;
+  font-weight: bold;
+  min-width: 7em;
+}
+.references dd {
+  margin-left: 8em;
+  overflow: auto;
+}
+
+.refInstance {
+  margin-bottom: 1.25em;
+}
+
+.references .ascii {
+  margin-bottom: 0.25em;
+}
+
+/* index */
+.index ul {
+  margin: 0 0 0 1em;
+  padding: 0;
+  list-style: none;
+}
+.index ul ul {
+  margin: 0;
+}
+.index li {
+  margin: 0;
+  text-indent: -2em;
+  padding-left: 2em;
+  padding-bottom: 5px;
+}
+.indexIndex {
+  margin: 0.5em 0 1em;
+}
+.index a {
+  font-weight: 700;
+}
+/* make the index two-column on all but the smallest screens */
+@media (min-width: 600px) {
+  .index ul {
+    -moz-column-count: 2;
+    -moz-column-gap: 20px;
+  }
+  .index ul ul {
+    -moz-column-count: 1;
+    -moz-column-gap: 0;
+  }
+}
+
+/* authors */
+address.vcard {
+  font-style: normal;
+  margin: 1em 0;
+}
+
+address.vcard .nameRole {
+  font-weight: 700;
+  margin-left: 0;
+}
+address.vcard .label {
+  font-family: "Noto Sans",Arial,Helvetica,sans-serif;
+  margin: 0.5em 0;
+}
+address.vcard .type {
+  display: none;
+}
+.alternative-contact {
+  margin: 1.5em 0 1em;
+}
+hr.addr {
+  border-top: 1px dashed;
+  margin: 0;
+  color: #ddd;
+  max-width: calc(100% - 16px);
+}
+
+/* temporary notes */
+.rfcEditorRemove::before {
+  position: absolute;
+  top: 0.2em;
+  right: 0.2em;
+  padding: 0.2em;
+  content: "The RFC Editor will remove this note";
+  color: #9e2a00; /* Arlen: WCAG 2019 */
+  background-color: #ffd; /* Arlen: WCAG 2019 */
+}
+.rfcEditorRemove {
+  position: relative;
+  padding-top: 1.8em;
+  background-color: #ffd; /* Arlen: WCAG 2019 */
+  border-radius: 3px;
+}
+.cref {
+  background-color: #ffd; /* Arlen: WCAG 2019 */
+  padding: 2px 4px;
+}
+.crefSource {
+  font-style: italic;
+}
+/* alternative layout for smaller screens */
+@media screen and (max-width: 1023px) {
+  body {
+    padding-top: 2em;
+  }
+  #title {
+    padding: 1em 0;
+  }
+  h1 {
+    font-size: 24px;
+  }
+  h2 {
+    font-size: 20px;
+    margin-top: -18px;  /* provide offset for in-page anchors */
+    padding-top: 38px;
+  }
+  #identifiers dd {
+    max-width: 60%;
+  }
+  #toc {
+    position: fixed;
+    z-index: 2;
+    top: 0;
+    right: 0;
+    padding: 0;
+    margin: 0;
+    background-color: inherit;
+    border-bottom: 1px solid #ccc;
+  }
+  #toc h2 {
+    margin: -1px 0 0 0;
+    padding: 4px 0 4px 6px;
+    padding-right: 1em;
+    min-width: 190px;
+    font-size: 1.1em;
+    text-align: right;
+    background-color: #444;
+    color: white;
+    cursor: pointer;
+  }
+  #toc h2::before { /* css hamburger */
+    float: right;
+    position: relative;
+    width: 1em;
+    height: 1px;
+    left: -164px;
+    margin: 6px 0 0 0;
+    background: white none repeat scroll 0 0;
+    box-shadow: 0 4px 0 0 white, 0 8px 0 0 white;
+    content: "";
+  }
+  #toc nav {
+    display: none;
+    padding: 0.5em 1em 1em;
+    overflow: auto;
+    height: calc(100vh - 48px);
+    border-left: 1px solid #ddd;
+  }
+}
+
+/* alternative layout for wide screens */
+@media screen and (min-width: 1024px) {
+  body {
+    max-width: 724px;
+    margin: 42px auto;
+    padding-left: 1.5em;
+    padding-right: 29em;
+  }
+  #toc {
+    position: fixed;
+    top: 42px;
+    right: 42px;
+    width: 25%;
+    margin: 0;
+    padding: 0 1em;
+    z-index: 1;
+  }
+  #toc h2 {
+    border-top: none;
+    border-bottom: 1px solid #ddd;
+    font-size: 1em;
+    font-weight: normal;
+    margin: 0;
+    padding: 0.25em 1em 1em 0;
+  }
+  #toc nav {
+    display: block;
+    height: calc(90vh - 84px);
+    bottom: 0;
+    padding: 0.5em 0 0;
+    overflow: auto;
+  }
+  img { /* future proofing */
+    max-width: 100%;
+    height: auto;
+  }
+}
+
+/* pagination */
+@media print {
+  body {
+
+    width: 100%;
+  }
+  p {
+    orphans: 3;
+    widows: 3;
+  }
+  #n-copyright-notice {
+    border-bottom: none;
+  }
+  #toc, #n-introduction {
+    page-break-before: always;
+  }
+  #toc {
+    border-top: none;
+    padding-top: 0;
+  }
+  figure, pre {
+    page-break-inside: avoid;
+  }
+  figure {
+    overflow: scroll;
+  }
+  h1, h2, h3, h4, h5, h6 {
+    page-break-after: avoid;
+  }
+  h2+*, h3+*, h4+*, h5+*, h6+* {
+    page-break-before: avoid;
+  }
+  pre {
+    white-space: pre-wrap;
+    word-wrap: break-word;
+    font-size: 10pt;
+  }
+  table {
+    border: 1px solid #ddd;
+  }
+  td {
+    border-top: 1px solid #ddd;
+  }
+}
+
+/* This is commented out here, as the string-set: doesn't
+   pass W3C validation currently */
+/*
+.ears thead .left {
+  string-set: ears-top-left content();
+}
+
+.ears thead .center {
+  string-set: ears-top-center content();
+}
+
+.ears thead .right {
+  string-set: ears-top-right content();
+}
+
+.ears tfoot .left {
+  string-set: ears-bottom-left content();
+}
+
+.ears tfoot .center {
+  string-set: ears-bottom-center content();
+}
+
+.ears tfoot .right {
+  string-set: ears-bottom-right content();
+}
+*/
+
+@page :first {
+  padding-top: 0;
+  @top-left {
+    content: normal;
+    border: none;
+  }
+  @top-center {
+    content: normal;
+    border: none;
+  }
+  @top-right {
+    content: normal;
+    border: none;
+  }
+}
+
+@page {
+  size: A4;
+  margin-bottom: 45mm;
+  padding-top: 20px;
+  /* The follwing is commented out here, but set appropriately by in code, as
+     the content depends on the document */
+  /*
+  @top-left {
+    content: 'Internet-Draft';
+    vertical-align: bottom;
+    border-bottom: solid 1px #ccc;
+  }
+  @top-left {
+    content: string(ears-top-left);
+    vertical-align: bottom;
+    border-bottom: solid 1px #ccc;
+  }
+  @top-center {
+    content: string(ears-top-center);
+    vertical-align: bottom;
+    border-bottom: solid 1px #ccc;
+  }
+  @top-right {
+    content: string(ears-top-right);
+    vertical-align: bottom;
+    border-bottom: solid 1px #ccc;
+  }
+  @bottom-left {
+    content: string(ears-bottom-left);
+    vertical-align: top;
+    border-top: solid 1px #ccc;
+  }
+  @bottom-center {
+    content: string(ears-bottom-center);
+    vertical-align: top;
+    border-top: solid 1px #ccc;
+  }
+  @bottom-right {
+      content: '[Page ' counter(page) ']';
+      vertical-align: top;
+      border-top: solid 1px #ccc;
+  }
+  */
+
+}
+
+/* Changes introduced to fix issues found during implementation */
+/* Make sure links are clickable even if overlapped by following H* */
+a {
+  z-index: 2;
+}
+/* Separate body from document info even without intervening H1 */
+section {
+  clear: both;
+}
 
 
-  <meta name="generator" content="xml2rfc version 2.23.1 - https://tools.ietf.org/tools/xml2rfc" />
-  <link rel="schema.dct" href="http://purl.org/dc/terms/" />
+/* Top align author divs, to avoid names without organization dropping level with org names */
+.author {
+  vertical-align: top;
+}
 
-  <meta name="dct.creator" content="Dulaunoy, A. and A. Iklody" />
-  <meta name="dct.identifier" content="urn:ietf:id:draft-dulaunoy-misp-core-format" />
-  <meta name="dct.issued" scheme="ISO8601" content="2020-10-21" />
-  <meta name="dct.abstract" content="This document describes the MISP core format used to exchange indicators and threat information between MISP (Open Source Threat Intelligence Sharing Platform formerly known as Malware Information Sharing Platform) instances.  The JSON format includes the overall structure along with the semantic associated for each respective key. The format is described to support other implementations which reuse the format and ensuring an interoperability with existing MISP  software and other Threat Intelligence Platforms.  " />
-  <meta name="description" content="This document describes the MISP core format used to exchange indicators and threat information between MISP (Open Source Threat Intelligence Sharing Platform formerly known as Malware Information Sharing Platform) instances.  The JSON format includes the overall structure along with the semantic associated for each respective key. The format is described to support other implementations which reuse the format and ensuring an interoperability with existing MISP  software and other Threat Intelligence Platforms.  " />
+/* Leave room in document info to show Internet-Draft on one line */
+#identifiers dt {
+  width: 8em;
+}
 
+/* Don't waste quite as much whitespace between label and value in doc info */
+#identifiers dd {
+  margin-left: 1em;
+}
+
+/* Give floating toc a background color (needed when it's a div inside section */
+#toc {
+  background-color: white;
+}
+
+/* Make the collapsed ToC header render white on gray also when it's a link */
+@media screen and (max-width: 1023px) {
+  #toc h2 a,
+  #toc h2 a:link,
+  #toc h2 a:focus,
+  #toc h2 a:hover,
+  #toc a.toplink,
+  #toc a.toplink:hover {
+    color: white;
+    background-color: #444;
+    text-decoration: none;
+  }
+}
+
+/* Give the bottom of the ToC some whitespace */
+@media screen and (min-width: 1024px) {
+  #toc {
+    padding: 0 0 1em 1em;
+  }
+}
+
+/* Style section numbers with more space between number and title */
+.section-number {
+  padding-right: 0.5em;
+}
+
+/* prevent monospace from becoming overly large */
+tt, code, pre, code {
+  font-size: 95%;
+}
+
+/* Fix the height/width aspect for ascii art*/
+pre.sourcecode,
+.art-text pre {
+  line-height: 1.12;
+}
+
+
+/* Add styling for a link in the ToC that points to the top of the document */
+a.toplink {
+  float: right;
+  margin-right: 0.5em;
+}
+
+/* Fix the dl styling to match the RFC 7992 attributes */
+dl > dt,
+dl.dlParallel > dt {
+  float: left;
+  margin-right: 1em;
+}
+dl.dlNewline > dt {
+  float: none;
+}
+
+/* Provide styling for table cell text alignment */
+table td.text-left,
+table th.text-left {
+  text-align: left;
+}
+table td.text-center,
+table th.text-center {
+  text-align: center;
+}
+table td.text-right,
+table th.text-right {
+  text-align: right;
+}
+
+/* Make the alternative author contact informatio look less like just another
+   author, and group it closer with the primary author contact information */
+.alternative-contact {
+  margin: 0.5em 0 0.25em 0;
+}
+address .non-ascii {
+  margin: 0 0 0 2em;
+}
+
+/* With it being possible to set tables with alignment
+  left, center, and right, { width: 100%; } does not make sense */
+table {
+  width: auto;
+}
+
+/* Avoid reference text that sits in a block with very wide left margin,
+   because of a long floating dt label.*/
+.references dd {
+  overflow: visible;
+}
+
+/* Control caption placement */
+caption {
+  caption-side: bottom;
+}
+
+/* Limit the width of the author address vcard, so names in right-to-left
+   script don't end up on the other side of the page. */
+
+address.vcard {
+  max-width: 30em;
+  margin-right: auto;
+}
+
+/* For address alignment dependent on LTR or RTL scripts */
+address div.left {
+  text-align: left;
+}
+address div.right {
+  text-align: right;
+}
+
+/* Provide table alignment support.  We can't use the alignX classes above
+   since they do unwanted things with caption and other styling. */
+table.right {
+ margin-left: auto;
+ margin-right: 0;
+}
+table.center {
+ margin-left: auto;
+ margin-right: auto;
+}
+table.left {
+ margin-left: 0;
+ margin-right: auto;
+}
+
+/* Give the table caption label the same styling as the figcaption */
+caption a[href] {
+  color: #222;
+}
+
+@media print {
+  .toplink {
+    display: none;
+  }
+
+  /* avoid overwriting the top border line with the ToC header */
+  #toc {
+    padding-top: 1px;
+  }
+
+  /* Avoid page breaks inside dl and author address entries */
+  .vcard {
+    page-break-inside: avoid;
+  }
+
+}
+/* Tweak the bcp14 keyword presentation */
+.bcp14 {
+  font-variant: small-caps;
+  font-weight: bold;
+  font-size: 0.9em;
+}
+/* Tweak the invisible space above H* in order not to overlay links in text above */
+ h2 {
+  margin-top: -18px;  /* provide offset for in-page anchors */
+  padding-top: 31px;
+ }
+ h3 {
+  margin-top: -18px;  /* provide offset for in-page anchors */
+  padding-top: 24px;
+ }
+ h4 {
+  margin-top: -18px;  /* provide offset for in-page anchors */
+  padding-top: 24px;
+ }
+/* Float artwork pilcrow to the right */
+@media screen {
+  .artwork a.pilcrow {
+    display: block;
+    line-height: 0.7;
+    margin-top: 0.15em;
+  }
+}
+/* Make pilcrows on dd visible */
+@media screen {
+  dd:hover > a.pilcrow {
+    visibility: visible;
+  }
+}
+/* Make the placement of figcaption match that of a table's caption
+   by removing the figure's added bottom margin */
+.alignLeft.art-text,
+.alignCenter.art-text,
+.alignRight.art-text {
+   margin-bottom: 0;
+}
+.alignLeft,
+.alignCenter,
+.alignRight {
+  margin: 1em 0 0 0;
+}
+/* In print, the pilcrow won't show on hover, so prevent it from taking up space,
+   possibly even requiring a new line */
+@media print {
+  a.pilcrow {
+    display: none;
+  }
+}
+/* Styling for the external metadata */
+div#external-metadata {
+  background-color: #eee;
+  padding: 0.5em;
+  margin-bottom: 0.5em;
+  display: none;
+}
+div#internal-metadata {
+  padding: 0.5em;                       /* to match the external-metadata padding */
+}
+/* Styling for title RFC Number */
+h1#rfcnum {
+  clear: both;
+  margin: 0 0 -1em;
+  padding: 1em 0 0 0;
+}
+/* Make .olPercent look the same as <ol><li> */
+dl.olPercent > dd {
+  margin-bottom: 0.25em;
+  min-height: initial;
+}
+/* Give aside some styling to set it apart */
+aside {
+  border-left: 1px solid #ddd;
+  margin: 1em 0 1em 2em;
+  padding: 0.2em 2em;
+}
+aside > dl,
+aside > ol,
+aside > ul,
+aside > table,
+aside > p {
+  margin-bottom: 0.5em;
+}
+/* Additional page break settings */
+@media print {
+  figcaption, table caption {
+    page-break-before: avoid;
+  }
+}
+/* Font size adjustments for print */
+@media print {
+  body  { font-size: 10pt;      line-height: normal; max-width: 96%; }
+  h1    { font-size: 1.72em;    padding-top: 1.5em; } /* 1*1.2*1.2*1.2 */
+  h2    { font-size: 1.44em;    padding-top: 1.5em; } /* 1*1.2*1.2 */
+  h3    { font-size: 1.2em;     padding-top: 1.5em; } /* 1*1.2 */
+  h4    { font-size: 1em;       padding-top: 1.5em; }
+  h5, h6 { font-size: 1em;      margin: initial; padding: 0.5em 0 0.3em; }
+}
+/* Sourcecode margin in print, when there's no pilcrow */
+@media print {
+  .artwork,
+  .sourcecode {
+    margin-bottom: 1em;
+  }
+}
+/* Avoid narrow tables forcing too narrow table captions, which may render badly */
+table {
+  min-width: 20em;
+}
+/* ol type a */
+ol.type-a { list-style-type: lower-alpha; }
+ol.type-A { list-style-type: upper-alpha; }
+ol.type-i { list-style-type: lower-roman; }
+ol.type-I { list-style-type: lower-roman; }
+/* Apply the print table and row borders in general, on request from the RPC,
+and increase the contrast between border and odd row background sligthtly */
+table {
+  border: 1px solid #ddd;
+}
+td {
+  border-top: 1px solid #ddd;
+}
+tr:nth-child(2n+1) > td {
+  background-color: #f8f8f8;
+}
+/* Use style rules to govern display of the TOC. */
+@media screen and (max-width: 1023px) {
+  #toc nav { display: none; }
+  #toc.active nav { display: block; }
+}
+/* Add support for keepWithNext */
+.keepWithNext {
+  break-after: avoid-page;
+  break-after: avoid-page;
+}
+/* Add support for keepWithPrevious */
+.keepWithPrevious {
+  break-before: avoid-page;
+}
+/* Change the approach to avoiding breaks inside artwork etc. */
+figure, pre, table, .artwork, .sourcecode  {
+  break-before: auto;
+  break-after: auto;
+}
+/* Avoid breaks between <dt> and <dd> */
+dl {
+  break-before: auto;
+  break-inside: auto;
+}
+dt {
+  break-before: auto;
+  break-after: avoid-page;
+}
+dd {
+  break-before: avoid-page;
+  break-after: auto;
+  orphans: 3;
+  widows: 3
+}
+span.break, dd.break {
+  margin-bottom: 0;
+  min-height: 0;
+  break-before: auto;
+  break-inside: auto;
+  break-after: auto;
+}
+/* Undo break-before ToC */
+@media print {
+  #toc {
+    break-before: auto;
+  }
+}
+/* Text in compact lists should not get extra bottim margin space,
+   since that would makes the list not compact */
+ul.compact p, .ulCompact p,
+ol.compact p, .olCompact p {
+ margin: 0;
+}
+/* But the list as a whole needs the extra space at the end */
+section ul.compact,
+section .ulCompact,
+section ol.compact,
+section .olCompact {
+  margin-bottom: 1em;                    /* same as p not within ul.compact etc. */
+}
+/* The tt and code background above interferes with for instance table cell
+   backgrounds.  Changed to something a bit more selective. */
+tt, code {
+  background-color: transparent;
+}
+p tt, p code, li tt, li code {
+  background-color: #f8f8f8;
+}
+/* Tweak the pre margin -- 0px doesn't come out well */
+pre {
+   margin-top: 0.5px;
+}
+/* Tweak the comact list text */
+ul.compact, .ulCompact,
+ol.compact, .olCompact,
+dl.compact, .dlCompact {
+  line-height: normal;
+}
+/* Don't add top margin for nested lists */
+li > ul, li > ol, li > dl,
+dd > ul, dd > ol, dd > dl,
+dl > dd > dl {
+  margin-top: initial;
+}
+/* Elements that should not be rendered on the same line as a <dt> */
+/* This should match the element list in writer.text.TextWriter.render_dl() */
+dd > div.artwork:first-child,
+dd > aside:first-child,
+dd > figure:first-child,
+dd > ol:first-child,
+dd > div:first-child > pre.sourcecode,
+dd > table:first-child,
+dd > ul:first-child {
+  clear: left;
+}
+/* fix for weird browser behaviour when <dd/> is empty */
+dt+dd:empty::before{
+  content: "\00a0";
+}
+/* Make paragraph spacing inside <li> smaller than in body text, to fit better within the list */
+li > p {
+  margin-bottom: 0.5em
+}
+/* Don't let p margin spill out from inside list items */
+li > p:last-of-type {
+  margin-bottom: 0;
+}
+</style>
+<link href="rfc-local.css" rel="stylesheet" type="text/css">
+<script type="application/javascript">async function addMetadata(){try{const e=document.styleSheets[0].cssRules;for(let t=0;t<e.length;t++)if(/#identifiers/.exec(e[t].selectorText)){const a=e[t].cssText.replace("#identifiers","#external-updates");document.styleSheets[0].insertRule(a,document.styleSheets[0].cssRules.length)}}catch(e){console.log(e)}const e=document.getElementById("external-metadata");if(e)try{var t,a="",o=function(e){const t=document.getElementsByTagName("meta");for(let a=0;a<t.length;a++)if(t[a].getAttribute("name")===e)return t[a].getAttribute("content");return""}("rfc.number");if(o){t="https://www.rfc-editor.org/rfc/rfc"+o+".json";try{const e=await fetch(t);a=await e.json()}catch(e){t=document.URL.indexOf("html")>=0?document.URL.replace(/html$/,"json"):document.URL+".json";const o=await fetch(t);a=await o.json()}}if(!a)return;e.style.display="block";const s="",d="https://datatracker.ietf.org/doc",n="https://datatracker.ietf.org/ipr/search",c="https://www.rfc-editor.org/info",l=a.doc_id.toLowerCase(),i=a.doc_id.slice(0,3).toLowerCase(),f=a.doc_id.slice(3).replace(/^0+/,""),u={status:"Status",obsoletes:"Obsoletes",obsoleted_by:"Obsoleted By",updates:"Updates",updated_by:"Updated By",see_also:"See Also",errata_url:"Errata"};let h="<dl style='overflow:hidden' id='external-updates'>";["status","obsoletes","obsoleted_by","updates","updated_by","see_also","errata_url"].forEach(e=>{if("status"==e){a[e]=a[e].toLowerCase();var t=a[e].split(" "),o=t.length,w="",p=1;for(let e=0;e<o;e++)p<o?w=w+r(t[e])+" ":w+=r(t[e]),p++;a[e]=w}else if("obsoletes"==e||"obsoleted_by"==e||"updates"==e||"updated_by"==e){var g,m="",b=1;g=a[e].length;for(let t=0;t<g;t++)a[e][t]&&(a[e][t]=String(a[e][t]).toLowerCase(),m=b<g?m+"<a href='"+s+"/rfc/".concat(a[e][t])+"'>"+a[e][t].slice(3)+"</a>, ":m+"<a href='"+s+"/rfc/".concat(a[e][t])+"'>"+a[e][t].slice(3)+"</a>",b++);a[e]=m}else if("see_also"==e){var y,L="",C=1;y=a[e].length;for(let t=0;t<y;t++)if(a[e][t]){a[e][t]=String(a[e][t]);var _=a[e][t].slice(0,3),v=a[e][t].slice(3).replace(/^0+/,"");L=C<y?"RFC"!=_?L+"<a href='"+s+"/info/"+_.toLowerCase().concat(v.toLowerCase())+"'>"+_+" "+v+"</a>, ":L+"<a href='"+s+"/info/"+_.toLowerCase().concat(v.toLowerCase())+"'>"+v+"</a>, ":"RFC"!=_?L+"<a href='"+s+"/info/"+_.toLowerCase().concat(v.toLowerCase())+"'>"+_+" "+v+"</a>":L+"<a href='"+s+"/info/"+_.toLowerCase().concat(v.toLowerCase())+"'>"+v+"</a>",C++}a[e]=L}else if("errata_url"==e){var R="";R=a[e]?R+"<a href='"+a[e]+"'>Errata exist</a> | <a href='"+d+"/"+l+"'>Datatracker</a>| <a href='"+n+"/?"+i+"="+f+"&submit="+i+"'>IPR</a> | <a href='"+c+"/"+l+"'>Info page</a>":"<a href='"+d+"/"+l+"'>Datatracker</a> | <a href='"+n+"/?"+i+"="+f+"&submit="+i+"'>IPR</a> | <a href='"+c+"/"+l+"'>Info page</a>",a[e]=R}""!=a[e]?"Errata"==u[e]?h+=`<dt>More info:</dt><dd>${a[e]}</dd>`:h+=`<dt>${u[e]}:</dt><dd>${a[e]}</dd>`:"Errata"==u[e]&&(h+=`<dt>More info:</dt><dd>${a[e]}</dd>`)}),h+="</dl>",e.innerHTML=h}catch(e){console.log(e)}else console.log("Could not locate metadata <div> element");function r(e){return e.charAt(0).toUpperCase()+e.slice(1)}}window.removeEventListener("load",addMetadata),window.addEventListener("load",addMetadata);</script>
 </head>
-
 <body>
-
-  <table class="header">
-    <tbody>
-    
-    	<tr>
-<td class="left">Network Working Group</td>
-<td class="right">A. Dulaunoy</td>
-</tr>
-<tr>
+<script src="metadata.min.js"></script>
+<table class="ears">
+<thead><tr>
 <td class="left">Internet-Draft</td>
-<td class="right">A. Iklody</td>
-</tr>
-<tr>
-<td class="left">Intended status: Informational</td>
-<td class="right">CIRCL</td>
-</tr>
-<tr>
-<td class="left">Expires: April 24, 2021</td>
-<td class="right">October 21, 2020</td>
-</tr>
-
-    	
-    </tbody>
-  </table>
-
-  <p class="title">MISP core format<br />
-  <span class="filename">draft-dulaunoy-misp-core-format</span></p>
-  
-  <h1 id="rfc.abstract"><a href="#rfc.abstract">Abstract</a></h1>
-<p>This document describes the MISP core format used to exchange indicators and threat information between MISP (Open Source Threat Intelligence Sharing Platform formerly known as Malware Information Sharing Platform) instances.  The JSON format includes the overall structure along with the semantic associated for each respective key. The format is described to support other implementations which reuse the format and ensuring an interoperability with existing MISP <a href="#MISP-P" class="xref">[MISP-P]</a> software and other Threat Intelligence Platforms.  </p>
-<h1 id="rfc.status"><a href="#rfc.status">Status of This Memo</a></h1>
-<p>This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.</p>
-<p>Internet-Drafts are working documents of the Internet Engineering Task Force (IETF).  Note that other groups may also distribute working documents as Internet-Drafts.  The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.</p>
-<p>Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time.  It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."</p>
-<p>This Internet-Draft will expire on April 24, 2021.</p>
-<h1 id="rfc.copyrightnotice"><a href="#rfc.copyrightnotice">Copyright Notice</a></h1>
-<p>Copyright (c) 2020 IETF Trust and the persons identified as the document authors.  All rights reserved.</p>
-<p>This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document.  Please review these documents carefully, as they describe your rights and restrictions with respect to this document.  Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.</p>
-
-  
-  <hr class="noprint" />
-  <h1 class="np" id="rfc.toc"><a href="#rfc.toc">Table of Contents</a></h1>
-  <ul class="toc">
-
-  	<li>1.   <a href="#rfc.section.1">Introduction</a>
-</li>
-<ul><li>1.1.   <a href="#rfc.section.1.1">Conventions and Terminology</a>
-</li>
-</ul><li>2.   <a href="#rfc.section.2">Format</a>
-</li>
-<ul><li>2.1.   <a href="#rfc.section.2.1">Overview</a>
-</li>
-<li>2.2.   <a href="#rfc.section.2.2">Event</a>
-</li>
-<ul><li>2.2.1.   <a href="#rfc.section.2.2.1">Event Attributes</a>
-</li>
-</ul><li>2.3.   <a href="#rfc.section.2.3">Objects</a>
-</li>
-<ul><li>2.3.1.   <a href="#rfc.section.2.3.1">Org</a>
-</li>
-<li>2.3.2.   <a href="#rfc.section.2.3.2">Orgc</a>
-</li>
-</ul><li>2.4.   <a href="#rfc.section.2.4">Attribute</a>
-</li>
-<ul><li>2.4.1.   <a href="#rfc.section.2.4.1">Sample Attribute Object</a>
-</li>
-<li>2.4.2.   <a href="#rfc.section.2.4.2">Attribute Attributes</a>
-</li>
-</ul><li>2.5.   <a href="#rfc.section.2.5">ShadowAttribute</a>
-</li>
-<ul><li>2.5.1.   <a href="#rfc.section.2.5.1">Sample Attribute Object</a>
-</li>
-<li>2.5.2.   <a href="#rfc.section.2.5.2">ShadowAttribute Attributes</a>
-</li>
-<li>2.5.3.   <a href="#rfc.section.2.5.3">Org</a>
-</li>
-</ul><li>2.6.   <a href="#rfc.section.2.6">Object</a>
-</li>
-<ul><li>2.6.1.   <a href="#rfc.section.2.6.1">Sample Object</a>
-</li>
-<li>2.6.2.   <a href="#rfc.section.2.6.2">Object Attributes</a>
-</li>
-</ul><li>2.7.   <a href="#rfc.section.2.7">Object References</a>
-</li>
-<ul><li>2.7.1.   <a href="#rfc.section.2.7.1">Sample ObjectReference object</a>
-</li>
-<li>2.7.2.   <a href="#rfc.section.2.7.2">ObjectReference Attributes</a>
-</li>
-</ul><li>2.8.   <a href="#rfc.section.2.8">EventReport</a>
-</li>
-<ul><li>2.8.1.   <a href="#rfc.section.2.8.1">id</a>
-</li>
-<li>2.8.2.   <a href="#rfc.section.2.8.2">UUID</a>
-</li>
-<li>2.8.3.   <a href="#rfc.section.2.8.3">event_id</a>
-</li>
-<li>2.8.4.   <a href="#rfc.section.2.8.4">name</a>
-</li>
-<li>2.8.5.   <a href="#rfc.section.2.8.5">content</a>
-</li>
-<li>2.8.6.   <a href="#rfc.section.2.8.6">distribution</a>
-</li>
-<li>2.8.7.   <a href="#rfc.section.2.8.7">sharing_group_id</a>
-</li>
-<li>2.8.8.   <a href="#rfc.section.2.8.8">timestamp</a>
-</li>
-<li>2.8.9.   <a href="#rfc.section.2.8.9">deleted</a>
-</li>
-</ul><li>2.9.   <a href="#rfc.section.2.9">Tag</a>
-</li>
-<ul><li>2.9.1.   <a href="#rfc.section.2.9.1">Sample Tag</a>
-</li>
-</ul><li>2.10.   <a href="#rfc.section.2.10">Sighting</a>
-</li>
-<ul><li>2.10.1.   <a href="#rfc.section.2.10.1">Sample Sighting</a>
-</li>
-</ul><li>2.11.   <a href="#rfc.section.2.11">Galaxy</a>
-</li>
-<ul><li>2.11.1.   <a href="#rfc.section.2.11.1">Sample Galaxy</a>
-</li>
-</ul></ul><li>3.   <a href="#rfc.section.3">JSON Schema</a>
-</li>
-<li>4.   <a href="#rfc.section.4">Manifest</a>
-</li>
-<ul><li>4.1.   <a href="#rfc.section.4.1">Format</a>
-</li>
-<ul><li>4.1.1.   <a href="#rfc.section.4.1.1">Sample Manifest</a>
-</li>
-</ul></ul><li>5.   <a href="#rfc.section.5">Implementation</a>
-</li>
-<li>6.   <a href="#rfc.section.6">Security Considerations</a>
-</li>
-<li>7.   <a href="#rfc.section.7">Acknowledgements</a>
-</li>
-<li>8.   <a href="#rfc.section.8">References</a>
-</li>
-<li>9.   <a href="#rfc.references">References</a>
-</li>
-<ul><li>9.1.   <a href="#rfc.references.1">Normative References</a>
-</li>
-<li>9.2.   <a href="#rfc.references.2">Informative References</a>
-</li>
-</ul><li><a href="#rfc.authors">Authors' Addresses</a>
-</li>
-
-
-  </ul>
-
-  <h1 id="rfc.section.1">
-<a href="#rfc.section.1">1.</a> <a href="#introduction" id="introduction">Introduction</a>
-</h1>
-<p id="rfc.section.1.p.1">Sharing threat information became a fundamental requirements in the Internet, security and intelligence community at large. Threat information can include indicators of compromise, malicious file indicators, financial fraud indicators or even detailed information about a threat actor. MISP <a href="#MISP-P" class="xref">[MISP-P]</a> started as an open source project in late 2011 and the MISP format started to be widely used as an exchange format within the community in the past years. The aim of this document is to describe the specification and the MISP core format.  </p>
-<h1 id="rfc.section.1.1">
-<a href="#rfc.section.1.1">1.1.</a> <a href="#conventions-and-terminology" id="conventions-and-terminology">Conventions and Terminology</a>
-</h1>
-<p id="rfc.section.1.1.p.1">The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 <a href="#RFC2119" class="xref">[RFC2119]</a>.  </p>
-<h1 id="rfc.section.2">
-<a href="#rfc.section.2">2.</a> <a href="#format" id="format">Format</a>
-</h1>
-<h1 id="rfc.section.2.1">
-<a href="#rfc.section.2.1">2.1.</a> <a href="#overview" id="overview">Overview</a>
-</h1>
-<p id="rfc.section.2.1.p.1">The MISP core format is in the JSON <a href="#RFC8259" class="xref">[RFC8259]</a> format. In MISP, an event is composed of a single JSON object.  </p>
-<p id="rfc.section.2.1.p.2">A capitalized key (like Event, Org) represent a data model and a non-capitalised key is just an attribute. This nomenclature can support an implementation to represent the MISP format in another data structure.  </p>
-<h1 id="rfc.section.2.2">
-<a href="#rfc.section.2.2">2.2.</a> <a href="#event" id="event">Event</a>
-</h1>
-<p id="rfc.section.2.2.p.1">An event is a simple meta structure scheme where attributes and meta-data are embedded to compose a coherent set of indicators. An event can be composed from an incident, a security analysis report or a specific threat actor analysis. The meaning of an event only depends of the information embedded in the event.  </p>
-<h1 id="rfc.section.2.2.1">
-<a href="#rfc.section.2.2.1">2.2.1.</a> <a href="#event-attributes" id="event-attributes">Event Attributes</a>
-</h1>
-<h1 id="rfc.section.2.2.1.1">
-<a href="#rfc.section.2.2.1.1">2.2.1.1.</a> <a href="#uuid" id="uuid">uuid</a>
-</h1>
-<p id="rfc.section.2.2.1.1.p.1">uuid represents the Universally Unique IDentifier (UUID) <a href="#RFC4122" class="xref">[RFC4122]</a> of the event. The uuid MUST be preserved for any updates or transfer of the same event. UUID version 4 is RECOMMENDED when assigning it to a new event.  </p>
-<p id="rfc.section.2.2.1.1.p.2">uuid is represented as a JSON string. uuid MUST be present.  </p>
-<h1 id="rfc.section.2.2.1.2">
-<a href="#rfc.section.2.2.1.2">2.2.1.2.</a> <a href="#id" id="id">id</a>
-</h1>
-<p id="rfc.section.2.2.1.2.p.1">id represents the human-readable identifier associated to the event for a specific MISP instance.  A human-readable identifier MUST be represented as an unsigned integer.  </p>
-<p id="rfc.section.2.2.1.2.p.2">id is represented as a JSON string. id SHALL be present.  </p>
-<h1 id="rfc.section.2.2.1.3">
-<a href="#rfc.section.2.2.1.3">2.2.1.3.</a> <a href="#published" id="published">published</a>
-</h1>
-<p id="rfc.section.2.2.1.3.p.1">published represents the event publication state. If the event was published, the published value MUST be true.  In any other publication state, the published value MUST be false.  </p>
-<p id="rfc.section.2.2.1.3.p.2">published is represented as a JSON boolean. published MUST be present.  </p>
-<h1 id="rfc.section.2.2.1.4">
-<a href="#rfc.section.2.2.1.4">2.2.1.4.</a> <a href="#info" id="info">info</a>
-</h1>
-<p id="rfc.section.2.2.1.4.p.1">info represents the information field of the event. info is a free-text value to provide a human-readable summary of the event. info SHOULD NOT be bigger than 256 characters and SHOULD NOT include new-lines.  </p>
-<p id="rfc.section.2.2.1.4.p.2">info is represented as a JSON string. info MUST be present.  </p>
-<h1 id="rfc.section.2.2.1.5">
-<a href="#rfc.section.2.2.1.5">2.2.1.5.</a> <a href="#threatlevelid" id="threatlevelid">threat_level_id</a>
-</h1>
-<p id="rfc.section.2.2.1.5.p.1">threat_level_id represents the threat level.  </p>
-<p></p>
-
-<dl>
-<dt>4:</dt>
-<dd style="margin-left: 8">
-<br> Undefined</dd>
-<dt>3:</dt>
-<dd style="margin-left: 8">
-<br> Low</dd>
-<dt>2:</dt>
-<dd style="margin-left: 8">
-<br> Medium</dd>
-<dt>1:</dt>
-<dd style="margin-left: 8">
-<br> High</dd>
+<td class="center">MISP core format</td>
+<td class="right">February 2022</td>
+</tr></thead>
+<tfoot><tr>
+<td class="left">Dulaunoy &amp; Iklody</td>
+<td class="center">Expires 18 August 2022</td>
+<td class="right">[Page]</td>
+</tr></tfoot>
+</table>
+<div id="external-metadata" class="document-information"></div>
+<div id="internal-metadata" class="document-information">
+<dl id="identifiers">
+<dt class="label-workgroup">Workgroup:</dt>
+<dd class="workgroup">Network Working Group</dd>
+<dt class="label-internet-draft">Internet-Draft:</dt>
+<dd class="internet-draft">draft-00</dd>
+<dt class="label-published">Published:</dt>
+<dd class="published">
+<time datetime="2022-02-14" class="published">14 February 2022</time>
+    </dd>
+<dt class="label-intended-status">Intended Status:</dt>
+<dd class="intended-status">Informational</dd>
+<dt class="label-expires">Expires:</dt>
+<dd class="expires"><time datetime="2022-08-18">18 August 2022</time></dd>
+<dt class="label-authors">Authors:</dt>
+<dd class="authors">
+<div class="author">
+      <div class="author-name">A. Dulaunoy</div>
+<div class="org">CIRCL</div>
+</div>
+<div class="author">
+      <div class="author-name">A. Iklody</div>
+<div class="org">CIRCL</div>
+</div>
+</dd>
 </dl>
-
-<p> </p>
-<p id="rfc.section.2.2.1.5.p.3">If a higher granularity is required, a MISP taxonomy applied as a Tag SHOULD be preferred.  </p>
-<p id="rfc.section.2.2.1.5.p.4">threat_level_id is represented as a JSON string. threat_level_id SHALL be present.  </p>
-<h1 id="rfc.section.2.2.1.6">
-<a href="#rfc.section.2.2.1.6">2.2.1.6.</a> <a href="#analysis" id="analysis">analysis</a>
-</h1>
-<p id="rfc.section.2.2.1.6.p.1">analysis represents the analysis level.  </p>
-<p></p>
-
-<dl>
-<dt>0:</dt>
-<dd style="margin-left: 8">
-<br> Initial</dd>
-<dt>1:</dt>
-<dd style="margin-left: 8">
-<br> Ongoing</dd>
-<dt>2:</dt>
-<dd style="margin-left: 8">
-<br> Complete</dd>
+</div>
+<h1 id="title">MISP core format</h1>
+<section id="section-abstract">
+      <h2 id="abstract"><a href="#abstract" class="selfRef">Abstract</a></h2>
+<p id="section-abstract-1">This document describes the MISP core format used to exchange indicators and threat information between
+MISP (Open Source Threat Intelligence Sharing Platform formerly known as Malware Information Sharing Platform) instances.
+The JSON format includes the overall structure along with the semantic associated for each
+respective key. The format is described to support other implementations which reuse the
+format and ensuring an interoperability with existing MISP <span>[<a href="#MISP-P" class="xref">MISP-P</a>]</span> software and other Threat Intelligence Platforms.<a href="#section-abstract-1" class="pilcrow">¶</a></p>
+</section>
+<div id="status-of-memo">
+<section id="section-boilerplate.1">
+        <h2 id="name-status-of-this-memo">
+<a href="#name-status-of-this-memo" class="section-name selfRef">Status of This Memo</a>
+        </h2>
+<p id="section-boilerplate.1-1">
+        This Internet-Draft is submitted in full conformance with the
+        provisions of BCP 78 and BCP 79.<a href="#section-boilerplate.1-1" class="pilcrow">¶</a></p>
+<p id="section-boilerplate.1-2">
+        Internet-Drafts are working documents of the Internet Engineering Task
+        Force (IETF). Note that other groups may also distribute working
+        documents as Internet-Drafts. The list of current Internet-Drafts is
+        at <span><a href="https://datatracker.ietf.org/drafts/current/">https://datatracker.ietf.org/drafts/current/</a></span>.<a href="#section-boilerplate.1-2" class="pilcrow">¶</a></p>
+<p id="section-boilerplate.1-3">
+        Internet-Drafts are draft documents valid for a maximum of six months
+        and may be updated, replaced, or obsoleted by other documents at any
+        time. It is inappropriate to use Internet-Drafts as reference
+        material or to cite them other than as "work in progress."<a href="#section-boilerplate.1-3" class="pilcrow">¶</a></p>
+<p id="section-boilerplate.1-4">
+        This Internet-Draft will expire on 18 August 2022.<a href="#section-boilerplate.1-4" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="copyright">
+<section id="section-boilerplate.2">
+        <h2 id="name-copyright-notice">
+<a href="#name-copyright-notice" class="section-name selfRef">Copyright Notice</a>
+        </h2>
+<p id="section-boilerplate.2-1">
+            Copyright (c) 2022 IETF Trust and the persons identified as the
+            document authors. All rights reserved.<a href="#section-boilerplate.2-1" class="pilcrow">¶</a></p>
+<p id="section-boilerplate.2-2">
+            This document is subject to BCP 78 and the IETF Trust's Legal
+            Provisions Relating to IETF Documents
+            (<span><a href="https://trustee.ietf.org/license-info">https://trustee.ietf.org/license-info</a></span>) in effect on the date of
+            publication of this document. Please review these documents
+            carefully, as they describe your rights and restrictions with
+            respect to this document.<a href="#section-boilerplate.2-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="toc">
+<section id="section-toc.1">
+        <a href="#" onclick="scroll(0,0)" class="toplink">▲</a><h2 id="name-table-of-contents">
+<a href="#name-table-of-contents" class="section-name selfRef">Table of Contents</a>
+        </h2>
+<nav class="toc"><ul class="compact toc ulBare ulEmpty">
+<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.1">
+            <p id="section-toc.1-1.1.1" class="keepWithNext"><a href="#section-1" class="xref">1</a>.  <a href="#name-introduction" class="xref">Introduction</a></p>
+<ul class="compact toc ulBare ulEmpty">
+<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.1.2.1">
+                <p id="section-toc.1-1.1.2.1.1" class="keepWithNext"><a href="#section-1.1" class="xref">1.1</a>.  <a href="#name-conventions-and-terminology" class="xref">Conventions and Terminology</a></p>
+</li>
+            </ul>
+</li>
+          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2">
+            <p id="section-toc.1-1.2.1"><a href="#section-2" class="xref">2</a>.  <a href="#name-format" class="xref">Format</a></p>
+<ul class="compact toc ulBare ulEmpty">
+<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.1">
+                <p id="section-toc.1-1.2.2.1.1" class="keepWithNext"><a href="#section-2.1" class="xref">2.1</a>.  <a href="#name-overview" class="xref">Overview</a></p>
+</li>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.2">
+                <p id="section-toc.1-1.2.2.2.1"><a href="#section-2.2" class="xref">2.2</a>.  <a href="#name-event" class="xref">Event</a></p>
+<ul class="compact toc ulBare ulEmpty">
+<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.2.2.1">
+                    <p id="section-toc.1-1.2.2.2.2.1.1"><a href="#section-2.2.1" class="xref">2.2.1</a>.  <a href="#name-event-attributes" class="xref">Event Attributes</a></p>
+</li>
+                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.2.2.2">
+                    <p id="section-toc.1-1.2.2.2.2.2.1"><a href="#section-2.2.2" class="xref">2.2.2</a>.  <a href="#name-event-objects" class="xref">Event Objects</a></p>
+</li>
+                </ul>
+</li>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.3">
+                <p id="section-toc.1-1.2.2.3.1"><a href="#section-2.3" class="xref">2.3</a>.  <a href="#name-attribute" class="xref">Attribute</a></p>
+<ul class="compact toc ulBare ulEmpty">
+<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.3.2.1">
+                    <p id="section-toc.1-1.2.2.3.2.1.1"><a href="#section-2.3.1" class="xref">2.3.1</a>.  <a href="#name-sample-attribute-object" class="xref">Sample Attribute Object</a></p>
+</li>
+                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.3.2.2">
+                    <p id="section-toc.1-1.2.2.3.2.2.1"><a href="#section-2.3.2" class="xref">2.3.2</a>.  <a href="#name-attribute-attributes" class="xref">Attribute Attributes</a></p>
+</li>
+                </ul>
+</li>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.4">
+                <p id="section-toc.1-1.2.2.4.1"><a href="#section-2.4" class="xref">2.4</a>.  <a href="#name-shadowattribute-2" class="xref">ShadowAttribute</a></p>
+<ul class="compact toc ulBare ulEmpty">
+<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.4.2.1">
+                    <p id="section-toc.1-1.2.2.4.2.1.1"><a href="#section-2.4.1" class="xref">2.4.1</a>.  <a href="#name-sample-attribute-object-2" class="xref">Sample Attribute Object</a></p>
+</li>
+                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.4.2.2">
+                    <p id="section-toc.1-1.2.2.4.2.2.1"><a href="#section-2.4.2" class="xref">2.4.2</a>.  <a href="#name-shadowattribute-attributes" class="xref">ShadowAttribute Attributes</a></p>
+</li>
+                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.4.2.3">
+                    <p id="section-toc.1-1.2.2.4.2.3.1"><a href="#section-2.4.3" class="xref">2.4.3</a>.  <a href="#name-shadowattribute-objects" class="xref">ShadowAttribute Objects</a></p>
+</li>
+                </ul>
+</li>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.5">
+                <p id="section-toc.1-1.2.2.5.1"><a href="#section-2.5" class="xref">2.5</a>.  <a href="#name-object" class="xref">Object</a></p>
+<ul class="compact toc ulBare ulEmpty">
+<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.5.2.1">
+                    <p id="section-toc.1-1.2.2.5.2.1.1"><a href="#section-2.5.1" class="xref">2.5.1</a>.  <a href="#name-sample-object" class="xref">Sample Object</a></p>
+</li>
+                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.5.2.2">
+                    <p id="section-toc.1-1.2.2.5.2.2.1"><a href="#section-2.5.2" class="xref">2.5.2</a>.  <a href="#name-object-attributes" class="xref">Object Attributes</a></p>
+</li>
+                </ul>
+</li>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.6">
+                <p id="section-toc.1-1.2.2.6.1"><a href="#section-2.6" class="xref">2.6</a>.  <a href="#name-object-references" class="xref">Object References</a></p>
+<ul class="compact toc ulBare ulEmpty">
+<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.6.2.1">
+                    <p id="section-toc.1-1.2.2.6.2.1.1"><a href="#section-2.6.1" class="xref">2.6.1</a>.  <a href="#name-sample-objectreference-obje" class="xref">Sample ObjectReference object</a></p>
+</li>
+                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.6.2.2">
+                    <p id="section-toc.1-1.2.2.6.2.2.1"><a href="#section-2.6.2" class="xref">2.6.2</a>.  <a href="#name-objectreference-attributes" class="xref">ObjectReference Attributes</a></p>
+</li>
+                </ul>
+</li>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.7">
+                <p id="section-toc.1-1.2.2.7.1"><a href="#section-2.7" class="xref">2.7</a>.  <a href="#name-eventreport" class="xref">EventReport</a></p>
+<ul class="compact toc ulBare ulEmpty">
+<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.7.2.1">
+                    <p id="section-toc.1-1.2.2.7.2.1.1"><a href="#section-2.7.1" class="xref">2.7.1</a>.  <a href="#name-id-6" class="xref">id</a></p>
+</li>
+                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.7.2.2">
+                    <p id="section-toc.1-1.2.2.7.2.2.1"><a href="#section-2.7.2" class="xref">2.7.2</a>.  <a href="#name-uuid-6" class="xref">UUID</a></p>
+</li>
+                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.7.2.3">
+                    <p id="section-toc.1-1.2.2.7.2.3.1"><a href="#section-2.7.3" class="xref">2.7.3</a>.  <a href="#name-event_id-5" class="xref">event_id</a></p>
+</li>
+                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.7.2.4">
+                    <p id="section-toc.1-1.2.2.7.2.4.1"><a href="#section-2.7.4" class="xref">2.7.4</a>.  <a href="#name-name-2" class="xref">name</a></p>
+</li>
+                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.7.2.5">
+                    <p id="section-toc.1-1.2.2.7.2.5.1"><a href="#section-2.7.5" class="xref">2.7.5</a>.  <a href="#name-content" class="xref">content</a></p>
+</li>
+                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.7.2.6">
+                    <p id="section-toc.1-1.2.2.7.2.6.1"><a href="#section-2.7.6" class="xref">2.7.6</a>.  <a href="#name-distribution-4" class="xref">distribution</a></p>
+</li>
+                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.7.2.7">
+                    <p id="section-toc.1-1.2.2.7.2.7.1"><a href="#section-2.7.7" class="xref">2.7.7</a>.  <a href="#name-sharing_group_id-4" class="xref">sharing_group_id</a></p>
+</li>
+                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.7.2.8">
+                    <p id="section-toc.1-1.2.2.7.2.8.1"><a href="#section-2.7.8" class="xref">2.7.8</a>.  <a href="#name-timestamp-6" class="xref">timestamp</a></p>
+</li>
+                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.7.2.9">
+                    <p id="section-toc.1-1.2.2.7.2.9.1"><a href="#section-2.7.9" class="xref">2.7.9</a>.  <a href="#name-deleted-5" class="xref">deleted</a></p>
+</li>
+                </ul>
+</li>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.8">
+                <p id="section-toc.1-1.2.2.8.1"><a href="#section-2.8" class="xref">2.8</a>.  <a href="#name-tag" class="xref">Tag</a></p>
+<ul class="compact toc ulBare ulEmpty">
+<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.8.2.1">
+                    <p id="section-toc.1-1.2.2.8.2.1.1"><a href="#section-2.8.1" class="xref">2.8.1</a>.  <a href="#name-sample-tag" class="xref">Sample Tag</a></p>
+</li>
+                </ul>
+</li>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.9">
+                <p id="section-toc.1-1.2.2.9.1"><a href="#section-2.9" class="xref">2.9</a>.  <a href="#name-sighting" class="xref">Sighting</a></p>
+<ul class="compact toc ulBare ulEmpty">
+<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.9.2.1">
+                    <p id="section-toc.1-1.2.2.9.2.1.1"><a href="#section-2.9.1" class="xref">2.9.1</a>.  <a href="#name-sample-sighting" class="xref">Sample Sighting</a></p>
+</li>
+                </ul>
+</li>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.10">
+                <p id="section-toc.1-1.2.2.10.1"><a href="#section-2.10" class="xref">2.10</a>. <a href="#name-galaxy" class="xref">Galaxy</a></p>
+<ul class="compact toc ulBare ulEmpty">
+<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.10.2.1">
+                    <p id="section-toc.1-1.2.2.10.2.1.1"><a href="#section-2.10.1" class="xref">2.10.1</a>.  <a href="#name-sample-galaxy" class="xref">Sample Galaxy</a></p>
+</li>
+                </ul>
+</li>
+            </ul>
+</li>
+          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3">
+            <p id="section-toc.1-1.3.1"><a href="#section-3" class="xref">3</a>.  <a href="#name-json-schema" class="xref">JSON Schema</a></p>
+</li>
+          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4">
+            <p id="section-toc.1-1.4.1"><a href="#section-4" class="xref">4</a>.  <a href="#name-manifest" class="xref">Manifest</a></p>
+<ul class="compact toc ulBare ulEmpty">
+<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4.2.1">
+                <p id="section-toc.1-1.4.2.1.1"><a href="#section-4.1" class="xref">4.1</a>.  <a href="#name-format-2" class="xref">Format</a></p>
+<ul class="compact toc ulBare ulEmpty">
+<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4.2.1.2.1">
+                    <p id="section-toc.1-1.4.2.1.2.1.1"><a href="#section-4.1.1" class="xref">4.1.1</a>.  <a href="#name-sample-manifest" class="xref">Sample Manifest</a></p>
+</li>
+                </ul>
+</li>
+            </ul>
+</li>
+          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5">
+            <p id="section-toc.1-1.5.1"><a href="#section-5" class="xref">5</a>.  <a href="#name-implementation" class="xref">Implementation</a></p>
+</li>
+          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6">
+            <p id="section-toc.1-1.6.1"><a href="#section-6" class="xref">6</a>.  <a href="#name-security-considerations" class="xref">Security Considerations</a></p>
+</li>
+          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7">
+            <p id="section-toc.1-1.7.1"><a href="#section-7" class="xref">7</a>.  <a href="#name-acknowledgements" class="xref">Acknowledgements</a></p>
+</li>
+          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8">
+            <p id="section-toc.1-1.8.1"><a href="#section-8" class="xref">8</a>.  <a href="#name-references" class="xref">References</a></p>
+</li>
+          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9">
+            <p id="section-toc.1-1.9.1"><a href="#section-9" class="xref">9</a>.  <a href="#name-normative-references" class="xref">Normative References</a></p>
+</li>
+          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.10">
+            <p id="section-toc.1-1.10.1"><a href="#section-10" class="xref">10</a>. <a href="#name-informative-references" class="xref">Informative References</a></p>
+</li>
+          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.11">
+            <p id="section-toc.1-1.11.1"><a href="#appendix-A" class="xref"></a><a href="#name-authors-addresses" class="xref">Authors' Addresses</a></p>
+</li>
+        </ul>
+</nav>
+</section>
+</div>
+<div id="introduction">
+<section id="section-1">
+      <h2 id="name-introduction">
+<a href="#section-1" class="section-number selfRef">1. </a><a href="#name-introduction" class="section-name selfRef">Introduction</a>
+      </h2>
+<p id="section-1-1">Sharing threat information became a fundamental requirements in the Internet, security and intelligence community at large. Threat
+information can include indicators of compromise, malicious file indicators, financial fraud indicators
+or even detailed information about a threat actor. MISP <span>[<a href="#MISP-P" class="xref">MISP-P</a>]</span> started as an open source project in late 2011 and
+the MISP format started to be widely used as an exchange format within the community in the past years. The aim of this document
+is to describe the specification and the MISP core format.<a href="#section-1-1" class="pilcrow">¶</a></p>
+<div id="conventions-and-terminology">
+<section id="section-1.1">
+        <h3 id="name-conventions-and-terminology">
+<a href="#section-1.1" class="section-number selfRef">1.1. </a><a href="#name-conventions-and-terminology" class="section-name selfRef">Conventions and Terminology</a>
+        </h3>
+<p id="section-1.1-1">The key words "<span class="bcp14">MUST</span>", "<span class="bcp14">MUST NOT</span>", "<span class="bcp14">REQUIRED</span>", "<span class="bcp14">SHALL</span>", "<span class="bcp14">SHALL NOT</span>",
+"<span class="bcp14">SHOULD</span>", "<span class="bcp14">SHOULD NOT</span>", "<span class="bcp14">RECOMMENDED</span>", "<span class="bcp14">MAY</span>", and "<span class="bcp14">OPTIONAL</span>" in this
+document are to be interpreted as described in RFC 2119 <span>[<a href="#RFC2119" class="xref">RFC2119</a>]</span>.<a href="#section-1.1-1" class="pilcrow">¶</a></p>
+</section>
+</div>
+</section>
+</div>
+<div id="format">
+<section id="section-2">
+      <h2 id="name-format">
+<a href="#section-2" class="section-number selfRef">2. </a><a href="#name-format" class="section-name selfRef">Format</a>
+      </h2>
+<div id="overview">
+<section id="section-2.1">
+        <h3 id="name-overview">
+<a href="#section-2.1" class="section-number selfRef">2.1. </a><a href="#name-overview" class="section-name selfRef">Overview</a>
+        </h3>
+<p id="section-2.1-1">The MISP core format is in the JSON <span>[<a href="#RFC8259" class="xref">RFC8259</a>]</span> format. In MISP, an event is composed of a single JSON object.<a href="#section-2.1-1" class="pilcrow">¶</a></p>
+<p id="section-2.1-2">A capitalized key (like Event, Org) represent a data model and a non-capitalised key is just an attribute. This nomenclature
+can support an implementation to represent the MISP format in another data structure.<a href="#section-2.1-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="event">
+<section id="section-2.2">
+        <h3 id="name-event">
+<a href="#section-2.2" class="section-number selfRef">2.2. </a><a href="#name-event" class="section-name selfRef">Event</a>
+        </h3>
+<p id="section-2.2-1">An event is a simple meta structure scheme where attributes and meta-data are embedded to compose a coherent set
+of indicators. An event can be composed from an incident, a security analysis report or a specific threat actor
+analysis. The meaning of an event only depends of the information embedded in the event.<a href="#section-2.2-1" class="pilcrow">¶</a></p>
+<div id="event-attributes">
+<section id="section-2.2.1">
+          <h4 id="name-event-attributes">
+<a href="#section-2.2.1" class="section-number selfRef">2.2.1. </a><a href="#name-event-attributes" class="section-name selfRef">Event Attributes</a>
+          </h4>
+<div id="uuid">
+<section id="section-2.2.1.1">
+            <h5 id="name-uuid">
+<a href="#section-2.2.1.1" class="section-number selfRef">2.2.1.1. </a><a href="#name-uuid" class="section-name selfRef">uuid</a>
+            </h5>
+<p id="section-2.2.1.1-1">uuid represents the Universally Unique IDentifier (UUID) <span>[<a href="#RFC4122" class="xref">RFC4122</a>]</span> of the event. The uuid <span class="bcp14">MUST</span> be preserved
+for any updates or transfer of the same event. UUID version 4 is <span class="bcp14">RECOMMENDED</span> when assigning it to a new event.<a href="#section-2.2.1.1-1" class="pilcrow">¶</a></p>
+<p id="section-2.2.1.1-2">uuid is represented as a JSON string. uuid <span class="bcp14">MUST</span> be present.<a href="#section-2.2.1.1-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="id">
+<section id="section-2.2.1.2">
+            <h5 id="name-id">
+<a href="#section-2.2.1.2" class="section-number selfRef">2.2.1.2. </a><a href="#name-id" class="section-name selfRef">id</a>
+            </h5>
+<p id="section-2.2.1.2-1">id represents the human-readable identifier associated to the event for a specific MISP instance.  A human-readable identifier <span class="bcp14">MUST</span> be
+represented as an unsigned integer.<a href="#section-2.2.1.2-1" class="pilcrow">¶</a></p>
+<p id="section-2.2.1.2-2">id is represented as a JSON string. id <span class="bcp14">SHALL</span> be present.<a href="#section-2.2.1.2-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="published">
+<section id="section-2.2.1.3">
+            <h5 id="name-published">
+<a href="#section-2.2.1.3" class="section-number selfRef">2.2.1.3. </a><a href="#name-published" class="section-name selfRef">published</a>
+            </h5>
+<p id="section-2.2.1.3-1">published represents the event publication state. If the event was published, the published value <span class="bcp14">MUST</span> be true.
+In any other publication state, the published value <span class="bcp14">MUST</span> be false.<a href="#section-2.2.1.3-1" class="pilcrow">¶</a></p>
+<p id="section-2.2.1.3-2">published is represented as a JSON boolean. published <span class="bcp14">MUST</span> be present.<a href="#section-2.2.1.3-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="info">
+<section id="section-2.2.1.4">
+            <h5 id="name-info">
+<a href="#section-2.2.1.4" class="section-number selfRef">2.2.1.4. </a><a href="#name-info" class="section-name selfRef">info</a>
+            </h5>
+<p id="section-2.2.1.4-1">info represents the information field of the event. info is a free-text value to provide a human-readable summary
+of the event. info <span class="bcp14">SHOULD</span> NOT be bigger than 256 characters and <span class="bcp14">SHOULD</span> NOT include new-lines.<a href="#section-2.2.1.4-1" class="pilcrow">¶</a></p>
+<p id="section-2.2.1.4-2">info is represented as a JSON string. info <span class="bcp14">MUST</span> be present.<a href="#section-2.2.1.4-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="threat-level-id">
+<section id="section-2.2.1.5">
+            <h5 id="name-threat_level_id">
+<a href="#section-2.2.1.5" class="section-number selfRef">2.2.1.5. </a><a href="#name-threat_level_id" class="section-name selfRef">threat_level_id</a>
+            </h5>
+<p id="section-2.2.1.5-1">threat_level_id represents the threat level.<a href="#section-2.2.1.5-1" class="pilcrow">¶</a></p>
+<span class="break"></span><dl class="dlCompact dlParallel" id="section-2.2.1.5-2">
+              <dt id="section-2.2.1.5-2.1">4:</dt>
+              <dd style="margin-left: 1.5em" id="section-2.2.1.5-2.2">Undefined<a href="#section-2.2.1.5-2.2" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.2.1.5-2.3">3:</dt>
+              <dd style="margin-left: 1.5em" id="section-2.2.1.5-2.4">Low<a href="#section-2.2.1.5-2.4" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.2.1.5-2.5">2:</dt>
+              <dd style="margin-left: 1.5em" id="section-2.2.1.5-2.6">Medium<a href="#section-2.2.1.5-2.6" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.2.1.5-2.7">1:</dt>
+              <dd style="margin-left: 1.5em" id="section-2.2.1.5-2.8">High<a href="#section-2.2.1.5-2.8" class="pilcrow">¶</a>
+</dd>
+            <dd class="break"></dd>
 </dl>
-
-<p> </p>
-<p id="rfc.section.2.2.1.6.p.3">If a higher granularity is required, a MISP taxonomy applied as a Tag SHOULD be preferred.  </p>
-<p id="rfc.section.2.2.1.6.p.4">analysis is represented as a JSON string. analysis SHALL be present.  </p>
-<h1 id="rfc.section.2.2.1.7">
-<a href="#rfc.section.2.2.1.7">2.2.1.7.</a> <a href="#date" id="date">date</a>
-</h1>
-<p id="rfc.section.2.2.1.7.p.1">date represents a reference date to the event in ISO 8601 format (date only: YYYY-MM-DD). This date corresponds to the date the event occurred, which may be in the past.  </p>
-<p id="rfc.section.2.2.1.7.p.2">date is represented as a JSON string. date MUST be present.  </p>
-<h1 id="rfc.section.2.2.1.8">
-<a href="#rfc.section.2.2.1.8">2.2.1.8.</a> <a href="#timestamp" id="timestamp">timestamp</a>
-</h1>
-<p id="rfc.section.2.2.1.8.p.1">timestamp represents a reference time when the event, or one of the attributes within the event was created, or last updated/edited on the instance. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone MUST be UTC.  </p>
-<p id="rfc.section.2.2.1.8.p.2">timestamp is represented as a JSON string. timestamp MUST be present.  </p>
-<h1 id="rfc.section.2.2.1.9">
-<a href="#rfc.section.2.2.1.9">2.2.1.9.</a> <a href="#publishtimestamp" id="publishtimestamp">publish_timestamp</a>
-</h1>
-<p id="rfc.section.2.2.1.9.p.1">publish_timestamp represents a reference time when the event was published on the instance. published_timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). At each publication of an event, publish_timestamp MUST be updated. The time zone MUST be UTC. If the published_timestamp is present and the published flag is set to false, the publish_timestamp represents the previous publication timestamp. If the event was never published, the published_timestamp MUST be set to 0.  </p>
-<p id="rfc.section.2.2.1.9.p.2">publish_timestamp is represented as a JSON string. publish_timestamp MUST be present.  </p>
-<h1 id="rfc.section.2.2.1.10">
-<a href="#rfc.section.2.2.1.10">2.2.1.10.</a> <a href="#orgid" id="orgid">org_id</a>
-</h1>
-<p id="rfc.section.2.2.1.10.p.1">org_id represents a human-readable identifier referencing an Org object of the organisation which generated the event. A human-readable identifier MUST be represented as an unsigned integer.  </p>
-<p id="rfc.section.2.2.1.10.p.2">The org_id MUST be updated when the event is generated by a new instance.  </p>
-<p id="rfc.section.2.2.1.10.p.3">org_id is represented as a JSON string. org_id MUST be present.  </p>
-<h1 id="rfc.section.2.2.1.11">
-<a href="#rfc.section.2.2.1.11">2.2.1.11.</a> <a href="#orgcid" id="orgcid">orgc_id</a>
-</h1>
-<p id="rfc.section.2.2.1.11.p.1">orgc_id represents a human-readable identifier referencing an Orgc object of the organisation which created the event.  </p>
-<p id="rfc.section.2.2.1.11.p.2">The orgc_id and Org object MUST be preserved for any updates or transfer of the same event.  </p>
-<p id="rfc.section.2.2.1.11.p.3">orgc_id is represented as a JSON string. orgc_id MUST be present.  </p>
-<h1 id="rfc.section.2.2.1.12">
-<a href="#rfc.section.2.2.1.12">2.2.1.12.</a> <a href="#attributecount" id="attributecount">attribute_count</a>
-</h1>
-<p id="rfc.section.2.2.1.12.p.1">attribute_count represents the number of attributes in the event. attribute_count is expressed in decimal.  </p>
-<p id="rfc.section.2.2.1.12.p.2">attribute_count is represented as a JSON string. attribute_count SHALL be present.  </p>
-<h1 id="rfc.section.2.2.1.13">
-<a href="#rfc.section.2.2.1.13">2.2.1.13.</a> <a href="#distribution" id="distribution">distribution</a>
-</h1>
-<p id="rfc.section.2.2.1.13.p.1">distribution represents the basic distribution rules of the event. The system must adhere to the distribution setting for access control and for dissemination of the event.  </p>
-<p id="rfc.section.2.2.1.13.p.2">distribution is represented by a JSON string. distribution MUST be present and be one of the following options: </p>
-<p></p>
-
-<dl>
-<dt>0</dt>
-<dd style="margin-left: 8">
-<br> Your Organisation Only</dd>
-<dt>1</dt>
-<dd style="margin-left: 8">
-<br> This Community Only</dd>
-<dt>2</dt>
-<dd style="margin-left: 8">
-<br> Connected Communities</dd>
-<dt>3</dt>
-<dd style="margin-left: 8">
-<br> All Communities</dd>
-<dt>4</dt>
-<dd style="margin-left: 8">
-<br> Sharing Group</dd>
+<p id="section-2.2.1.5-3">If a higher granularity is required, a MISP taxonomy applied as a Tag <span class="bcp14">SHOULD</span> be preferred.<a href="#section-2.2.1.5-3" class="pilcrow">¶</a></p>
+<p id="section-2.2.1.5-4">threat_level_id is represented as a JSON string. threat_level_id <span class="bcp14">SHALL</span> be present.<a href="#section-2.2.1.5-4" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="analysis">
+<section id="section-2.2.1.6">
+            <h5 id="name-analysis">
+<a href="#section-2.2.1.6" class="section-number selfRef">2.2.1.6. </a><a href="#name-analysis" class="section-name selfRef">analysis</a>
+            </h5>
+<p id="section-2.2.1.6-1">analysis represents the analysis level.<a href="#section-2.2.1.6-1" class="pilcrow">¶</a></p>
+<span class="break"></span><dl class="dlCompact dlParallel" id="section-2.2.1.6-2">
+              <dt id="section-2.2.1.6-2.1">0:</dt>
+              <dd style="margin-left: 1.5em" id="section-2.2.1.6-2.2">Initial<a href="#section-2.2.1.6-2.2" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.2.1.6-2.3">1:</dt>
+              <dd style="margin-left: 1.5em" id="section-2.2.1.6-2.4">Ongoing<a href="#section-2.2.1.6-2.4" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.2.1.6-2.5">2:</dt>
+              <dd style="margin-left: 1.5em" id="section-2.2.1.6-2.6">Complete<a href="#section-2.2.1.6-2.6" class="pilcrow">¶</a>
+</dd>
+            <dd class="break"></dd>
 </dl>
-
-<p> </p>
-<h1 id="rfc.section.2.2.1.14">
-<a href="#rfc.section.2.2.1.14">2.2.1.14.</a> <a href="#sharinggroupid" id="sharinggroupid">sharing_group_id</a>
-</h1>
-<p id="rfc.section.2.2.1.14.p.1">sharing_group_id represents a human-readable identifier referencing a Sharing Group object that defines the distribution of the event, if distribution level "4" is set. A human-readable identifier MUST be represented as an unsigned integer.  </p>
-<p id="rfc.section.2.2.1.14.p.2">sharing_group_id is represented by a JSON string and SHOULD be present. If a distribution level other than "4" is chosen the sharing_group_id MUST be set to "0".  </p>
-<h1 id="rfc.section.2.2.1.15">
-<a href="#rfc.section.2.2.1.15">2.2.1.15.</a> <a href="#extendsuuid" id="extendsuuid">extends_uuid</a>
-</h1>
-<p id="rfc.section.2.2.1.15.p.1">extends_uuid represents which event is extended by this event. The extends_uuid is described as a Universally Unique IDentifier (UUID) <a href="#RFC4122" class="xref">[RFC4122]</a> with the UUID of the extended event.  </p>
-<p id="rfc.section.2.2.1.15.p.2">extends_uuid is represented as a JSON string. extends_uuid SHOULD be present.  </p>
-<h1 id="rfc.section.2.3">
-<a href="#rfc.section.2.3">2.3.</a> <a href="#objects" id="objects">Objects</a>
-</h1>
-<h1 id="rfc.section.2.3.1">
-<a href="#rfc.section.2.3.1">2.3.1.</a> <a href="#org" id="org">Org</a>
-</h1>
-<p id="rfc.section.2.3.1.p.1">An Org object is composed of an uuid, name and id.  </p>
-<p id="rfc.section.2.3.1.p.2">The uuid represents the Universally Unique IDentifier (UUID) <a href="#RFC4122" class="xref">[RFC4122]</a> of the organisation.  The organisation UUID is globally assigned to an organisation and SHALL be kept overtime.  </p>
-<p id="rfc.section.2.3.1.p.3">The name is a readable description of the organisation and SHOULD be present.  The id is a human-readable identifier generated by the instance and used as reference in the event.  A human-readable identifier MUST be represented as an unsigned integer.  </p>
-<p id="rfc.section.2.3.1.p.4">uuid, name and id are represented as a JSON string. uuid, name and id MUST be present.  </p>
-<h1 id="rfc.section.2.3.1.1">
-<a href="#rfc.section.2.3.1.1">2.3.1.1.</a> <a href="#sample-org-object" id="sample-org-object">Sample Org Object</a>
-</h1>
-<pre>
-"Org": {
+<p id="section-2.2.1.6-3">If a higher granularity is required, a MISP taxonomy applied as a Tag <span class="bcp14">SHOULD</span> be preferred.<a href="#section-2.2.1.6-3" class="pilcrow">¶</a></p>
+<p id="section-2.2.1.6-4">analysis is represented as a JSON string. analysis <span class="bcp14">SHALL</span> be present.<a href="#section-2.2.1.6-4" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="date">
+<section id="section-2.2.1.7">
+            <h5 id="name-date">
+<a href="#section-2.2.1.7" class="section-number selfRef">2.2.1.7. </a><a href="#name-date" class="section-name selfRef">date</a>
+            </h5>
+<p id="section-2.2.1.7-1">date represents a reference date to the event in ISO 8601 format (date only: YYYY-MM-DD). This date corresponds to the date the event occurred, which may be in the past.<a href="#section-2.2.1.7-1" class="pilcrow">¶</a></p>
+<p id="section-2.2.1.7-2">date is represented as a JSON string. date <span class="bcp14">MUST</span> be present.<a href="#section-2.2.1.7-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="timestamp">
+<section id="section-2.2.1.8">
+            <h5 id="name-timestamp">
+<a href="#section-2.2.1.8" class="section-number selfRef">2.2.1.8. </a><a href="#name-timestamp" class="section-name selfRef">timestamp</a>
+            </h5>
+<p id="section-2.2.1.8-1">timestamp represents a reference time when the event, or one of the attributes within the event was created, or last updated/edited on the instance. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone <span class="bcp14">MUST</span> be UTC.<a href="#section-2.2.1.8-1" class="pilcrow">¶</a></p>
+<p id="section-2.2.1.8-2">timestamp is represented as a JSON string. timestamp <span class="bcp14">MUST</span> be present.<a href="#section-2.2.1.8-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="publish-timestamp">
+<section id="section-2.2.1.9">
+            <h5 id="name-publish_timestamp">
+<a href="#section-2.2.1.9" class="section-number selfRef">2.2.1.9. </a><a href="#name-publish_timestamp" class="section-name selfRef">publish_timestamp</a>
+            </h5>
+<p id="section-2.2.1.9-1">publish_timestamp represents a reference time when the event was published on the instance. published_timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). At each publication of an event, publish_timestamp <span class="bcp14">MUST</span> be updated. The time zone <span class="bcp14">MUST</span> be UTC. If the published_timestamp is present and the published flag is set to false, the publish_timestamp represents the previous publication timestamp. If the event was never published, the published_timestamp <span class="bcp14">MUST</span> be set to 0.<a href="#section-2.2.1.9-1" class="pilcrow">¶</a></p>
+<p id="section-2.2.1.9-2">publish_timestamp is represented as a JSON string. publish_timestamp <span class="bcp14">MUST</span> be present.<a href="#section-2.2.1.9-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="org-id">
+<section id="section-2.2.1.10">
+            <h5 id="name-org_id">
+<a href="#section-2.2.1.10" class="section-number selfRef">2.2.1.10. </a><a href="#name-org_id" class="section-name selfRef">org_id</a>
+            </h5>
+<p id="section-2.2.1.10-1">org_id represents a human-readable identifier referencing an Org object of the organisation which generated the event. A human-readable identifier <span class="bcp14">MUST</span> be
+represented as an unsigned integer.<a href="#section-2.2.1.10-1" class="pilcrow">¶</a></p>
+<p id="section-2.2.1.10-2">The org_id <span class="bcp14">MUST</span> be updated when the event is generated by a new instance.<a href="#section-2.2.1.10-2" class="pilcrow">¶</a></p>
+<p id="section-2.2.1.10-3">org_id is represented as a JSON string. org_id <span class="bcp14">MUST</span> be present.<a href="#section-2.2.1.10-3" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="orgc-id">
+<section id="section-2.2.1.11">
+            <h5 id="name-orgc_id">
+<a href="#section-2.2.1.11" class="section-number selfRef">2.2.1.11. </a><a href="#name-orgc_id" class="section-name selfRef">orgc_id</a>
+            </h5>
+<p id="section-2.2.1.11-1">orgc_id represents a human-readable identifier referencing an Orgc object of the organisation which created the event.<a href="#section-2.2.1.11-1" class="pilcrow">¶</a></p>
+<p id="section-2.2.1.11-2">The orgc_id and Org object <span class="bcp14">MUST</span> be preserved for any updates or transfer of the same event.<a href="#section-2.2.1.11-2" class="pilcrow">¶</a></p>
+<p id="section-2.2.1.11-3">orgc_id is represented as a JSON string. orgc_id <span class="bcp14">MUST</span> be present.<a href="#section-2.2.1.11-3" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="attribute-count">
+<section id="section-2.2.1.12">
+            <h5 id="name-attribute_count">
+<a href="#section-2.2.1.12" class="section-number selfRef">2.2.1.12. </a><a href="#name-attribute_count" class="section-name selfRef">attribute_count</a>
+            </h5>
+<p id="section-2.2.1.12-1">attribute_count represents the number of attributes in the event. attribute_count is expressed in decimal.<a href="#section-2.2.1.12-1" class="pilcrow">¶</a></p>
+<p id="section-2.2.1.12-2">attribute_count is represented as a JSON string. attribute_count <span class="bcp14">SHALL</span> be present.<a href="#section-2.2.1.12-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="distribution">
+<section id="section-2.2.1.13">
+            <h5 id="name-distribution">
+<a href="#section-2.2.1.13" class="section-number selfRef">2.2.1.13. </a><a href="#name-distribution" class="section-name selfRef">distribution</a>
+            </h5>
+<p id="section-2.2.1.13-1">distribution represents the basic distribution rules of the event. The system must adhere to the distribution setting for access control and for dissemination of the event.<a href="#section-2.2.1.13-1" class="pilcrow">¶</a></p>
+<p id="section-2.2.1.13-2">distribution is represented by a JSON string. distribution <span class="bcp14">MUST</span> be present and be one of the following options:<a href="#section-2.2.1.13-2" class="pilcrow">¶</a></p>
+<span class="break"></span><dl class="dlCompact dlParallel" id="section-2.2.1.13-3">
+              <dt id="section-2.2.1.13-3.1">0</dt>
+              <dd style="margin-left: 1.5em" id="section-2.2.1.13-3.2">Your Organisation Only<a href="#section-2.2.1.13-3.2" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.2.1.13-3.3">1</dt>
+              <dd style="margin-left: 1.5em" id="section-2.2.1.13-3.4">This Community Only<a href="#section-2.2.1.13-3.4" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.2.1.13-3.5">2</dt>
+              <dd style="margin-left: 1.5em" id="section-2.2.1.13-3.6">Connected Communities<a href="#section-2.2.1.13-3.6" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.2.1.13-3.7">3</dt>
+              <dd style="margin-left: 1.5em" id="section-2.2.1.13-3.8">All Communities<a href="#section-2.2.1.13-3.8" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.2.1.13-3.9">4</dt>
+              <dd style="margin-left: 1.5em" id="section-2.2.1.13-3.10">Sharing Group<a href="#section-2.2.1.13-3.10" class="pilcrow">¶</a>
+</dd>
+            <dd class="break"></dd>
+</dl>
+</section>
+</div>
+<div id="sharing-group-id">
+<section id="section-2.2.1.14">
+            <h5 id="name-sharing_group_id">
+<a href="#section-2.2.1.14" class="section-number selfRef">2.2.1.14. </a><a href="#name-sharing_group_id" class="section-name selfRef">sharing_group_id</a>
+            </h5>
+<p id="section-2.2.1.14-1">sharing_group_id represents a human-readable identifier referencing a Sharing Group object that defines the distribution of the event, if distribution level "4" is set. A human-readable identifier <span class="bcp14">MUST</span> be represented as an unsigned integer.<a href="#section-2.2.1.14-1" class="pilcrow">¶</a></p>
+<p id="section-2.2.1.14-2">sharing_group_id is represented by a JSON string and <span class="bcp14">SHOULD</span> be present. If a distribution level other than "4" is chosen the sharing_group_id <span class="bcp14">MUST</span> be set to "0".<a href="#section-2.2.1.14-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="extends-uuid">
+<section id="section-2.2.1.15">
+            <h5 id="name-extends_uuid">
+<a href="#section-2.2.1.15" class="section-number selfRef">2.2.1.15. </a><a href="#name-extends_uuid" class="section-name selfRef">extends_uuid</a>
+            </h5>
+<p id="section-2.2.1.15-1">extends_uuid represents which event is extended by this event. The extends_uuid is described as a Universally Unique IDentifier (UUID) <span>[<a href="#RFC4122" class="xref">RFC4122</a>]</span> with the UUID of the extended event.<a href="#section-2.2.1.15-1" class="pilcrow">¶</a></p>
+<p id="section-2.2.1.15-2">extends_uuid is represented as a JSON string. extends_uuid <span class="bcp14">SHOULD</span> be present.<a href="#section-2.2.1.15-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+</section>
+</div>
+<div id="event-objects">
+<section id="section-2.2.2">
+          <h4 id="name-event-objects">
+<a href="#section-2.2.2" class="section-number selfRef">2.2.2. </a><a href="#name-event-objects" class="section-name selfRef">Event Objects</a>
+          </h4>
+<div id="org">
+<section id="section-2.2.2.1">
+            <h5 id="name-org">
+<a href="#section-2.2.2.1" class="section-number selfRef">2.2.2.1. </a><a href="#name-org" class="section-name selfRef">Org</a>
+            </h5>
+<p id="section-2.2.2.1-1">An Org object is composed of an uuid, name and id.<a href="#section-2.2.2.1-1" class="pilcrow">¶</a></p>
+<p id="section-2.2.2.1-2">The uuid represents the Universally Unique IDentifier (UUID) <span>[<a href="#RFC4122" class="xref">RFC4122</a>]</span> of the organisation.
+The organisation UUID is globally assigned to an organisation and <span class="bcp14">SHALL</span> be kept overtime.<a href="#section-2.2.2.1-2" class="pilcrow">¶</a></p>
+<p id="section-2.2.2.1-3">The name is a readable description of the organisation and <span class="bcp14">SHOULD</span> be present.
+The id is a human-readable identifier generated by the instance and used as reference in the event.
+A human-readable identifier <span class="bcp14">MUST</span> be represented as an unsigned integer.<a href="#section-2.2.2.1-3" class="pilcrow">¶</a></p>
+<p id="section-2.2.2.1-4">uuid, name and id are represented as a JSON string. uuid, name and id <span class="bcp14">MUST</span> be present.<a href="#section-2.2.2.1-4" class="pilcrow">¶</a></p>
+<div id="sample-org-object">
+<section id="section-2.2.2.1.1">
+              <h6 id="name-sample-org-object">
+<a href="#section-2.2.2.1.1" class="section-number selfRef">2.2.2.1.1. </a><a href="#name-sample-org-object" class="section-name selfRef">Sample Org Object</a>
+              </h6>
+<div class="alignLeft art-text artwork" id="section-2.2.2.1.1-1">
+<pre>"Org": {
         "id": "2",
         "name": "CIRCL",
         "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
        }
-</pre>
-<h1 id="rfc.section.2.3.2">
-<a href="#rfc.section.2.3.2">2.3.2.</a> <a href="#orgc" id="orgc">Orgc</a>
-</h1>
-<p id="rfc.section.2.3.2.p.1">An Orgc object is composed of an uuid, name and id.  </p>
-<p id="rfc.section.2.3.2.p.2">The uuid MUST be preserved for any updates or transfer of the same event. UUID version 4 is RECOMMENDED when assigning it to a new event.  The organisation UUID is globally assigned to an organisation and SHALL be kept overtime.  </p>
-<p id="rfc.section.2.3.2.p.3">The name is a readable description of the organisation and SHOULD be present.  The id is a human-readable identifier generated by the instance and used as reference in the event.  A human-readable identifier MUST be represented as an unsigned integer.  </p>
-<p id="rfc.section.2.3.2.p.4">uuid, name and id are represented as a JSON string. uuid, name and id MUST be present.  </p>
-<h1 id="rfc.section.2.4">
-<a href="#rfc.section.2.4">2.4.</a> <a href="#attribute" id="attribute">Attribute</a>
-</h1>
-<p id="rfc.section.2.4.p.1">Attributes are used to describe the indicators and contextual data of an event. The main information contained in an attribute is made up of a category-type-value triplet, where the category and type give meaning and context to the value. Through the various category-type combinations a wide range of information can be conveyed.  </p>
-<p id="rfc.section.2.4.p.2">A MISP document MUST at least includes category-type-value triplet described in section "Attribute Attributes".  </p>
-<h1 id="rfc.section.2.4.1">
-<a href="#rfc.section.2.4.1">2.4.1.</a> <a href="#sample-attribute-object" id="sample-attribute-object">Sample Attribute Object</a>
-</h1>
-<pre>
-"Attribute": {
+</pre><a href="#section-2.2.2.1.1-1" class="pilcrow">¶</a>
+</div>
+</section>
+</div>
+</section>
+</div>
+<div id="orgc">
+<section id="section-2.2.2.2">
+            <h5 id="name-orgc">
+<a href="#section-2.2.2.2" class="section-number selfRef">2.2.2.2. </a><a href="#name-orgc" class="section-name selfRef">Orgc</a>
+            </h5>
+<p id="section-2.2.2.2-1">An Orgc object is composed of an uuid, name and id.<a href="#section-2.2.2.2-1" class="pilcrow">¶</a></p>
+<p id="section-2.2.2.2-2">The uuid <span class="bcp14">MUST</span> be preserved for any updates or transfer of the same event. UUID version 4 is <span class="bcp14">RECOMMENDED</span> when assigning it to a new event.
+The organisation UUID is globally assigned to an organisation and <span class="bcp14">SHALL</span> be kept overtime.<a href="#section-2.2.2.2-2" class="pilcrow">¶</a></p>
+<p id="section-2.2.2.2-3">The name is a readable description of the organisation and <span class="bcp14">SHOULD</span> be present.
+The id is a human-readable identifier generated by the instance and used as reference in the event.
+A human-readable identifier <span class="bcp14">MUST</span> be represented as an unsigned integer.<a href="#section-2.2.2.2-3" class="pilcrow">¶</a></p>
+<p id="section-2.2.2.2-4">uuid, name and id are represented as a JSON string. uuid, name and id <span class="bcp14">MUST</span> be present.<a href="#section-2.2.2.2-4" class="pilcrow">¶</a></p>
+</section>
+</div>
+</section>
+</div>
+</section>
+</div>
+<div id="attribute">
+<section id="section-2.3">
+        <h3 id="name-attribute">
+<a href="#section-2.3" class="section-number selfRef">2.3. </a><a href="#name-attribute" class="section-name selfRef">Attribute</a>
+        </h3>
+<p id="section-2.3-1">Attributes are used to describe the indicators and contextual data of an event. The main information contained in an attribute is made up of a category-type-value triplet,
+where the category and type give meaning and context to the value. Through the various category-type combinations a wide range of information can be conveyed.<a href="#section-2.3-1" class="pilcrow">¶</a></p>
+<p id="section-2.3-2">A MISP document <span class="bcp14">MUST</span> at least includes category-type-value triplet described in section "Attribute Attributes".<a href="#section-2.3-2" class="pilcrow">¶</a></p>
+<div id="sample-attribute-object">
+<section id="section-2.3.1">
+          <h4 id="name-sample-attribute-object">
+<a href="#section-2.3.1" class="section-number selfRef">2.3.1. </a><a href="#name-sample-attribute-object" class="section-name selfRef">Sample Attribute Object</a>
+          </h4>
+<div class="alignLeft art-text artwork" id="section-2.3.1-1">
+<pre>"Attribute": {
               "id": "346056",
               "type": "comment",
               "category": "Other",
@@ -797,185 +1786,285 @@
               "first_seen": "2019-06-02T22:14:28.711954+00:00",
               "last_seen": null
              }
-</pre>
-<h1 id="rfc.section.2.4.2">
-<a href="#rfc.section.2.4.2">2.4.2.</a> <a href="#attribute-attributes" id="attribute-attributes">Attribute Attributes</a>
-</h1>
-<h1 id="rfc.section.2.4.2.1">
-<a href="#rfc.section.2.4.2.1">2.4.2.1.</a> <a href="#uuid-1" id="uuid-1">uuid</a>
-</h1>
-<p id="rfc.section.2.4.2.1.p.1">uuid represents the Universally Unique IDentifier (UUID) <a href="#RFC4122" class="xref">[RFC4122]</a> of the event. The uuid MUST be preserved for any updates or transfer of the same event. UUID version 4 is RECOMMENDED when assigning it to a new event.  </p>
-<p id="rfc.section.2.4.2.1.p.2">uuid is represented as a JSON string. uuid MUST be present.  </p>
-<h1 id="rfc.section.2.4.2.2">
-<a href="#rfc.section.2.4.2.2">2.4.2.2.</a> <a href="#id-1" id="id-1">id</a>
-</h1>
-<p id="rfc.section.2.4.2.2.p.1">id represents the human-readable identifier associated to the event for a specific MISP instance. A human-readable identifier MUST be represented as an unsigned integer.  </p>
-<p id="rfc.section.2.4.2.2.p.2">id is represented as a JSON string. id SHALL be present.  </p>
-<h1 id="rfc.section.2.4.2.3">
-<a href="#rfc.section.2.4.2.3">2.4.2.3.</a> <a href="#type" id="type">type</a>
-</h1>
-<p id="rfc.section.2.4.2.3.p.1">type represents the means through which an attribute tries to describe the intent of the attribute creator, using a list of pre-defined attribute types.  </p>
-<p id="rfc.section.2.4.2.3.p.2">type is represented as a JSON string. type MUST be present and it MUST be a valid selection for the chosen category. The list of valid category-type combinations is as follows: </p>
-<p></p>
-
-<dl>
-<dt>Antivirus detection</dt>
-<dd style="margin-left: 8">
-<br> link, comment, text, hex, attachment, other, anonymised</dd>
-<dt>Artifacts dropped</dt>
-<dd style="margin-left: 8">
-<br> md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, filename-pattern, pdb, stix2-pattern, yara, sigma, attachment, malware-sample, named pipe, mutex, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene, kusto-query, mime-type, anonymised, pgp-public-key, pgp-private-key</dd>
-<dt>Attribution</dt>
-<dd style="margin-left: 8">
-<br> threat-actor, campaign-name, campaign-id, whois-registrant-phone, whois-registrant-email, whois-registrant-name, whois-registrant-org, whois-registrar, whois-creation-date, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, dns-soa-email, anonymised, email</dd>
-<dt>External analysis</dt>
-<dd style="margin-left: 8">
-<br> md5, sha1, sha256, sha3-224, sha3-256, sha3-384, sha3-512, filename, filename|md5, filename|sha1, filename|sha256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, ip-src, ip-dst, ip-dst|port, ip-src|port, mac-address, mac-eui-64, hostname, domain, domain|ip, url, user-agent, regkey, regkey|value, AS, snort, bro, zeek, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, vulnerability, cpe, weakness, attachment, malware-sample, link, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, github-repository, other, cortex, anonymised, community-id</dd>
-<dt>Financial fraud</dt>
-<dd style="margin-left: 8">
-<br> btc, dash, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, phone-number, comment, text, other, hex, anonymised</dd>
-<dt>Internal reference</dt>
-<dd style="margin-left: 8">
-<br> text, link, comment, other, hex, anonymised, git-commit-id</dd>
-<dt>Network activity</dt>
-<dd style="margin-left: 8">
-<br> ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email, email-dst, email-src, eppn, url, uri, user-agent, http-method, AS, snort, pattern-in-file, filename-pattern, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised, community-id, email-subject</dd>
-<dt>Other</dt>
-<dd style="margin-left: 8">
-<br> comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean, anonymised, pgp-public-key, pgp-private-key</dd>
-<dt>Payload delivery</dt>
-<dd style="margin-left: 8">
-<br> md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, filename-pattern, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised</dd>
-<dt>Payload installation</dt>
-<dd style="margin-left: 8">
-<br> md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma, vulnerability, cpe, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, chrome-extension-id, other, mime-type, anonymised</dd>
-<dt>Payload type</dt>
-<dd style="margin-left: 8">
-<br> comment, text, other, anonymised</dd>
-<dt>Persistence mechanism</dt>
-<dd style="margin-left: 8">
-<br> filename, regkey, regkey|value, comment, text, other, hex, anonymised</dd>
-<dt>Person</dt>
-<dd style="margin-left: 8">
-<br> first-name, middle-name, last-name, date-of-birth, place-of-birth, gender, passport-number, passport-country, passport-expiration, redress-number, nationality, visa-number, issue-date-of-the-visa, primary-residence, country-of-residence, special-service-request, frequent-flyer-number, travel-details, payment-details, place-port-of-original-embarkation, place-port-of-clearance, place-port-of-onward-foreign-destination, passenger-name-record-locator-number, comment, text, other, phone-number, identity-card-number, anonymised, email, pgp-public-key, pgp-private-key</dd>
-<dt>Social network</dt>
-<dd style="margin-left: 8">
-<br> github-username, github-repository, github-organisation, jabber-id, twitter-id, email, email-src, email-dst, eppn, comment, text, other, whois-registrant-email, anonymised, pgp-public-key, pgp-private-key</dd>
-<dt>Support Tool</dt>
-<dd style="margin-left: 8">
-<br> link, text, attachment, comment, other, hex, anonymised</dd>
-<dt>Targeting data</dt>
-<dd style="margin-left: 8">
-<br> target-user, target-email, target-machine, target-org, target-location, target-external, comment, anonymised</dd>
+</pre><a href="#section-2.3.1-1" class="pilcrow">¶</a>
+</div>
+</section>
+</div>
+<div id="attribute-attributes">
+<section id="section-2.3.2">
+          <h4 id="name-attribute-attributes">
+<a href="#section-2.3.2" class="section-number selfRef">2.3.2. </a><a href="#name-attribute-attributes" class="section-name selfRef">Attribute Attributes</a>
+          </h4>
+<div id="uuid-1">
+<section id="section-2.3.2.1">
+            <h5 id="name-uuid-2">
+<a href="#section-2.3.2.1" class="section-number selfRef">2.3.2.1. </a><a href="#name-uuid-2" class="section-name selfRef">uuid</a>
+            </h5>
+<p id="section-2.3.2.1-1">uuid represents the Universally Unique IDentifier (UUID) <span>[<a href="#RFC4122" class="xref">RFC4122</a>]</span> of the event. The uuid <span class="bcp14">MUST</span> be preserved
+for any updates or transfer of the same event. UUID version 4 is <span class="bcp14">RECOMMENDED</span> when assigning it to a new event.<a href="#section-2.3.2.1-1" class="pilcrow">¶</a></p>
+<p id="section-2.3.2.1-2">uuid is represented as a JSON string. uuid <span class="bcp14">MUST</span> be present.<a href="#section-2.3.2.1-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="id-1">
+<section id="section-2.3.2.2">
+            <h5 id="name-id-2">
+<a href="#section-2.3.2.2" class="section-number selfRef">2.3.2.2. </a><a href="#name-id-2" class="section-name selfRef">id</a>
+            </h5>
+<p id="section-2.3.2.2-1">id represents the human-readable identifier associated to the event for a specific MISP instance. A human-readable identifier <span class="bcp14">MUST</span> be
+represented as an unsigned integer.<a href="#section-2.3.2.2-1" class="pilcrow">¶</a></p>
+<p id="section-2.3.2.2-2">id is represented as a JSON string. id <span class="bcp14">SHALL</span> be present.<a href="#section-2.3.2.2-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="type">
+<section id="section-2.3.2.3">
+            <h5 id="name-type">
+<a href="#section-2.3.2.3" class="section-number selfRef">2.3.2.3. </a><a href="#name-type" class="section-name selfRef">type</a>
+            </h5>
+<p id="section-2.3.2.3-1">type represents the means through which an attribute tries to describe the intent of the attribute creator, using a list of pre-defined attribute types.<a href="#section-2.3.2.3-1" class="pilcrow">¶</a></p>
+<p id="section-2.3.2.3-2">type is represented as a JSON string. type <span class="bcp14">MUST</span> be present and it <span class="bcp14">MUST</span> be a valid selection for the chosen category. The list of valid category-type combinations is as follows:<a href="#section-2.3.2.3-2" class="pilcrow">¶</a></p>
+<span class="break"></span><dl class="dlCompact dlParallel" id="section-2.3.2.3-3">
+              <dt id="section-2.3.2.3-3.1">Antivirus detection</dt>
+              <dd style="margin-left: 1.5em" id="section-2.3.2.3-3.2">link, comment, text, hex, attachment, other, anonymised<a href="#section-2.3.2.3-3.2" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.3.2.3-3.3">Artifacts dropped</dt>
+              <dd style="margin-left: 1.5em" id="section-2.3.2.3-3.4">md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, filename-pattern, pdb, stix2-pattern, yara, sigma, attachment, malware-sample, named pipe, mutex, process-state, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene, kusto-query, mime-type, anonymised, pgp-public-key, pgp-private-key<a href="#section-2.3.2.3-3.4" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.3.2.3-3.5">Attribution</dt>
+              <dd style="margin-left: 1.5em" id="section-2.3.2.3-3.6">threat-actor, campaign-name, campaign-id, whois-registrant-phone, whois-registrant-email, whois-registrant-name, whois-registrant-org, whois-registrar, whois-creation-date, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, dns-soa-email, anonymised, email<a href="#section-2.3.2.3-3.6" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.3.2.3-3.7">External analysis</dt>
+              <dd style="margin-left: 1.5em" id="section-2.3.2.3-3.8">md5, sha1, sha256, sha3-224, sha3-256, sha3-384, sha3-512, filename, filename|md5, filename|sha1, filename|sha256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, ip-src, ip-dst, ip-dst|port, ip-src|port, mac-address, mac-eui-64, hostname, domain, domain|ip, url, user-agent, regkey, regkey|value, AS, snort, bro, zeek, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, vulnerability, cpe, weakness, attachment, malware-sample, link, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, github-repository, other, cortex, anonymised, community-id<a href="#section-2.3.2.3-3.8" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.3.2.3-3.9">Financial fraud</dt>
+              <dd style="margin-left: 1.5em" id="section-2.3.2.3-3.10">btc, dash, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, phone-number, comment, text, other, hex, anonymised<a href="#section-2.3.2.3-3.10" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.3.2.3-3.11">Internal reference</dt>
+              <dd style="margin-left: 1.5em" id="section-2.3.2.3-3.12">text, link, comment, other, hex, anonymised, git-commit-id<a href="#section-2.3.2.3-3.12" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.3.2.3-3.13">Network activity</dt>
+              <dd style="margin-left: 1.5em" id="section-2.3.2.3-3.14">ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email, email-dst, email-src, eppn, url, uri, user-agent, http-method, AS, snort, pattern-in-file, filename-pattern, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised, community-id, email-subject, favicon-mmh3, dkim, dkim-signature<a href="#section-2.3.2.3-3.14" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.3.2.3-3.15">Other</dt>
+              <dd style="margin-left: 1.5em" id="section-2.3.2.3-3.16">comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean, anonymised, pgp-public-key, pgp-private-key<a href="#section-2.3.2.3-3.16" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.3.2.3-3.17">Payload delivery</dt>
+              <dd style="margin-left: 1.5em" id="section-2.3.2.3-3.18">md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, filename-pattern, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised<a href="#section-2.3.2.3-3.18" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.3.2.3-3.19">Payload installation</dt>
+              <dd style="margin-left: 1.5em" id="section-2.3.2.3-3.20">md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma, vulnerability, cpe, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, chrome-extension-id, other, mime-type, anonymised<a href="#section-2.3.2.3-3.20" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.3.2.3-3.21">Payload type</dt>
+              <dd style="margin-left: 1.5em" id="section-2.3.2.3-3.22">comment, text, other, anonymised<a href="#section-2.3.2.3-3.22" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.3.2.3-3.23">Persistence mechanism</dt>
+              <dd style="margin-left: 1.5em" id="section-2.3.2.3-3.24">filename, regkey, regkey|value, comment, text, other, hex, anonymised<a href="#section-2.3.2.3-3.24" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.3.2.3-3.25">Person</dt>
+              <dd style="margin-left: 1.5em" id="section-2.3.2.3-3.26">first-name, middle-name, last-name, full-name, date-of-birth, place-of-birth, gender, passport-number, passport-country, passport-expiration, redress-number, nationality, visa-number, issue-date-of-the-visa, primary-residence, country-of-residence, special-service-request, frequent-flyer-number, travel-details, payment-details, place-port-of-original-embarkation, place-port-of-clearance, place-port-of-onward-foreign-destination, passenger-name-record-locator-number, comment, text, other, phone-number, identity-card-number, anonymised, email, pgp-public-key, pgp-private-key<a href="#section-2.3.2.3-3.26" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.3.2.3-3.27">Social network</dt>
+              <dd style="margin-left: 1.5em" id="section-2.3.2.3-3.28">github-username, github-repository, github-organisation, jabber-id, twitter-id, email, email-src, email-dst, eppn, comment, text, other, whois-registrant-email, anonymised, pgp-public-key, pgp-private-key<a href="#section-2.3.2.3-3.28" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.3.2.3-3.29">Support Tool</dt>
+              <dd style="margin-left: 1.5em" id="section-2.3.2.3-3.30">link, text, attachment, comment, other, hex, anonymised<a href="#section-2.3.2.3-3.30" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.3.2.3-3.31">Targeting data</dt>
+              <dd style="margin-left: 1.5em" id="section-2.3.2.3-3.32">target-user, target-email, target-machine, target-org, target-location, target-external, comment, anonymised<a href="#section-2.3.2.3-3.32" class="pilcrow">¶</a>
+</dd>
+            <dd class="break"></dd>
 </dl>
-
-<p> </p>
-<p id="rfc.section.2.4.2.3.p.4">Attributes are based on the usage within their different communities. Attributes can be extended on a regular basis and this reference document is updated accordingly.  </p>
-<h1 id="rfc.section.2.4.2.4">
-<a href="#rfc.section.2.4.2.4">2.4.2.4.</a> <a href="#category" id="category">category</a>
-</h1>
-<p id="rfc.section.2.4.2.4.p.1">category represents the intent of what the attribute is describing as selected by the attribute creator, using a list of pre-defined attribute categories.  </p>
-<p id="rfc.section.2.4.2.4.p.2">category is represented as a JSON string. category MUST be present and it MUST be a valid selection for the chosen type. The list of valid category-type combinations is mentioned above.  </p>
-<h1 id="rfc.section.2.4.2.5">
-<a href="#rfc.section.2.4.2.5">2.4.2.5.</a> <a href="#toids" id="toids">to_ids</a>
-</h1>
-<p id="rfc.section.2.4.2.5.p.1">to_ids represents whether the attribute is meant to be actionable. Actionable defined attributes that can be used in automated processes as a pattern for detection in Local or Network Intrusion Detection System, log analysis tools or even filtering mechanisms.  </p>
-<p id="rfc.section.2.4.2.5.p.2">to_ids is represented as a JSON boolean. to_ids MUST be present.  </p>
-<h1 id="rfc.section.2.4.2.6">
-<a href="#rfc.section.2.4.2.6">2.4.2.6.</a> <a href="#eventid" id="eventid">event_id</a>
-</h1>
-<p id="rfc.section.2.4.2.6.p.1">event_id represents a human-readable identifier referencing the Event object that the attribute belongs to. A human-readable identifier MUST be represented as an unsigned integer.  </p>
-<p id="rfc.section.2.4.2.6.p.2">The event_id SHOULD be updated when the event is imported to reflect the newly created event's id on the instance.  </p>
-<p id="rfc.section.2.4.2.6.p.3">event_id is represented as a JSON string. event_id MUST be present.  </p>
-<h1 id="rfc.section.2.4.2.7">
-<a href="#rfc.section.2.4.2.7">2.4.2.7.</a> <a href="#distribution-1" id="distribution-1">distribution</a>
-</h1>
-<p id="rfc.section.2.4.2.7.p.1">distribution represents the basic distribution rules of the attribute. The system must adhere to the distribution setting for access control and for dissemination of the attribute.  </p>
-<p id="rfc.section.2.4.2.7.p.2">distribution is represented by a JSON string. distribution MUST be present and be one of the following options: </p>
-<p></p>
-
-<dl>
-<dt>0</dt>
-<dd style="margin-left: 8">
-<br> Your Organisation Only</dd>
-<dt>1</dt>
-<dd style="margin-left: 8">
-<br> This Community Only</dd>
-<dt>2</dt>
-<dd style="margin-left: 8">
-<br> Connected Communities</dd>
-<dt>3</dt>
-<dd style="margin-left: 8">
-<br> All Communities</dd>
-<dt>4</dt>
-<dd style="margin-left: 8">
-<br> Sharing Group</dd>
-<dt>5</dt>
-<dd style="margin-left: 8">
-<br> Inherit Event</dd>
+<p id="section-2.3.2.3-4">Attributes are based on the usage within their different communities. Attributes can be extended on a regular basis and this reference document is updated accordingly.<a href="#section-2.3.2.3-4" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="category">
+<section id="section-2.3.2.4">
+            <h5 id="name-category">
+<a href="#section-2.3.2.4" class="section-number selfRef">2.3.2.4. </a><a href="#name-category" class="section-name selfRef">category</a>
+            </h5>
+<p id="section-2.3.2.4-1">category represents the intent of what the attribute is describing as selected by the attribute creator, using a list of pre-defined attribute categories.<a href="#section-2.3.2.4-1" class="pilcrow">¶</a></p>
+<p id="section-2.3.2.4-2">category is represented as a JSON string. category <span class="bcp14">MUST</span> be present and it <span class="bcp14">MUST</span> be a valid selection for the chosen type. The list of valid category-type combinations is mentioned above.<a href="#section-2.3.2.4-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="to-ids">
+<section id="section-2.3.2.5">
+            <h5 id="name-to_ids">
+<a href="#section-2.3.2.5" class="section-number selfRef">2.3.2.5. </a><a href="#name-to_ids" class="section-name selfRef">to_ids</a>
+            </h5>
+<p id="section-2.3.2.5-1">to_ids represents whether the attribute is meant to be actionable. Actionable defined attributes that can be used in automated processes as a pattern for detection in Local or Network Intrusion Detection System, log analysis tools or even filtering mechanisms.<a href="#section-2.3.2.5-1" class="pilcrow">¶</a></p>
+<p id="section-2.3.2.5-2">to_ids is represented as a JSON boolean. to_ids <span class="bcp14">MUST</span> be present.<a href="#section-2.3.2.5-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="event-id">
+<section id="section-2.3.2.6">
+            <h5 id="name-event_id">
+<a href="#section-2.3.2.6" class="section-number selfRef">2.3.2.6. </a><a href="#name-event_id" class="section-name selfRef">event_id</a>
+            </h5>
+<p id="section-2.3.2.6-1">event_id represents a human-readable identifier referencing the Event object that the attribute belongs to. A human-readable identifier <span class="bcp14">MUST</span> be
+represented as an unsigned integer.<a href="#section-2.3.2.6-1" class="pilcrow">¶</a></p>
+<p id="section-2.3.2.6-2">The event_id <span class="bcp14">SHOULD</span> be updated when the event is imported to reflect the newly created event's id on the instance.<a href="#section-2.3.2.6-2" class="pilcrow">¶</a></p>
+<p id="section-2.3.2.6-3">event_id is represented as a JSON string. event_id <span class="bcp14">MUST</span> be present.<a href="#section-2.3.2.6-3" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="distribution-1">
+<section id="section-2.3.2.7">
+            <h5 id="name-distribution-2">
+<a href="#section-2.3.2.7" class="section-number selfRef">2.3.2.7. </a><a href="#name-distribution-2" class="section-name selfRef">distribution</a>
+            </h5>
+<p id="section-2.3.2.7-1">distribution represents the basic distribution rules of the attribute. The system must adhere to the distribution setting for access control and for dissemination of the attribute.<a href="#section-2.3.2.7-1" class="pilcrow">¶</a></p>
+<p id="section-2.3.2.7-2">distribution is represented by a JSON string. distribution <span class="bcp14">MUST</span> be present and be one of the following options:<a href="#section-2.3.2.7-2" class="pilcrow">¶</a></p>
+<span class="break"></span><dl class="dlCompact dlParallel" id="section-2.3.2.7-3">
+              <dt id="section-2.3.2.7-3.1">0</dt>
+              <dd style="margin-left: 1.5em" id="section-2.3.2.7-3.2">Your Organisation Only<a href="#section-2.3.2.7-3.2" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.3.2.7-3.3">1</dt>
+              <dd style="margin-left: 1.5em" id="section-2.3.2.7-3.4">This Community Only<a href="#section-2.3.2.7-3.4" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.3.2.7-3.5">2</dt>
+              <dd style="margin-left: 1.5em" id="section-2.3.2.7-3.6">Connected Communities<a href="#section-2.3.2.7-3.6" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.3.2.7-3.7">3</dt>
+              <dd style="margin-left: 1.5em" id="section-2.3.2.7-3.8">All Communities<a href="#section-2.3.2.7-3.8" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.3.2.7-3.9">4</dt>
+              <dd style="margin-left: 1.5em" id="section-2.3.2.7-3.10">Sharing Group<a href="#section-2.3.2.7-3.10" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.3.2.7-3.11">5</dt>
+              <dd style="margin-left: 1.5em" id="section-2.3.2.7-3.12">Inherit Event<a href="#section-2.3.2.7-3.12" class="pilcrow">¶</a>
+</dd>
+            <dd class="break"></dd>
 </dl>
-
-<p> </p>
-<h1 id="rfc.section.2.4.2.8">
-<a href="#rfc.section.2.4.2.8">2.4.2.8.</a> <a href="#timestamp-1" id="timestamp-1">timestamp</a>
-</h1>
-<p id="rfc.section.2.4.2.8.p.1">timestamp represents a reference time when the attribute was created or last modified. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone MUST be UTC.  </p>
-<p id="rfc.section.2.4.2.8.p.2">timestamp is represented as a JSON string. timestamp MUST be present.  </p>
-<h1 id="rfc.section.2.4.2.9">
-<a href="#rfc.section.2.4.2.9">2.4.2.9.</a> <a href="#comment" id="comment">comment</a>
-</h1>
-<p id="rfc.section.2.4.2.9.p.1">comment is a contextual comment field.  </p>
-<p id="rfc.section.2.4.2.9.p.2">comment is represented by a JSON string. comment MAY be present.  </p>
-<h1 id="rfc.section.2.4.2.10">
-<a href="#rfc.section.2.4.2.10">2.4.2.10.</a> <a href="#sharinggroupid-1" id="sharinggroupid-1">sharing_group_id</a>
-</h1>
-<p id="rfc.section.2.4.2.10.p.1">sharing_group_id represents a human-readable identifier referencing a Sharing Group object that defines the distribution of the attribute, if distribution level "4" is set. A human-readable identifier MUST be represented as an unsigned integer.  </p>
-<p id="rfc.section.2.4.2.10.p.2">sharing_group_id is represented by a JSON string and SHOULD be present. If a distribution level other than "4" is chosen the sharing_group_id MUST be set to "0".  </p>
-<h1 id="rfc.section.2.4.2.11">
-<a href="#rfc.section.2.4.2.11">2.4.2.11.</a> <a href="#deleted" id="deleted">deleted</a>
-</h1>
-<p id="rfc.section.2.4.2.11.p.1">deleted represents a setting that allows attributes to be revoked. Revoked attributes are not actionable and exist merely to inform other instances of a revocation.  </p>
-<p id="rfc.section.2.4.2.11.p.2">deleted is represented by a JSON boolean. deleted MUST be present.  </p>
-<h1 id="rfc.section.2.4.2.12">
-<a href="#rfc.section.2.4.2.12">2.4.2.12.</a> <a href="#data" id="data">data</a>
-</h1>
-<p id="rfc.section.2.4.2.12.p.1">data contains the base64 encoded contents of an attachment or a malware sample. For malware samples, the sample MUST be encrypted using a password protected zip archive, with the password being "infected".  </p>
-<p id="rfc.section.2.4.2.12.p.2">data is represented by a JSON string in base64 encoding. data MUST be set for attributes of type malware-sample and attachment.  </p>
-<h1 id="rfc.section.2.4.2.13">
-<a href="#rfc.section.2.4.2.13">2.4.2.13.</a> <a href="#relatedattribute" id="relatedattribute">RelatedAttribute</a>
-</h1>
-<p id="rfc.section.2.4.2.13.p.1">RelatedAttribute is an array of attributes correlating with the current attribute. Each element in the array represents an JSON object which contains an Attribute dictionnary with the external attributes who correlate. Each Attribute MUST include the id, org_id, info and a value. Only the correlations found on the local instance are shown in RelatedAttribute.  </p>
-<p id="rfc.section.2.4.2.13.p.2">RelatedAttribute MAY be present.  </p>
-<h1 id="rfc.section.2.4.2.14">
-<a href="#rfc.section.2.4.2.14">2.4.2.14.</a> <a href="#shadowattribute" id="shadowattribute">ShadowAttribute</a>
-</h1>
-<p id="rfc.section.2.4.2.14.p.1">ShadowAttribute is an array of shadow attributes that serve as proposals by third parties to alter the containing attribute. The structure of a ShadowAttribute is similar to that of an Attribute, which can be accepted or discarded by the event creator. If accepted, the original attribute containing the shadow attribute is removed and the shadow attribute is converted into an attribute.  </p>
-<p id="rfc.section.2.4.2.14.p.2">Each shadow attribute that references an attribute MUST contain the containing attribute's ID in the old_id field and the event's ID in the event_id field.  </p>
-<h1 id="rfc.section.2.4.2.15">
-<a href="#rfc.section.2.4.2.15">2.4.2.15.</a> <a href="#value" id="value">value</a>
-</h1>
-<p id="rfc.section.2.4.2.15.p.1">value represents the payload of an attribute. The format of the value is dependent on the type of the attribute.  </p>
-<p id="rfc.section.2.4.2.15.p.2">value is represented by a JSON string. value MUST be present.  </p>
-<h1 id="rfc.section.2.4.2.16">
-<a href="#rfc.section.2.4.2.16">2.4.2.16.</a> <a href="#firstseen" id="firstseen">first_seen</a>
-</h1>
-<p id="rfc.section.2.4.2.16.p.1">first_seen represents a reference time when the attribute was first seen. first_seen is expressed as an ISO 8601 datetime up to the micro-second with time zone support.  </p>
-<p id="rfc.section.2.4.2.16.p.2">first_seen is represented as a JSON string. first_seen MAY be present.  </p>
-<h1 id="rfc.section.2.4.2.17">
-<a href="#rfc.section.2.4.2.17">2.4.2.17.</a> <a href="#lastseen" id="lastseen">last_seen</a>
-</h1>
-<p id="rfc.section.2.4.2.17.p.1">last_seen represents a reference time when the attribute was last seen. last_seen is expressed as an ISO 8601 datetime up to the micro-second with time zone support.  </p>
-<p id="rfc.section.2.4.2.17.p.2">last_seen is represented as a JSON string. last_seen MAY be present.  </p>
-<h1 id="rfc.section.2.5">
-<a href="#rfc.section.2.5">2.5.</a> <a href="#shadowattribute-1" id="shadowattribute-1">ShadowAttribute</a>
-</h1>
-<p id="rfc.section.2.5.p.1">ShadowAttributes are 3rd party created attributes that either propose to add new information to an event or modify existing information. They are not meant to be actionable until the event creator accepts them - at which point they will be converted into attributes or modify an existing attribute.  </p>
-<p id="rfc.section.2.5.p.2">They are similar in structure to Attributes but additionally carry a reference to the creator of the ShadowAttribute as well as a revocation flag.  </p>
-<h1 id="rfc.section.2.5.1">
-<a href="#rfc.section.2.5.1">2.5.1.</a> <a href="#sample-attribute-object-1" id="sample-attribute-object-1">Sample Attribute Object</a>
-</h1>
-<pre>
-"ShadowAttribute":  {
+</section>
+</div>
+<div id="timestamp-1">
+<section id="section-2.3.2.8">
+            <h5 id="name-timestamp-2">
+<a href="#section-2.3.2.8" class="section-number selfRef">2.3.2.8. </a><a href="#name-timestamp-2" class="section-name selfRef">timestamp</a>
+            </h5>
+<p id="section-2.3.2.8-1">timestamp represents a reference time when the attribute was created or last modified. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone <span class="bcp14">MUST</span> be UTC.<a href="#section-2.3.2.8-1" class="pilcrow">¶</a></p>
+<p id="section-2.3.2.8-2">timestamp is represented as a JSON string. timestamp <span class="bcp14">MUST</span> be present.<a href="#section-2.3.2.8-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="comment">
+<section id="section-2.3.2.9">
+            <h5 id="name-comment">
+<a href="#section-2.3.2.9" class="section-number selfRef">2.3.2.9. </a><a href="#name-comment" class="section-name selfRef">comment</a>
+            </h5>
+<p id="section-2.3.2.9-1">comment is a contextual comment field.<a href="#section-2.3.2.9-1" class="pilcrow">¶</a></p>
+<p id="section-2.3.2.9-2">comment is represented by a JSON string. comment <span class="bcp14">MAY</span> be present.<a href="#section-2.3.2.9-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="sharing-group-id-1">
+<section id="section-2.3.2.10">
+            <h5 id="name-sharing_group_id-2">
+<a href="#section-2.3.2.10" class="section-number selfRef">2.3.2.10. </a><a href="#name-sharing_group_id-2" class="section-name selfRef">sharing_group_id</a>
+            </h5>
+<p id="section-2.3.2.10-1">sharing_group_id represents a human-readable identifier referencing a Sharing Group object that defines the distribution of the attribute, if distribution level "4" is set. A human-readable identifier <span class="bcp14">MUST</span> be represented as an unsigned integer.<a href="#section-2.3.2.10-1" class="pilcrow">¶</a></p>
+<p id="section-2.3.2.10-2">sharing_group_id is represented by a JSON string and <span class="bcp14">SHOULD</span> be present. If a distribution level other than "4" is chosen the sharing_group_id <span class="bcp14">MUST</span> be set to "0".<a href="#section-2.3.2.10-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="deleted">
+<section id="section-2.3.2.11">
+            <h5 id="name-deleted">
+<a href="#section-2.3.2.11" class="section-number selfRef">2.3.2.11. </a><a href="#name-deleted" class="section-name selfRef">deleted</a>
+            </h5>
+<p id="section-2.3.2.11-1">deleted represents a setting that allows attributes to be revoked. Revoked attributes are not actionable and exist merely to inform other instances of a revocation.<a href="#section-2.3.2.11-1" class="pilcrow">¶</a></p>
+<p id="section-2.3.2.11-2">deleted is represented by a JSON boolean. deleted <span class="bcp14">MUST</span> be present.<a href="#section-2.3.2.11-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="data">
+<section id="section-2.3.2.12">
+            <h5 id="name-data">
+<a href="#section-2.3.2.12" class="section-number selfRef">2.3.2.12. </a><a href="#name-data" class="section-name selfRef">data</a>
+            </h5>
+<p id="section-2.3.2.12-1">data contains the base64 encoded contents of an attachment or a malware sample. For malware samples,
+the sample <span class="bcp14">MUST</span> be encrypted using a password protected zip archive, with the password being "infected".<a href="#section-2.3.2.12-1" class="pilcrow">¶</a></p>
+<p id="section-2.3.2.12-2">data is represented by a JSON string in base64 encoding. data <span class="bcp14">MUST</span> be set for attributes of type malware-sample and attachment.<a href="#section-2.3.2.12-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="relatedattribute">
+<section id="section-2.3.2.13">
+            <h5 id="name-relatedattribute">
+<a href="#section-2.3.2.13" class="section-number selfRef">2.3.2.13. </a><a href="#name-relatedattribute" class="section-name selfRef">RelatedAttribute</a>
+            </h5>
+<p id="section-2.3.2.13-1">RelatedAttribute is an array of attributes correlating with the current attribute. Each element in the array represents an JSON object which contains an Attribute dictionnary with the external attributes who correlate. Each Attribute <span class="bcp14">MUST</span> include the id, org_id, info and a value. Only the correlations found on the local instance are shown in RelatedAttribute.<a href="#section-2.3.2.13-1" class="pilcrow">¶</a></p>
+<p id="section-2.3.2.13-2">RelatedAttribute <span class="bcp14">MAY</span> be present.<a href="#section-2.3.2.13-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="shadowattribute">
+<section id="section-2.3.2.14">
+            <h5 id="name-shadowattribute">
+<a href="#section-2.3.2.14" class="section-number selfRef">2.3.2.14. </a><a href="#name-shadowattribute" class="section-name selfRef">ShadowAttribute</a>
+            </h5>
+<p id="section-2.3.2.14-1">ShadowAttribute is an array of shadow attributes that serve as proposals by third parties to alter the containing attribute. The structure of a ShadowAttribute is similar to that of an Attribute,
+which can be accepted or discarded by the event creator. If accepted, the original attribute containing the shadow attribute is removed and the shadow attribute is converted into an attribute.<a href="#section-2.3.2.14-1" class="pilcrow">¶</a></p>
+<p id="section-2.3.2.14-2">Each shadow attribute that references an attribute <span class="bcp14">MUST</span> contain the containing attribute's ID in the old_id field and the event's ID in the event_id field.<a href="#section-2.3.2.14-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="value">
+<section id="section-2.3.2.15">
+            <h5 id="name-value">
+<a href="#section-2.3.2.15" class="section-number selfRef">2.3.2.15. </a><a href="#name-value" class="section-name selfRef">value</a>
+            </h5>
+<p id="section-2.3.2.15-1">value represents the payload of an attribute. The format of the value is dependent on the type of the attribute.<a href="#section-2.3.2.15-1" class="pilcrow">¶</a></p>
+<p id="section-2.3.2.15-2">value is represented by a JSON string. value <span class="bcp14">MUST</span> be present.<a href="#section-2.3.2.15-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="first-seen">
+<section id="section-2.3.2.16">
+            <h5 id="name-first_seen">
+<a href="#section-2.3.2.16" class="section-number selfRef">2.3.2.16. </a><a href="#name-first_seen" class="section-name selfRef">first_seen</a>
+            </h5>
+<p id="section-2.3.2.16-1">first_seen represents a reference time when the attribute was first seen. first_seen is expressed as an ISO 8601 datetime up to the micro-second with time zone support.<a href="#section-2.3.2.16-1" class="pilcrow">¶</a></p>
+<p id="section-2.3.2.16-2">first_seen is represented as a JSON string. first_seen <span class="bcp14">MAY</span> be present.<a href="#section-2.3.2.16-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="last-seen">
+<section id="section-2.3.2.17">
+            <h5 id="name-last_seen">
+<a href="#section-2.3.2.17" class="section-number selfRef">2.3.2.17. </a><a href="#name-last_seen" class="section-name selfRef">last_seen</a>
+            </h5>
+<p id="section-2.3.2.17-1">last_seen represents a reference time when the attribute was last seen. last_seen is expressed as an ISO 8601 datetime up to the micro-second with time zone support.<a href="#section-2.3.2.17-1" class="pilcrow">¶</a></p>
+<p id="section-2.3.2.17-2">last_seen is represented as a JSON string. last_seen <span class="bcp14">MAY</span> be present.<a href="#section-2.3.2.17-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+</section>
+</div>
+</section>
+</div>
+<div id="shadowattribute-1">
+<section id="section-2.4">
+        <h3 id="name-shadowattribute-2">
+<a href="#section-2.4" class="section-number selfRef">2.4. </a><a href="#name-shadowattribute-2" class="section-name selfRef">ShadowAttribute</a>
+        </h3>
+<p id="section-2.4-1">ShadowAttributes are 3rd party created attributes that either propose to add new information to an event or modify existing information. They are not meant to be actionable until the event creator accepts them - at which point they will be converted into attributes or modify an existing attribute.<a href="#section-2.4-1" class="pilcrow">¶</a></p>
+<p id="section-2.4-2">They are similar in structure to Attributes but additionally carry a reference to the creator of the ShadowAttribute as well as a revocation flag.<a href="#section-2.4-2" class="pilcrow">¶</a></p>
+<div id="sample-attribute-object-1">
+<section id="section-2.4.1">
+          <h4 id="name-sample-attribute-object-2">
+<a href="#section-2.4.1" class="section-number selfRef">2.4.1. </a><a href="#name-sample-attribute-object-2" class="section-name selfRef">Sample Attribute Object</a>
+          </h4>
+<div class="alignLeft art-text artwork" id="section-2.4.1-1">
+<pre>"ShadowAttribute":  {
                        "id": "8",
                        "type": "ip-src",
                        "category": "Network activity",
@@ -997,178 +2086,289 @@
                        "first_seen": "2019-06-02T22:14:28.711954+00:00",
                        "last_seen": null
                    }
-</pre>
-<h1 id="rfc.section.2.5.2">
-<a href="#rfc.section.2.5.2">2.5.2.</a> <a href="#shadowattribute-attributes" id="shadowattribute-attributes">ShadowAttribute Attributes</a>
-</h1>
-<h1 id="rfc.section.2.5.2.1">
-<a href="#rfc.section.2.5.2.1">2.5.2.1.</a> <a href="#uuid-2" id="uuid-2">uuid</a>
-</h1>
-<p id="rfc.section.2.5.2.1.p.1">uuid represents the Universally Unique IDentifier (UUID) <a href="#RFC4122" class="xref">[RFC4122]</a> of the event. The uuid MUST be preserved for any updates or transfer of the same event. UUID version 4 is RECOMMENDED when assigning it to a new event.  </p>
-<p id="rfc.section.2.5.2.1.p.2">uuid is represented as a JSON string. uuid MUST be present.  </p>
-<h1 id="rfc.section.2.5.2.2">
-<a href="#rfc.section.2.5.2.2">2.5.2.2.</a> <a href="#id-2" id="id-2">id</a>
-</h1>
-<p id="rfc.section.2.5.2.2.p.1">id represents the human-readable identifier associated to the event for a specific MISP instance. human-readable identifier MUST be represented as an unsigned integer.  id is represented as a JSON string. id SHALL be present.  </p>
-<h1 id="rfc.section.2.5.2.3">
-<a href="#rfc.section.2.5.2.3">2.5.2.3.</a> <a href="#type-1" id="type-1">type</a>
-</h1>
-<p id="rfc.section.2.5.2.3.p.1">type represents the means through which an attribute tries to describe the intent of the attribute creator, using a list of pre-defined attribute types.  </p>
-<p id="rfc.section.2.5.2.3.p.2">type is represented as a JSON string. type MUST be present and it MUST be a valid selection for the chosen category. The list of valid category-type combinations is as follows: </p>
-<p></p>
-
-<dl>
-<dt>Antivirus detection</dt>
-<dd style="margin-left: 8">
-<br> link, comment, text, hex, attachment, other, anonymised</dd>
-<dt>Artifacts dropped</dt>
-<dd style="margin-left: 8">
-<br> md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, filename-pattern, pdb, stix2-pattern, yara, sigma, attachment, malware-sample, named pipe, mutex, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene, kusto-query, mime-type, anonymised, pgp-public-key, pgp-private-key</dd>
-<dt>Attribution</dt>
-<dd style="margin-left: 8">
-<br> threat-actor, campaign-name, campaign-id, whois-registrant-phone, whois-registrant-email, whois-registrant-name, whois-registrant-org, whois-registrar, whois-creation-date, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, dns-soa-email, anonymised, email</dd>
-<dt>External analysis</dt>
-<dd style="margin-left: 8">
-<br> md5, sha1, sha256, sha3-224, sha3-256, sha3-384, sha3-512, filename, filename|md5, filename|sha1, filename|sha256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, ip-src, ip-dst, ip-dst|port, ip-src|port, mac-address, mac-eui-64, hostname, domain, domain|ip, url, user-agent, regkey, regkey|value, AS, snort, bro, zeek, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, vulnerability, cpe, weakness, attachment, malware-sample, link, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, github-repository, other, cortex, anonymised, community-id</dd>
-<dt>Financial fraud</dt>
-<dd style="margin-left: 8">
-<br> btc, dash, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, phone-number, comment, text, other, hex, anonymised</dd>
-<dt>Internal reference</dt>
-<dd style="margin-left: 8">
-<br> text, link, comment, other, hex, anonymised, git-commit-id</dd>
-<dt>Network activity</dt>
-<dd style="margin-left: 8">
-<br> ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email, email-dst, email-src, eppn, url, uri, user-agent, http-method, AS, snort, pattern-in-file, filename-pattern, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised, community-id, email-subject</dd>
-<dt>Other</dt>
-<dd style="margin-left: 8">
-<br> comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean, anonymised, pgp-public-key, pgp-private-key</dd>
-<dt>Payload delivery</dt>
-<dd style="margin-left: 8">
-<br> md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, filename-pattern, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised</dd>
-<dt>Payload installation</dt>
-<dd style="margin-left: 8">
-<br> md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma, vulnerability, cpe, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, chrome-extension-id, other, mime-type, anonymised</dd>
-<dt>Payload type</dt>
-<dd style="margin-left: 8">
-<br> comment, text, other, anonymised</dd>
-<dt>Persistence mechanism</dt>
-<dd style="margin-left: 8">
-<br> filename, regkey, regkey|value, comment, text, other, hex, anonymised</dd>
-<dt>Person</dt>
-<dd style="margin-left: 8">
-<br> first-name, middle-name, last-name, date-of-birth, place-of-birth, gender, passport-number, passport-country, passport-expiration, redress-number, nationality, visa-number, issue-date-of-the-visa, primary-residence, country-of-residence, special-service-request, frequent-flyer-number, travel-details, payment-details, place-port-of-original-embarkation, place-port-of-clearance, place-port-of-onward-foreign-destination, passenger-name-record-locator-number, comment, text, other, phone-number, identity-card-number, anonymised, email, pgp-public-key, pgp-private-key</dd>
-<dt>Social network</dt>
-<dd style="margin-left: 8">
-<br> github-username, github-repository, github-organisation, jabber-id, twitter-id, email, email-src, email-dst, eppn, comment, text, other, whois-registrant-email, anonymised, pgp-public-key, pgp-private-key</dd>
-<dt>Support Tool</dt>
-<dd style="margin-left: 8">
-<br> link, text, attachment, comment, other, hex, anonymised</dd>
-<dt>Targeting data</dt>
-<dd style="margin-left: 8">
-<br> target-user, target-email, target-machine, target-org, target-location, target-external, comment, anonymised</dd>
+</pre><a href="#section-2.4.1-1" class="pilcrow">¶</a>
+</div>
+</section>
+</div>
+<div id="shadowattribute-attributes">
+<section id="section-2.4.2">
+          <h4 id="name-shadowattribute-attributes">
+<a href="#section-2.4.2" class="section-number selfRef">2.4.2. </a><a href="#name-shadowattribute-attributes" class="section-name selfRef">ShadowAttribute Attributes</a>
+          </h4>
+<div id="uuid-2">
+<section id="section-2.4.2.1">
+            <h5 id="name-uuid-3">
+<a href="#section-2.4.2.1" class="section-number selfRef">2.4.2.1. </a><a href="#name-uuid-3" class="section-name selfRef">uuid</a>
+            </h5>
+<p id="section-2.4.2.1-1">uuid represents the Universally Unique IDentifier (UUID) <span>[<a href="#RFC4122" class="xref">RFC4122</a>]</span> of the event. The uuid <span class="bcp14">MUST</span> be preserved
+for any updates or transfer of the same event. UUID version 4 is <span class="bcp14">RECOMMENDED</span> when assigning it to a new event.<a href="#section-2.4.2.1-1" class="pilcrow">¶</a></p>
+<p id="section-2.4.2.1-2">uuid is represented as a JSON string. uuid <span class="bcp14">MUST</span> be present.<a href="#section-2.4.2.1-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="id-2">
+<section id="section-2.4.2.2">
+            <h5 id="name-id-3">
+<a href="#section-2.4.2.2" class="section-number selfRef">2.4.2.2. </a><a href="#name-id-3" class="section-name selfRef">id</a>
+            </h5>
+<p id="section-2.4.2.2-1">id represents the human-readable identifier associated to the event for a specific MISP instance. human-readable identifier <span class="bcp14">MUST</span> be represented as an unsigned integer.
+id is represented as a JSON string. id <span class="bcp14">SHALL</span> be present.<a href="#section-2.4.2.2-1" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="type-1">
+<section id="section-2.4.2.3">
+            <h5 id="name-type-2">
+<a href="#section-2.4.2.3" class="section-number selfRef">2.4.2.3. </a><a href="#name-type-2" class="section-name selfRef">type</a>
+            </h5>
+<p id="section-2.4.2.3-1">type represents the means through which an attribute tries to describe the intent of the attribute creator, using a list of pre-defined attribute types.<a href="#section-2.4.2.3-1" class="pilcrow">¶</a></p>
+<p id="section-2.4.2.3-2">type is represented as a JSON string. type <span class="bcp14">MUST</span> be present and it <span class="bcp14">MUST</span> be a valid selection for the chosen category. The list of valid category-type combinations is as follows:<a href="#section-2.4.2.3-2" class="pilcrow">¶</a></p>
+<span class="break"></span><dl class="dlCompact dlParallel" id="section-2.4.2.3-3">
+              <dt id="section-2.4.2.3-3.1">Antivirus detection</dt>
+              <dd style="margin-left: 1.5em" id="section-2.4.2.3-3.2">link, comment, text, hex, attachment, other, anonymised<a href="#section-2.4.2.3-3.2" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.4.2.3-3.3">Artifacts dropped</dt>
+              <dd style="margin-left: 1.5em" id="section-2.4.2.3-3.4">md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, filename-pattern, pdb, stix2-pattern, yara, sigma, attachment, malware-sample, named pipe, mutex, process-state, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene, kusto-query, mime-type, anonymised, pgp-public-key, pgp-private-key<a href="#section-2.4.2.3-3.4" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.4.2.3-3.5">Attribution</dt>
+              <dd style="margin-left: 1.5em" id="section-2.4.2.3-3.6">threat-actor, campaign-name, campaign-id, whois-registrant-phone, whois-registrant-email, whois-registrant-name, whois-registrant-org, whois-registrar, whois-creation-date, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, dns-soa-email, anonymised, email<a href="#section-2.4.2.3-3.6" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.4.2.3-3.7">External analysis</dt>
+              <dd style="margin-left: 1.5em" id="section-2.4.2.3-3.8">md5, sha1, sha256, sha3-224, sha3-256, sha3-384, sha3-512, filename, filename|md5, filename|sha1, filename|sha256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, ip-src, ip-dst, ip-dst|port, ip-src|port, mac-address, mac-eui-64, hostname, domain, domain|ip, url, user-agent, regkey, regkey|value, AS, snort, bro, zeek, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, vulnerability, cpe, weakness, attachment, malware-sample, link, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, github-repository, other, cortex, anonymised, community-id<a href="#section-2.4.2.3-3.8" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.4.2.3-3.9">Financial fraud</dt>
+              <dd style="margin-left: 1.5em" id="section-2.4.2.3-3.10">btc, dash, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, phone-number, comment, text, other, hex, anonymised<a href="#section-2.4.2.3-3.10" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.4.2.3-3.11">Internal reference</dt>
+              <dd style="margin-left: 1.5em" id="section-2.4.2.3-3.12">text, link, comment, other, hex, anonymised, git-commit-id<a href="#section-2.4.2.3-3.12" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.4.2.3-3.13">Network activity</dt>
+              <dd style="margin-left: 1.5em" id="section-2.4.2.3-3.14">ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email, email-dst, email-src, eppn, url, uri, user-agent, http-method, AS, snort, pattern-in-file, filename-pattern, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised, community-id, email-subject, favicon-mmh3, dkim, dkim-signature<a href="#section-2.4.2.3-3.14" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.4.2.3-3.15">Other</dt>
+              <dd style="margin-left: 1.5em" id="section-2.4.2.3-3.16">comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean, anonymised, pgp-public-key, pgp-private-key<a href="#section-2.4.2.3-3.16" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.4.2.3-3.17">Payload delivery</dt>
+              <dd style="margin-left: 1.5em" id="section-2.4.2.3-3.18">md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, filename-pattern, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised<a href="#section-2.4.2.3-3.18" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.4.2.3-3.19">Payload installation</dt>
+              <dd style="margin-left: 1.5em" id="section-2.4.2.3-3.20">md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma, vulnerability, cpe, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, chrome-extension-id, other, mime-type, anonymised<a href="#section-2.4.2.3-3.20" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.4.2.3-3.21">Payload type</dt>
+              <dd style="margin-left: 1.5em" id="section-2.4.2.3-3.22">comment, text, other, anonymised<a href="#section-2.4.2.3-3.22" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.4.2.3-3.23">Persistence mechanism</dt>
+              <dd style="margin-left: 1.5em" id="section-2.4.2.3-3.24">filename, regkey, regkey|value, comment, text, other, hex, anonymised<a href="#section-2.4.2.3-3.24" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.4.2.3-3.25">Person</dt>
+              <dd style="margin-left: 1.5em" id="section-2.4.2.3-3.26">first-name, middle-name, last-name, full-name, date-of-birth, place-of-birth, gender, passport-number, passport-country, passport-expiration, redress-number, nationality, visa-number, issue-date-of-the-visa, primary-residence, country-of-residence, special-service-request, frequent-flyer-number, travel-details, payment-details, place-port-of-original-embarkation, place-port-of-clearance, place-port-of-onward-foreign-destination, passenger-name-record-locator-number, comment, text, other, phone-number, identity-card-number, anonymised, email, pgp-public-key, pgp-private-key<a href="#section-2.4.2.3-3.26" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.4.2.3-3.27">Social network</dt>
+              <dd style="margin-left: 1.5em" id="section-2.4.2.3-3.28">github-username, github-repository, github-organisation, jabber-id, twitter-id, email, email-src, email-dst, eppn, comment, text, other, whois-registrant-email, anonymised, pgp-public-key, pgp-private-key<a href="#section-2.4.2.3-3.28" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.4.2.3-3.29">Support Tool</dt>
+              <dd style="margin-left: 1.5em" id="section-2.4.2.3-3.30">link, text, attachment, comment, other, hex, anonymised<a href="#section-2.4.2.3-3.30" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.4.2.3-3.31">Targeting data</dt>
+              <dd style="margin-left: 1.5em" id="section-2.4.2.3-3.32">target-user, target-email, target-machine, target-org, target-location, target-external, comment, anonymised<a href="#section-2.4.2.3-3.32" class="pilcrow">¶</a>
+</dd>
+            <dd class="break"></dd>
 </dl>
-
-<p> </p>
-<p id="rfc.section.2.5.2.3.p.4">Attributes are based on the usage within their different communities. Attributes can be extended on a regular basis and this reference document is updated accordingly.  </p>
-<h1 id="rfc.section.2.5.2.4">
-<a href="#rfc.section.2.5.2.4">2.5.2.4.</a> <a href="#category-1" id="category-1">category</a>
-</h1>
-<p id="rfc.section.2.5.2.4.p.1">category represents the intent of what the attribute is describing as selected by the attribute creator, using a list of pre-defined attribute categories.  </p>
-<p id="rfc.section.2.5.2.4.p.2">category is represented as a JSON string. category MUST be present and it MUST be a valid selection for the chosen type. The list of valid category-type combinations is mentioned above.  </p>
-<h1 id="rfc.section.2.5.2.5">
-<a href="#rfc.section.2.5.2.5">2.5.2.5.</a> <a href="#toids-1" id="toids-1">to_ids</a>
-</h1>
-<p id="rfc.section.2.5.2.5.p.1">to_ids represents whether the Attribute to be created if the ShadowAttribute is accepted is meant to be actionable. Actionable defined attributes that can be used in automated processes as a pattern for detection in Local or Network Intrusion Detection System, log analysis tools or even filtering mechanisms.  </p>
-<p id="rfc.section.2.5.2.5.p.2">to_ids is represented as a JSON boolean. to_ids MUST be present.  </p>
-<h1 id="rfc.section.2.5.2.6">
-<a href="#rfc.section.2.5.2.6">2.5.2.6.</a> <a href="#eventid-1" id="eventid-1">event_id</a>
-</h1>
-<p id="rfc.section.2.5.2.6.p.1">event_id represents a human-readable identifier referencing the Event object that the ShadowAttribute belongs to.  </p>
-<p id="rfc.section.2.5.2.6.p.2">The event_id SHOULD be updated when the event is imported to reflect the newly created event's id on the instance.  </p>
-<p id="rfc.section.2.5.2.6.p.3">event_id is represented as a JSON string. event_id MUST be present.  </p>
-<h1 id="rfc.section.2.5.2.7">
-<a href="#rfc.section.2.5.2.7">2.5.2.7.</a> <a href="#oldid" id="oldid">old_id</a>
-</h1>
-<p id="rfc.section.2.5.2.7.p.1">old_id represents a human-readable identifier referencing the Attribute object that the ShadowAttribute belongs to. A ShadowAttribute can this way target an existing Attribute, implying that it is a proposal to modify an existing Attribute, or alternatively it can be a proposal to create a new Attribute for the containing Event.  </p>
-<p id="rfc.section.2.5.2.7.p.2">The old_id SHOULD be updated when the event is imported to reflect the newly created Attribute's id on the instance. Alternatively, if the ShadowAttribute proposes the creation of a new Attribute, it should be set to 0.  </p>
-<p id="rfc.section.2.5.2.7.p.3">old_id is represented as a JSON string. old_id MUST be present.  </p>
-<h1 id="rfc.section.2.5.2.8">
-<a href="#rfc.section.2.5.2.8">2.5.2.8.</a> <a href="#timestamp-2" id="timestamp-2">timestamp</a>
-</h1>
-<p id="rfc.section.2.5.2.8.p.1">timestamp represents a reference time when the attribute was created or last modified. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone MUST be UTC.  </p>
-<p id="rfc.section.2.5.2.8.p.2">timestamp is represented as a JSON string. timestamp MUST be present.  </p>
-<h1 id="rfc.section.2.5.2.9">
-<a href="#rfc.section.2.5.2.9">2.5.2.9.</a> <a href="#comment-1" id="comment-1">comment</a>
-</h1>
-<p id="rfc.section.2.5.2.9.p.1">comment is a contextual comment field.  </p>
-<p id="rfc.section.2.5.2.9.p.2">comment is represented by a JSON string. comment MAY be present.  </p>
-<h1 id="rfc.section.2.5.2.10">
-<a href="#rfc.section.2.5.2.10">2.5.2.10.</a> <a href="#orgid-1" id="orgid-1">org_id</a>
-</h1>
-<p id="rfc.section.2.5.2.10.p.1">org_id represents a human-readable identifier referencing the proposal creator's Organisation object. A human-readable identifier MUST be represented as an unsigned integer.  </p>
-<p id="rfc.section.2.5.2.10.p.2">Whilst attributes can only be created by the event creator organisation, shadow attributes can be created by third parties. org_id tracks the creator organisation.  </p>
-<p id="rfc.section.2.5.2.10.p.3">org_id is represented by a JSON string and MUST be present.  </p>
-<h1 id="rfc.section.2.5.2.11">
-<a href="#rfc.section.2.5.2.11">2.5.2.11.</a> <a href="#proposaltodelete" id="proposaltodelete">proposal_to_delete</a>
-</h1>
-<p id="rfc.section.2.5.2.11.p.1">proposal_to_delete is a boolean flag that sets whether the shadow attribute proposes to alter an attribute, or whether it proposes to remove it completely.  </p>
-<p id="rfc.section.2.5.2.11.p.2">Accepting a shadow attribute with this flag set will remove the target attribute.  </p>
-<p id="rfc.section.2.5.2.11.p.3">proposal_to_delete is a JSON boolean and it MUST be present. If proposal_to_delete is set to true, old_id MUST NOT be 0.  </p>
-<h1 id="rfc.section.2.5.2.12">
-<a href="#rfc.section.2.5.2.12">2.5.2.12.</a> <a href="#deleted-1" id="deleted-1">deleted</a>
-</h1>
-<p id="rfc.section.2.5.2.12.p.1">deleted represents a setting that allows shadow attributes to be revoked. Revoked shadow attributes only serve to inform other instances that the shadow attribute is no longer active.  </p>
-<p id="rfc.section.2.5.2.12.p.2">deleted is represented by a JSON boolean. deleted SHOULD be present.  </p>
-<h1 id="rfc.section.2.5.2.13">
-<a href="#rfc.section.2.5.2.13">2.5.2.13.</a> <a href="#data-1" id="data-1">data</a>
-</h1>
-<p id="rfc.section.2.5.2.13.p.1">data contains the base64 encoded contents of an attachment or a malware sample. For malware samples, the sample MUST be encrypted using a password protected zip archive, with the password being "infected".  </p>
-<p id="rfc.section.2.5.2.13.p.2">data is represented by a JSON string in base64 encoding. data MUST be set for shadow attributes of type malware-sample and attachment.  </p>
-<h1 id="rfc.section.2.5.2.14">
-<a href="#rfc.section.2.5.2.14">2.5.2.14.</a> <a href="#firstseen-1" id="firstseen-1">first_seen</a>
-</h1>
-<p id="rfc.section.2.5.2.14.p.1">first_seen represents a reference time when the attribute was first seen. first_seen as an ISO 8601 datetime up to the micro-second with time zone support.  </p>
-<p id="rfc.section.2.5.2.14.p.2">first_seen is represented as a JSON string. first_seen MAY be present.  </p>
-<h1 id="rfc.section.2.5.2.15">
-<a href="#rfc.section.2.5.2.15">2.5.2.15.</a> <a href="#lastseen-1" id="lastseen-1">last_seen</a>
-</h1>
-<p id="rfc.section.2.5.2.15.p.1">last_seen represents a reference time when the attribute was last seen. last_seen as an ISO 8601 datetime up to the micro-second with time zone support.  </p>
-<p id="rfc.section.2.5.2.15.p.2">last_seen is represented as a JSON string. last_seen MAY be present.  </p>
-<h1 id="rfc.section.2.5.3">
-<a href="#rfc.section.2.5.3">2.5.3.</a> <a href="#org-1" id="org-1">Org</a>
-</h1>
-<p id="rfc.section.2.5.3.p.1">An Org object is composed of an uuid, name and id.  </p>
-<p id="rfc.section.2.5.3.p.2">The uuid represents the Universally Unique IDentifier (UUID) <a href="#RFC4122" class="xref">[RFC4122]</a> of the organization.  The organization UUID is globally assigned to an organization and SHALL be kept overtime.  </p>
-<p id="rfc.section.2.5.3.p.3">The name is a readable description of the organization and SHOULD be present.  The id is a human-readable identifier generated by the instance and used as reference in the event.  A human-readable identifier MUST be represented as an unsigned integer.  </p>
-<p id="rfc.section.2.5.3.p.4">uuid, name and id are represented as a JSON string. uuid, name and id MUST be present.  </p>
-<h1 id="rfc.section.2.5.3.1">
-<a href="#rfc.section.2.5.3.1">2.5.3.1.</a> <a href="#sample-org-object-1" id="sample-org-object-1">Sample Org Object</a>
-</h1>
-<pre>
-"Org": {
+<p id="section-2.4.2.3-4">Attributes are based on the usage within their different communities. Attributes can be extended on a regular basis and this reference document is updated accordingly.<a href="#section-2.4.2.3-4" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="category-1">
+<section id="section-2.4.2.4">
+            <h5 id="name-category-2">
+<a href="#section-2.4.2.4" class="section-number selfRef">2.4.2.4. </a><a href="#name-category-2" class="section-name selfRef">category</a>
+            </h5>
+<p id="section-2.4.2.4-1">category represents the intent of what the attribute is describing as selected by the attribute creator, using a list of pre-defined attribute categories.<a href="#section-2.4.2.4-1" class="pilcrow">¶</a></p>
+<p id="section-2.4.2.4-2">category is represented as a JSON string. category <span class="bcp14">MUST</span> be present and it <span class="bcp14">MUST</span> be a valid selection for the chosen type. The list of valid category-type combinations is mentioned above.<a href="#section-2.4.2.4-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="to-ids-1">
+<section id="section-2.4.2.5">
+            <h5 id="name-to_ids-2">
+<a href="#section-2.4.2.5" class="section-number selfRef">2.4.2.5. </a><a href="#name-to_ids-2" class="section-name selfRef">to_ids</a>
+            </h5>
+<p id="section-2.4.2.5-1">to_ids represents whether the Attribute to be created if the ShadowAttribute is accepted is meant to be actionable. Actionable defined attributes that can be used in automated processes as a pattern for detection in Local or Network Intrusion Detection System, log analysis tools or even filtering mechanisms.<a href="#section-2.4.2.5-1" class="pilcrow">¶</a></p>
+<p id="section-2.4.2.5-2">to_ids is represented as a JSON boolean. to_ids <span class="bcp14">MUST</span> be present.<a href="#section-2.4.2.5-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="event-id-1">
+<section id="section-2.4.2.6">
+            <h5 id="name-event_id-2">
+<a href="#section-2.4.2.6" class="section-number selfRef">2.4.2.6. </a><a href="#name-event_id-2" class="section-name selfRef">event_id</a>
+            </h5>
+<p id="section-2.4.2.6-1">event_id represents a human-readable identifier referencing the Event object that the ShadowAttribute belongs to.<a href="#section-2.4.2.6-1" class="pilcrow">¶</a></p>
+<p id="section-2.4.2.6-2">The event_id <span class="bcp14">SHOULD</span> be updated when the event is imported to reflect the newly created event's id on the instance.<a href="#section-2.4.2.6-2" class="pilcrow">¶</a></p>
+<p id="section-2.4.2.6-3">event_id is represented as a JSON string. event_id <span class="bcp14">MUST</span> be present.<a href="#section-2.4.2.6-3" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="old-id">
+<section id="section-2.4.2.7">
+            <h5 id="name-old_id">
+<a href="#section-2.4.2.7" class="section-number selfRef">2.4.2.7. </a><a href="#name-old_id" class="section-name selfRef">old_id</a>
+            </h5>
+<p id="section-2.4.2.7-1">old_id represents a human-readable identifier referencing the Attribute object that the ShadowAttribute belongs to. A ShadowAttribute can this way target an existing Attribute, implying that it is a proposal to modify an existing Attribute, or alternatively it can be a proposal to create a new Attribute for the containing Event.<a href="#section-2.4.2.7-1" class="pilcrow">¶</a></p>
+<p id="section-2.4.2.7-2">The old_id <span class="bcp14">SHOULD</span> be updated when the event is imported to reflect the newly created Attribute's id on the instance. Alternatively, if the ShadowAttribute proposes the creation of a new Attribute, it should be set to 0.<a href="#section-2.4.2.7-2" class="pilcrow">¶</a></p>
+<p id="section-2.4.2.7-3">old_id is represented as a JSON string. old_id <span class="bcp14">MUST</span> be present.<a href="#section-2.4.2.7-3" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="timestamp-2">
+<section id="section-2.4.2.8">
+            <h5 id="name-timestamp-3">
+<a href="#section-2.4.2.8" class="section-number selfRef">2.4.2.8. </a><a href="#name-timestamp-3" class="section-name selfRef">timestamp</a>
+            </h5>
+<p id="section-2.4.2.8-1">timestamp represents a reference time when the attribute was created or last modified. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone <span class="bcp14">MUST</span> be UTC.<a href="#section-2.4.2.8-1" class="pilcrow">¶</a></p>
+<p id="section-2.4.2.8-2">timestamp is represented as a JSON string. timestamp <span class="bcp14">MUST</span> be present.<a href="#section-2.4.2.8-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="comment-1">
+<section id="section-2.4.2.9">
+            <h5 id="name-comment-2">
+<a href="#section-2.4.2.9" class="section-number selfRef">2.4.2.9. </a><a href="#name-comment-2" class="section-name selfRef">comment</a>
+            </h5>
+<p id="section-2.4.2.9-1">comment is a contextual comment field.<a href="#section-2.4.2.9-1" class="pilcrow">¶</a></p>
+<p id="section-2.4.2.9-2">comment is represented by a JSON string. comment <span class="bcp14">MAY</span> be present.<a href="#section-2.4.2.9-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="org-id-1">
+<section id="section-2.4.2.10">
+            <h5 id="name-org_id-2">
+<a href="#section-2.4.2.10" class="section-number selfRef">2.4.2.10. </a><a href="#name-org_id-2" class="section-name selfRef">org_id</a>
+            </h5>
+<p id="section-2.4.2.10-1">org_id represents a human-readable identifier referencing the proposal creator's Organisation object. A human-readable identifier <span class="bcp14">MUST</span> be represented as an unsigned integer.<a href="#section-2.4.2.10-1" class="pilcrow">¶</a></p>
+<p id="section-2.4.2.10-2">Whilst attributes can only be created by the event creator organisation, shadow attributes can be created by third parties. org_id tracks the creator organisation.<a href="#section-2.4.2.10-2" class="pilcrow">¶</a></p>
+<p id="section-2.4.2.10-3">org_id is represented by a JSON string and <span class="bcp14">MUST</span> be present.<a href="#section-2.4.2.10-3" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="proposal-to-delete">
+<section id="section-2.4.2.11">
+            <h5 id="name-proposal_to_delete">
+<a href="#section-2.4.2.11" class="section-number selfRef">2.4.2.11. </a><a href="#name-proposal_to_delete" class="section-name selfRef">proposal_to_delete</a>
+            </h5>
+<p id="section-2.4.2.11-1">proposal_to_delete is a boolean flag that sets whether the shadow attribute proposes to alter an attribute, or whether it proposes to remove it completely.<a href="#section-2.4.2.11-1" class="pilcrow">¶</a></p>
+<p id="section-2.4.2.11-2">Accepting a shadow attribute with this flag set will remove the target attribute.<a href="#section-2.4.2.11-2" class="pilcrow">¶</a></p>
+<p id="section-2.4.2.11-3">proposal_to_delete is a JSON boolean and it <span class="bcp14">MUST</span> be present. If proposal_to_delete is set to true, old_id <span class="bcp14">MUST NOT</span> be 0.<a href="#section-2.4.2.11-3" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="deleted-1">
+<section id="section-2.4.2.12">
+            <h5 id="name-deleted-2">
+<a href="#section-2.4.2.12" class="section-number selfRef">2.4.2.12. </a><a href="#name-deleted-2" class="section-name selfRef">deleted</a>
+            </h5>
+<p id="section-2.4.2.12-1">deleted represents a setting that allows shadow attributes to be revoked. Revoked shadow attributes only serve to inform other instances that the shadow attribute is no longer active.<a href="#section-2.4.2.12-1" class="pilcrow">¶</a></p>
+<p id="section-2.4.2.12-2">deleted is represented by a JSON boolean. deleted <span class="bcp14">SHOULD</span> be present.<a href="#section-2.4.2.12-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="data-1">
+<section id="section-2.4.2.13">
+            <h5 id="name-data-2">
+<a href="#section-2.4.2.13" class="section-number selfRef">2.4.2.13. </a><a href="#name-data-2" class="section-name selfRef">data</a>
+            </h5>
+<p id="section-2.4.2.13-1">data contains the base64 encoded contents of an attachment or a malware sample. For malware samples,
+the sample <span class="bcp14">MUST</span> be encrypted using a password protected zip archive, with the password being "infected".<a href="#section-2.4.2.13-1" class="pilcrow">¶</a></p>
+<p id="section-2.4.2.13-2">data is represented by a JSON string in base64 encoding. data <span class="bcp14">MUST</span> be set for shadow attributes of type malware-sample and attachment.<a href="#section-2.4.2.13-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="first-seen-1">
+<section id="section-2.4.2.14">
+            <h5 id="name-first_seen-2">
+<a href="#section-2.4.2.14" class="section-number selfRef">2.4.2.14. </a><a href="#name-first_seen-2" class="section-name selfRef">first_seen</a>
+            </h5>
+<p id="section-2.4.2.14-1">first_seen represents a reference time when the attribute was first seen. first_seen as an ISO 8601 datetime up to the micro-second with time zone support.<a href="#section-2.4.2.14-1" class="pilcrow">¶</a></p>
+<p id="section-2.4.2.14-2">first_seen is represented as a JSON string. first_seen <span class="bcp14">MAY</span> be present.<a href="#section-2.4.2.14-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="last-seen-1">
+<section id="section-2.4.2.15">
+            <h5 id="name-last_seen-2">
+<a href="#section-2.4.2.15" class="section-number selfRef">2.4.2.15. </a><a href="#name-last_seen-2" class="section-name selfRef">last_seen</a>
+            </h5>
+<p id="section-2.4.2.15-1">last_seen represents a reference time when the attribute was last seen. last_seen as an ISO 8601 datetime up to the micro-second with time zone support.<a href="#section-2.4.2.15-1" class="pilcrow">¶</a></p>
+<p id="section-2.4.2.15-2">last_seen is represented as a JSON string. last_seen <span class="bcp14">MAY</span> be present.<a href="#section-2.4.2.15-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="value-1">
+<section id="section-2.4.2.16">
+            <h5 id="name-value-2">
+<a href="#section-2.4.2.16" class="section-number selfRef">2.4.2.16. </a><a href="#name-value-2" class="section-name selfRef">value</a>
+            </h5>
+<p id="section-2.4.2.16-1">value represents the payload of an attribute. The format of the value is dependent on the type of the attribute.<a href="#section-2.4.2.16-1" class="pilcrow">¶</a></p>
+<p id="section-2.4.2.16-2">value is represented by a JSON string. value <span class="bcp14">MUST</span> be present.<a href="#section-2.4.2.16-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+</section>
+</div>
+<div id="shadowattribute-objects">
+<section id="section-2.4.3">
+          <h4 id="name-shadowattribute-objects">
+<a href="#section-2.4.3" class="section-number selfRef">2.4.3. </a><a href="#name-shadowattribute-objects" class="section-name selfRef">ShadowAttribute Objects</a>
+          </h4>
+<div id="org-1">
+<section id="section-2.4.3.1">
+            <h5 id="name-org-2">
+<a href="#section-2.4.3.1" class="section-number selfRef">2.4.3.1. </a><a href="#name-org-2" class="section-name selfRef">Org</a>
+            </h5>
+<p id="section-2.4.3.1-1">An Org object is composed of an uuid, name and id.<a href="#section-2.4.3.1-1" class="pilcrow">¶</a></p>
+<p id="section-2.4.3.1-2">The uuid represents the Universally Unique IDentifier (UUID) <span>[<a href="#RFC4122" class="xref">RFC4122</a>]</span> of the organization.
+The organization UUID is globally assigned to an organization and <span class="bcp14">SHALL</span> be kept overtime.<a href="#section-2.4.3.1-2" class="pilcrow">¶</a></p>
+<p id="section-2.4.3.1-3">The name is a readable description of the organization and <span class="bcp14">SHOULD</span> be present.
+The id is a human-readable identifier generated by the instance and used as reference in the event.
+A human-readable identifier <span class="bcp14">MUST</span> be represented as an unsigned integer.<a href="#section-2.4.3.1-3" class="pilcrow">¶</a></p>
+<p id="section-2.4.3.1-4">uuid, name and id are represented as a JSON string. uuid, name and id <span class="bcp14">MUST</span> be present.<a href="#section-2.4.3.1-4" class="pilcrow">¶</a></p>
+<div id="sample-org-object-1">
+<section id="section-2.4.3.1.1">
+              <h6 id="name-sample-org-object-2">
+<a href="#section-2.4.3.1.1" class="section-number selfRef">2.4.3.1.1. </a><a href="#name-sample-org-object-2" class="section-name selfRef">Sample Org Object</a>
+              </h6>
+<div class="alignLeft art-text artwork" id="section-2.4.3.1.1-1">
+<pre>"Org": {
         "id": "2",
         "name": "CIRCL",
         "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
        }
-</pre>
-<h1 id="rfc.section.2.5.3.2">
-<a href="#rfc.section.2.5.3.2">2.5.3.2.</a> <a href="#value-1" id="value-1">value</a>
-</h1>
-<p id="rfc.section.2.5.3.2.p.1">value represents the payload of an attribute. The format of the value is dependent on the type of the attribute.  </p>
-<p id="rfc.section.2.5.3.2.p.2">value is represented by a JSON string. value MUST be present.  </p>
-<h1 id="rfc.section.2.6">
-<a href="#rfc.section.2.6">2.6.</a> <a href="#object" id="object">Object</a>
-</h1>
-<p id="rfc.section.2.6.p.1">Objects serve as a contextual bond between a list of attributes within an event. Their main purpose is to describe more complex structures than can be described by a single attribute Each object is created using an Object Template and carries the meta-data of the template used for its creation within. Objects belong to a meta-category and are defined by a name.  </p>
-<p id="rfc.section.2.6.p.2">The schema used is described by the template_uuid and template_version fields.  </p>
-<p id="rfc.section.2.6.p.3">A MISP document containing an Object MUST contain a name, a meta-category, a description, a template_uuid and a template_version as described in the "Object Attributes" section.  </p>
-<h1 id="rfc.section.2.6.1">
-<a href="#rfc.section.2.6.1">2.6.1.</a> <a href="#sample-object" id="sample-object">Sample Object</a>
-</h1>
-<div id="rfc.figure.1"></div>
-<div id="fig-sample-object"></div>
-<pre>
-"Object": {
+</pre><a href="#section-2.4.3.1.1-1" class="pilcrow">¶</a>
+</div>
+</section>
+</div>
+</section>
+</div>
+</section>
+</div>
+</section>
+</div>
+<div id="object">
+<section id="section-2.5">
+        <h3 id="name-object">
+<a href="#section-2.5" class="section-number selfRef">2.5. </a><a href="#name-object" class="section-name selfRef">Object</a>
+        </h3>
+<p id="section-2.5-1">Objects serve as a contextual bond between a list of attributes within an event. Their main purpose is to describe more complex structures than can be described by a single attribute
+Each object is created using an Object Template and carries the meta-data of the template used for its creation within. Objects belong to a meta-category and are defined by a name.<a href="#section-2.5-1" class="pilcrow">¶</a></p>
+<p id="section-2.5-2">The schema used is described by the template_uuid and template_version fields.<a href="#section-2.5-2" class="pilcrow">¶</a></p>
+<p id="section-2.5-3">A MISP document containing an Object <span class="bcp14">MUST</span> contain a name, a meta-category, a description, a template_uuid and a template_version as described in the "Object Attributes" section.<a href="#section-2.5-3" class="pilcrow">¶</a></p>
+<div id="sample-object">
+<section id="section-2.5.1">
+          <h4 id="name-sample-object">
+<a href="#section-2.5.1" class="section-number selfRef">2.5.1. </a><a href="#name-sample-object" class="section-name selfRef">Sample Object</a>
+          </h4>
+<div id="fig-sample-object">
+<div class="alignLeft art-text artwork" id="section-2.5.1-1">
+<pre>"Object": {
    "id": "588",
    "name": "file",
    "meta-category": "file",
@@ -1208,121 +2408,206 @@
      "last_seen": null
    ]
 }
-</pre>
-<p class="figure">Figure 1</p>
-<h1 id="rfc.section.2.6.2">
-<a href="#rfc.section.2.6.2">2.6.2.</a> <a href="#object-attributes" id="object-attributes">Object Attributes</a>
-</h1>
-<h1 id="rfc.section.2.6.2.1">
-<a href="#rfc.section.2.6.2.1">2.6.2.1.</a> <a href="#uuid-3" id="uuid-3">uuid</a>
-</h1>
-<p id="rfc.section.2.6.2.1.p.1">uuid represents the Universally Unique IDentifier (UUID) <a href="#RFC4122" class="xref">[RFC4122]</a> of the object. The uuid MUST be preserved for any updates or transfer of the same object. UUID version 4 is RECOMMENDED when assigning it to a new object.  </p>
-<h1 id="rfc.section.2.6.2.2">
-<a href="#rfc.section.2.6.2.2">2.6.2.2.</a> <a href="#id-3" id="id-3">id</a>
-</h1>
-<p id="rfc.section.2.6.2.2.p.1">id represents the human-readable identifier associated to the object for a specific MISP instance. A human-readable identifier MUST be represented as an unsigned integer.  </p>
-<p id="rfc.section.2.6.2.2.p.2">id is represented as a JSON string. id SHALL be present.  </p>
-<h1 id="rfc.section.2.6.2.3">
-<a href="#rfc.section.2.6.2.3">2.6.2.3.</a> <a href="#name" id="name">name</a>
-</h1>
-<p id="rfc.section.2.6.2.3.p.1">name represents the human-readable name of the object describing the intent of the object package.  </p>
-<p id="rfc.section.2.6.2.3.p.2">name is represented as a JSON string. name MUST be present </p>
-<h1 id="rfc.section.2.6.2.4">
-<a href="#rfc.section.2.6.2.4">2.6.2.4.</a> <a href="#metacategory" id="metacategory">meta-category</a>
-</h1>
-<p id="rfc.section.2.6.2.4.p.1">meta-category represents the sub-category of objects that the given object belongs to. meta-categories are not tied to a fixed list of options but can be created on the fly.  </p>
-<p id="rfc.section.2.6.2.4.p.2">meta-category is represented as a JSON string. meta-category MUST be present </p>
-<h1 id="rfc.section.2.6.2.5">
-<a href="#rfc.section.2.6.2.5">2.6.2.5.</a> <a href="#description" id="description">description</a>
-</h1>
-<p id="rfc.section.2.6.2.5.p.1">description is a human-readable description of the given object type, as derived from the template used for creation.  </p>
-<p id="rfc.section.2.6.2.5.p.2">description is represented as a JSON string. id SHALL be present.  </p>
-<h1 id="rfc.section.2.6.2.6">
-<a href="#rfc.section.2.6.2.6">2.6.2.6.</a> <a href="#templateuuid" id="templateuuid">template_uuid</a>
-</h1>
-<p id="rfc.section.2.6.2.6.p.1">uuid represents the Universally Unique IDentifier (UUID) <a href="#RFC4122" class="xref">[RFC4122]</a> of the template used to create the object. The uuid MUST be preserved to preserve the object's association with the correct template used for creation. UUID version 4 is RECOMMENDED when assigning it to a new object.  </p>
-<h1 id="rfc.section.2.6.2.7">
-<a href="#rfc.section.2.6.2.7">2.6.2.7.</a> <a href="#templateversion" id="templateversion">template_version</a>
-</h1>
-<p id="rfc.section.2.6.2.7.p.1">template_version represents a numeric incrementing version of the template used to create the object. It is used to associate the object to the correct version of the template and together with the template_uuid forms an association to the correct template type and version.  </p>
-<p id="rfc.section.2.6.2.7.p.2">version is represented as a JSON string. version MUST be present.  </p>
-<h1 id="rfc.section.2.6.2.8">
-<a href="#rfc.section.2.6.2.8">2.6.2.8.</a> <a href="#eventid-2" id="eventid-2">event_id</a>
-</h1>
-<p id="rfc.section.2.6.2.8.p.1">event_id represents the human-readable identifier of the event that the object belongs to on a specific MISP instance. A human-readable identifier MUST be represented as an unsigned integer.  </p>
-<p id="rfc.section.2.6.2.8.p.2">event_id is represented as a JSON string. event_id SHALL be present.  </p>
-<h1 id="rfc.section.2.6.2.9">
-<a href="#rfc.section.2.6.2.9">2.6.2.9.</a> <a href="#timestamp-3" id="timestamp-3">timestamp</a>
-</h1>
-<p id="rfc.section.2.6.2.9.p.1">timestamp represents a reference time when the object was created or last modified. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone MUST be UTC.  </p>
-<p id="rfc.section.2.6.2.9.p.2">timestamp is represented as a JSON string. timestamp MUST be present.  </p>
-<h1 id="rfc.section.2.6.2.10">
-<a href="#rfc.section.2.6.2.10">2.6.2.10.</a> <a href="#distribution-2" id="distribution-2">distribution</a>
-</h1>
-<p id="rfc.section.2.6.2.10.p.1">distribution represents the basic distribution rules of the object. The system must adhere to the distribution setting for access control and for dissemination of the object.  </p>
-<p id="rfc.section.2.6.2.10.p.2">distribution is represented by a JSON string. distribution MUST be present and be one of the following options: </p>
-<p></p>
-
-<dl>
-<dt>0</dt>
-<dd style="margin-left: 8">
-<br> Your Organisation Only</dd>
-<dt>1</dt>
-<dd style="margin-left: 8">
-<br> This Community Only</dd>
-<dt>2</dt>
-<dd style="margin-left: 8">
-<br> Connected Communities</dd>
-<dt>3</dt>
-<dd style="margin-left: 8">
-<br> All Communities</dd>
-<dt>4</dt>
-<dd style="margin-left: 8">
-<br> Sharing Group</dd>
+</pre><a href="#section-2.5.1-1" class="pilcrow">¶</a>
+</div>
+</div>
+</section>
+</div>
+<div id="object-attributes">
+<section id="section-2.5.2">
+          <h4 id="name-object-attributes">
+<a href="#section-2.5.2" class="section-number selfRef">2.5.2. </a><a href="#name-object-attributes" class="section-name selfRef">Object Attributes</a>
+          </h4>
+<div id="uuid-3">
+<section id="section-2.5.2.1">
+            <h5 id="name-uuid-4">
+<a href="#section-2.5.2.1" class="section-number selfRef">2.5.2.1. </a><a href="#name-uuid-4" class="section-name selfRef">uuid</a>
+            </h5>
+<p id="section-2.5.2.1-1">uuid represents the Universally Unique IDentifier (UUID) <span>[<a href="#RFC4122" class="xref">RFC4122</a>]</span> of the object. The uuid <span class="bcp14">MUST</span> be preserved
+for any updates or transfer of the same object. UUID version 4 is <span class="bcp14">RECOMMENDED</span> when assigning it to a new object.<a href="#section-2.5.2.1-1" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="id-3">
+<section id="section-2.5.2.2">
+            <h5 id="name-id-4">
+<a href="#section-2.5.2.2" class="section-number selfRef">2.5.2.2. </a><a href="#name-id-4" class="section-name selfRef">id</a>
+            </h5>
+<p id="section-2.5.2.2-1">id represents the human-readable identifier associated to the object for a specific MISP instance. A human-readable identifier <span class="bcp14">MUST</span> be
+represented as an unsigned integer.<a href="#section-2.5.2.2-1" class="pilcrow">¶</a></p>
+<p id="section-2.5.2.2-2">id is represented as a JSON string. id <span class="bcp14">SHALL</span> be present.<a href="#section-2.5.2.2-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="name">
+<section id="section-2.5.2.3">
+            <h5 id="name-name">
+<a href="#section-2.5.2.3" class="section-number selfRef">2.5.2.3. </a><a href="#name-name" class="section-name selfRef">name</a>
+            </h5>
+<p id="section-2.5.2.3-1">name represents the human-readable name of the object describing the intent of the object package.<a href="#section-2.5.2.3-1" class="pilcrow">¶</a></p>
+<p id="section-2.5.2.3-2">name is represented as a JSON string. name <span class="bcp14">MUST</span> be present.<a href="#section-2.5.2.3-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="meta-category">
+<section id="section-2.5.2.4">
+            <h5 id="name-meta-category">
+<a href="#section-2.5.2.4" class="section-number selfRef">2.5.2.4. </a><a href="#name-meta-category" class="section-name selfRef">meta-category</a>
+            </h5>
+<p id="section-2.5.2.4-1">meta-category represents the sub-category of objects that the given object belongs to. meta-categories are not
+tied to a fixed list of options but can be created on the fly.<a href="#section-2.5.2.4-1" class="pilcrow">¶</a></p>
+<p id="section-2.5.2.4-2">meta-category is represented as a JSON string. meta-category <span class="bcp14">MUST</span> be present.<a href="#section-2.5.2.4-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="description">
+<section id="section-2.5.2.5">
+            <h5 id="name-description">
+<a href="#section-2.5.2.5" class="section-number selfRef">2.5.2.5. </a><a href="#name-description" class="section-name selfRef">description</a>
+            </h5>
+<p id="section-2.5.2.5-1">description is a human-readable description of the given object type, as derived from the template used for creation.<a href="#section-2.5.2.5-1" class="pilcrow">¶</a></p>
+<p id="section-2.5.2.5-2">description is represented as a JSON string. description <span class="bcp14">SHALL</span> be present.<a href="#section-2.5.2.5-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="template-uuid">
+<section id="section-2.5.2.6">
+            <h5 id="name-template_uuid">
+<a href="#section-2.5.2.6" class="section-number selfRef">2.5.2.6. </a><a href="#name-template_uuid" class="section-name selfRef">template_uuid</a>
+            </h5>
+<p id="section-2.5.2.6-1">template_uuid represents the Universally Unique IDentifier (UUID) <span>[<a href="#RFC4122" class="xref">RFC4122</a>]</span> of the template used to create the object. The uuid <span class="bcp14">MUST</span> be preserved
+to preserve the object's association with the correct template used for creation. UUID version 4 is <span class="bcp14">RECOMMENDED</span> when assigning it to a new object.<a href="#section-2.5.2.6-1" class="pilcrow">¶</a></p>
+<p id="section-2.5.2.6-2">template_uuid is represented as a JSON string. template_uuid <span class="bcp14">MUST</span> be present.<a href="#section-2.5.2.6-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="template-version">
+<section id="section-2.5.2.7">
+            <h5 id="name-template_version">
+<a href="#section-2.5.2.7" class="section-number selfRef">2.5.2.7. </a><a href="#name-template_version" class="section-name selfRef">template_version</a>
+            </h5>
+<p id="section-2.5.2.7-1">template_version represents a numeric incrementing version of the template used to create the object. It is used to associate the object to the
+correct version of the template and together with the template_uuid forms an association to the correct template type and version.<a href="#section-2.5.2.7-1" class="pilcrow">¶</a></p>
+<p id="section-2.5.2.7-2">template_version is represented as a JSON string. template_version <span class="bcp14">MUST</span> be present.<a href="#section-2.5.2.7-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="event-id-2">
+<section id="section-2.5.2.8">
+            <h5 id="name-event_id-3">
+<a href="#section-2.5.2.8" class="section-number selfRef">2.5.2.8. </a><a href="#name-event_id-3" class="section-name selfRef">event_id</a>
+            </h5>
+<p id="section-2.5.2.8-1">event_id represents the human-readable identifier of the event that the object belongs to on a specific MISP instance. A human-readable identifier <span class="bcp14">MUST</span> be
+represented as an unsigned integer.<a href="#section-2.5.2.8-1" class="pilcrow">¶</a></p>
+<p id="section-2.5.2.8-2">event_id is represented as a JSON string. event_id <span class="bcp14">SHALL</span> be present.<a href="#section-2.5.2.8-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="timestamp-3">
+<section id="section-2.5.2.9">
+            <h5 id="name-timestamp-4">
+<a href="#section-2.5.2.9" class="section-number selfRef">2.5.2.9. </a><a href="#name-timestamp-4" class="section-name selfRef">timestamp</a>
+            </h5>
+<p id="section-2.5.2.9-1">timestamp represents a reference time when the object was created or last modified. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone <span class="bcp14">MUST</span> be UTC.<a href="#section-2.5.2.9-1" class="pilcrow">¶</a></p>
+<p id="section-2.5.2.9-2">timestamp is represented as a JSON string. timestamp <span class="bcp14">MUST</span> be present.<a href="#section-2.5.2.9-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="distribution-2">
+<section id="section-2.5.2.10">
+            <h5 id="name-distribution-3">
+<a href="#section-2.5.2.10" class="section-number selfRef">2.5.2.10. </a><a href="#name-distribution-3" class="section-name selfRef">distribution</a>
+            </h5>
+<p id="section-2.5.2.10-1">distribution represents the basic distribution rules of the object. The system must adhere to the distribution setting for access control and for dissemination of the object.<a href="#section-2.5.2.10-1" class="pilcrow">¶</a></p>
+<p id="section-2.5.2.10-2">distribution is represented by a JSON string. distribution <span class="bcp14">MUST</span> be present and be one of the following options:<a href="#section-2.5.2.10-2" class="pilcrow">¶</a></p>
+<span class="break"></span><dl class="dlCompact dlParallel" id="section-2.5.2.10-3">
+              <dt id="section-2.5.2.10-3.1">0</dt>
+              <dd style="margin-left: 1.5em" id="section-2.5.2.10-3.2">Your Organisation Only<a href="#section-2.5.2.10-3.2" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.5.2.10-3.3">1</dt>
+              <dd style="margin-left: 1.5em" id="section-2.5.2.10-3.4">This Community Only<a href="#section-2.5.2.10-3.4" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.5.2.10-3.5">2</dt>
+              <dd style="margin-left: 1.5em" id="section-2.5.2.10-3.6">Connected Communities<a href="#section-2.5.2.10-3.6" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.5.2.10-3.7">3</dt>
+              <dd style="margin-left: 1.5em" id="section-2.5.2.10-3.8">All Communities<a href="#section-2.5.2.10-3.8" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.5.2.10-3.9">4</dt>
+              <dd style="margin-left: 1.5em" id="section-2.5.2.10-3.10">Sharing Group<a href="#section-2.5.2.10-3.10" class="pilcrow">¶</a>
+</dd>
+            <dd class="break"></dd>
 </dl>
-
-<p> </p>
-<h1 id="rfc.section.2.6.2.11">
-<a href="#rfc.section.2.6.2.11">2.6.2.11.</a> <a href="#sharinggroupid-2" id="sharinggroupid-2">sharing_group_id</a>
-</h1>
-<p id="rfc.section.2.6.2.11.p.1">sharing_group_id represents a human-readable identifier referencing a Sharing Group object that defines the distribution of the object, if distribution level "4" is set. A human-readable identifier MUST be represented as an unsigned integer.  </p>
-<p id="rfc.section.2.6.2.11.p.2">sharing_group_id is represented by a JSON string and SHOULD be present. If a distribution level other than "4" is chosen the sharing_group_id MUST be set to "0".  </p>
-<h1 id="rfc.section.2.6.2.12">
-<a href="#rfc.section.2.6.2.12">2.6.2.12.</a> <a href="#comment-2" id="comment-2">comment</a>
-</h1>
-<p id="rfc.section.2.6.2.12.p.1">comment is a contextual comment field.  </p>
-<p id="rfc.section.2.6.2.12.p.2">comment is represented by a JSON string. comment MAY be present.  </p>
-<h1 id="rfc.section.2.6.2.13">
-<a href="#rfc.section.2.6.2.13">2.6.2.13.</a> <a href="#deleted-2" id="deleted-2">deleted</a>
-</h1>
-<p id="rfc.section.2.6.2.13.p.1">deleted represents a setting that allows attributes to be revoked. Revoked attributes are not actionable and exist merely to inform other instances of a revocation.  </p>
-<p id="rfc.section.2.6.2.13.p.2">deleted is represented by a JSON boolean. deleted MUST be present.  </p>
-<h1 id="rfc.section.2.6.2.14">
-<a href="#rfc.section.2.6.2.14">2.6.2.14.</a> <a href="#attribute-1" id="attribute-1">Attribute</a>
-</h1>
-<p id="rfc.section.2.6.2.14.p.1">Attribute is an array of attributes that describe the object with data.  </p>
-<p id="rfc.section.2.6.2.14.p.2">Each attribute in an object MUST contain the parent event's ID in the event_id field and the parent object's ID in the object_id field.  </p>
-<h1 id="rfc.section.2.6.2.15">
-<a href="#rfc.section.2.6.2.15">2.6.2.15.</a> <a href="#firstseen-2" id="firstseen-2">first_seen</a>
-</h1>
-<p id="rfc.section.2.6.2.15.p.1">first_seen represents a reference time when the object was first seen. first_seen as an ISO 8601 datetime up to the micro-second with time zone support.  </p>
-<p id="rfc.section.2.6.2.15.p.2">first_seen is represented as a JSON string. first_seen MAY be present.  </p>
-<h1 id="rfc.section.2.6.2.16">
-<a href="#rfc.section.2.6.2.16">2.6.2.16.</a> <a href="#lastseen-2" id="lastseen-2">last_seen</a>
-</h1>
-<p id="rfc.section.2.6.2.16.p.1">last_seen represents a reference time when the object was last seen. last_seen as an ISO 8601 datetime up to the micro-second with time zone support.  </p>
-<p id="rfc.section.2.6.2.16.p.2">last_seen is represented as a JSON string. last_seen MAY be present.  </p>
-<h1 id="rfc.section.2.7">
-<a href="#rfc.section.2.7">2.7.</a> <a href="#object-references" id="object-references">Object References</a>
-</h1>
-<p id="rfc.section.2.7.p.1">Object References serve as a logical link between an Object and another referenced Object or Attribute. The relationship is categorised by an enumerated value from a fixed vocabulary.  </p>
-<p id="rfc.section.2.7.p.2">The relationship_type is recommended to be taken from the MISP object relationship list [<a href="#MISP-R" class="xref">[MISP-R]</a>] is RECOMMENDED to ensure a coherent naming of the tags </p>
-<p id="rfc.section.2.7.p.3">All Object References MUST contain an object_uuid, a referenced_uuid and a relationship type.  </p>
-<h1 id="rfc.section.2.7.1">
-<a href="#rfc.section.2.7.1">2.7.1.</a> <a href="#sample-objectreference-object" id="sample-objectreference-object">Sample ObjectReference object</a>
-</h1>
-<pre>
-"ObjectReference": {
+</section>
+</div>
+<div id="sharing-group-id-2">
+<section id="section-2.5.2.11">
+            <h5 id="name-sharing_group_id-3">
+<a href="#section-2.5.2.11" class="section-number selfRef">2.5.2.11. </a><a href="#name-sharing_group_id-3" class="section-name selfRef">sharing_group_id</a>
+            </h5>
+<p id="section-2.5.2.11-1">sharing_group_id represents a human-readable identifier referencing a Sharing Group object that defines the distribution of the object, if distribution level "4" is set. A human-readable identifier <span class="bcp14">MUST</span> be represented as an unsigned integer.<a href="#section-2.5.2.11-1" class="pilcrow">¶</a></p>
+<p id="section-2.5.2.11-2">sharing_group_id is represented by a JSON string and <span class="bcp14">SHOULD</span> be present. If a distribution level other than "4" is chosen the sharing_group_id <span class="bcp14">MUST</span> be set to "0".<a href="#section-2.5.2.11-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="comment-2">
+<section id="section-2.5.2.12">
+            <h5 id="name-comment-3">
+<a href="#section-2.5.2.12" class="section-number selfRef">2.5.2.12. </a><a href="#name-comment-3" class="section-name selfRef">comment</a>
+            </h5>
+<p id="section-2.5.2.12-1">comment is a contextual comment field.<a href="#section-2.5.2.12-1" class="pilcrow">¶</a></p>
+<p id="section-2.5.2.12-2">comment is represented by a JSON string. comment <span class="bcp14">MAY</span> be present.<a href="#section-2.5.2.12-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="deleted-2">
+<section id="section-2.5.2.13">
+            <h5 id="name-deleted-3">
+<a href="#section-2.5.2.13" class="section-number selfRef">2.5.2.13. </a><a href="#name-deleted-3" class="section-name selfRef">deleted</a>
+            </h5>
+<p id="section-2.5.2.13-1">deleted represents a setting that allows objects to be revoked. Revoked objects are not actionable and exist merely to inform other instances of a revocation.<a href="#section-2.5.2.13-1" class="pilcrow">¶</a></p>
+<p id="section-2.5.2.13-2">deleted is represented by a JSON boolean. deleted <span class="bcp14">MUST</span> be present.<a href="#section-2.5.2.13-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="attribute-1">
+<section id="section-2.5.2.14">
+            <h5 id="name-attribute-2">
+<a href="#section-2.5.2.14" class="section-number selfRef">2.5.2.14. </a><a href="#name-attribute-2" class="section-name selfRef">Attribute</a>
+            </h5>
+<p id="section-2.5.2.14-1">Attribute is an array of attributes that describe the object with data.<a href="#section-2.5.2.14-1" class="pilcrow">¶</a></p>
+<p id="section-2.5.2.14-2">Each attribute in an object <span class="bcp14">MUST</span> contain the parent event's ID in the event_id field and the parent object's ID in the object_id field.<a href="#section-2.5.2.14-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="first-seen-2">
+<section id="section-2.5.2.15">
+            <h5 id="name-first_seen-3">
+<a href="#section-2.5.2.15" class="section-number selfRef">2.5.2.15. </a><a href="#name-first_seen-3" class="section-name selfRef">first_seen</a>
+            </h5>
+<p id="section-2.5.2.15-1">first_seen represents a reference time when the object was first seen. first_seen as an ISO 8601 datetime up to the micro-second with time zone support.<a href="#section-2.5.2.15-1" class="pilcrow">¶</a></p>
+<p id="section-2.5.2.15-2">first_seen is represented as a JSON string. first_seen <span class="bcp14">MAY</span> be present.<a href="#section-2.5.2.15-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="last-seen-2">
+<section id="section-2.5.2.16">
+            <h5 id="name-last_seen-3">
+<a href="#section-2.5.2.16" class="section-number selfRef">2.5.2.16. </a><a href="#name-last_seen-3" class="section-name selfRef">last_seen</a>
+            </h5>
+<p id="section-2.5.2.16-1">last_seen represents a reference time when the object was last seen. last_seen as an ISO 8601 datetime up to the micro-second with time zone support.<a href="#section-2.5.2.16-1" class="pilcrow">¶</a></p>
+<p id="section-2.5.2.16-2">last_seen is represented as a JSON string. last_seen <span class="bcp14">MAY</span> be present.<a href="#section-2.5.2.16-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+</section>
+</div>
+</section>
+</div>
+<div id="object-references">
+<section id="section-2.6">
+        <h3 id="name-object-references">
+<a href="#section-2.6" class="section-number selfRef">2.6. </a><a href="#name-object-references" class="section-name selfRef">Object References</a>
+        </h3>
+<p id="section-2.6-1">Object References serve as a logical link between an Object and another referenced Object or Attribute. The relationship is categorised by an enumerated value from a fixed vocabulary.<a href="#section-2.6-1" class="pilcrow">¶</a></p>
+<p id="section-2.6-2">The relationship_type is recommended to be taken from the MISP object relationship list [<span>[<a href="#MISP-R" class="xref">MISP-R</a>]</span>] is <span class="bcp14">RECOMMENDED</span> to ensure a coherent naming of the tags<a href="#section-2.6-2" class="pilcrow">¶</a></p>
+<p id="section-2.6-3">All Object References <span class="bcp14">MUST</span> contain an object_uuid, a referenced_uuid and a relationship type.<a href="#section-2.6-3" class="pilcrow">¶</a></p>
+<div id="sample-objectreference-object">
+<section id="section-2.6.1">
+          <h4 id="name-sample-objectreference-obje">
+<a href="#section-2.6.1" class="section-number selfRef">2.6.1. </a><a href="#name-sample-objectreference-obje" class="section-name selfRef">Sample ObjectReference object</a>
+          </h4>
+<div class="alignLeft art-text artwork" id="section-2.6.1-1">
+<pre>"ObjectReference": {
                     "id": "195",
                     "uuid": "59c21a2c-c0ac-4083-93b3-363da07724d1",
                     "timestamp": "1505892908",
@@ -1336,236 +2621,372 @@
                     "object_uuid": "59c1134d-8a40-4c14-ad94-0f7ba07724d1",
                     "referenced_uuid": "59c1133c-9adc-4d06-a34b-0f7ca07724d1",
                    }
-</pre>
-<h1 id="rfc.section.2.7.2">
-<a href="#rfc.section.2.7.2">2.7.2.</a> <a href="#objectreference-attributes" id="objectreference-attributes">ObjectReference Attributes</a>
-</h1>
-<h1 id="rfc.section.2.7.2.1">
-<a href="#rfc.section.2.7.2.1">2.7.2.1.</a> <a href="#uuid-4" id="uuid-4">uuid</a>
-</h1>
-<p id="rfc.section.2.7.2.1.p.1">uuid represents the Universally Unique IDentifier (UUID) <a href="#RFC4122" class="xref">[RFC4122]</a> of the object reference. The uuid MUST be preserved for any updates or transfer of the same object reference. UUID version 4 is RECOMMENDED when assigning it to a new object reference.  </p>
-<h1 id="rfc.section.2.7.2.2">
-<a href="#rfc.section.2.7.2.2">2.7.2.2.</a> <a href="#id-4" id="id-4">id</a>
-</h1>
-<p id="rfc.section.2.7.2.2.p.1">id represents the human-readable identifier associated to the object reference for a specific MISP instance.  </p>
-<p id="rfc.section.2.7.2.2.p.2">id is represented as a JSON string. id SHALL be present.  </p>
-<h1 id="rfc.section.2.7.2.3">
-<a href="#rfc.section.2.7.2.3">2.7.2.3.</a> <a href="#timestamp-4" id="timestamp-4">timestamp</a>
-</h1>
-<p id="rfc.section.2.7.2.3.p.1">timestamp represents a reference time when the object was created or last modified. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone MUST be UTC.  </p>
-<p id="rfc.section.2.7.2.3.p.2">timestamp is represented as a JSON string. timestamp MUST be present.  </p>
-<h1 id="rfc.section.2.7.2.4">
-<a href="#rfc.section.2.7.2.4">2.7.2.4.</a> <a href="#objectid" id="objectid">object_id</a>
-</h1>
-<p id="rfc.section.2.7.2.4.p.1">object_id represents the human-readable identifier of the object that the object reference belongs to on a specific MISP instance. A human-readable identifier MUST be represented as an unsigned integer.  </p>
-<p id="rfc.section.2.7.2.4.p.2">event_id is represented as a JSON string. event_id SHALL be present.  </p>
-<h1 id="rfc.section.2.7.2.5">
-<a href="#rfc.section.2.7.2.5">2.7.2.5.</a> <a href="#eventid-3" id="eventid-3">event_id</a>
-</h1>
-<p id="rfc.section.2.7.2.5.p.1">event_id represents the human-readable identifier of the event that the object reference belongs to on a specific MISP instance. A human-readable identifier MUST be represented as an unsigned integer.  </p>
-<p id="rfc.section.2.7.2.5.p.2">event_id is represented as a JSON string. event_id SHALL be present.  </p>
-<h1 id="rfc.section.2.7.2.6">
-<a href="#rfc.section.2.7.2.6">2.7.2.6.</a> <a href="#referencedid" id="referencedid">referenced_id</a>
-</h1>
-<p id="rfc.section.2.7.2.6.p.1">referenced_id represents the human-readable identifier of the object or attribute that the parent object  of the object reference points to on a specific MISP instance.  </p>
-<p id="rfc.section.2.7.2.6.p.2">referenced_id is represented as a JSON string. referenced_id MAY be present.  </p>
-<h1 id="rfc.section.2.7.2.7">
-<a href="#rfc.section.2.7.2.7">2.7.2.7.</a> <a href="#referencedtype" id="referencedtype">referenced_type</a>
-</h1>
-<p id="rfc.section.2.7.2.7.p.1">referenced_type represents the numeric value describing what the object reference points to, "0" representing an attribute and "1" representing an object </p>
-<p id="rfc.section.2.7.2.7.p.2">referenced_type is represented as a JSON string. referenced_type MAY be present.  </p>
-<h1 id="rfc.section.2.7.2.8">
-<a href="#rfc.section.2.7.2.8">2.7.2.8.</a> <a href="#relationshiptype" id="relationshiptype">relationship_type</a>
-</h1>
-<p id="rfc.section.2.7.2.8.p.1">relationship_type represents the human-readable context of the relationship between an object and another object or attribute as described by the object_reference.  </p>
-<p id="rfc.section.2.7.2.8.p.2">referenced_type is represented as a JSON string. relationship_type MUST be present.  </p>
-<h1 id="rfc.section.2.7.2.9">
-<a href="#rfc.section.2.7.2.9">2.7.2.9.</a> <a href="#comment-3" id="comment-3">comment</a>
-</h1>
-<p id="rfc.section.2.7.2.9.p.1">comment is a contextual comment field.  </p>
-<p id="rfc.section.2.7.2.9.p.2">comment is represented by a JSON string. comment MAY be present.  </p>
-<h1 id="rfc.section.2.7.2.10">
-<a href="#rfc.section.2.7.2.10">2.7.2.10.</a> <a href="#deleted-3" id="deleted-3">deleted</a>
-</h1>
-<p id="rfc.section.2.7.2.10.p.1">deleted represents a setting that allows object references to be revoked. Revoked object references are not actionable and exist merely to inform other instances of a revocation.  </p>
-<p id="rfc.section.2.7.2.10.p.2">deleted is represented by a JSON boolean. deleted MUST be present.  </p>
-<h1 id="rfc.section.2.7.2.11">
-<a href="#rfc.section.2.7.2.11">2.7.2.11.</a> <a href="#objectuuid" id="objectuuid">object_uuid</a>
-</h1>
-<p id="rfc.section.2.7.2.11.p.1">object_uuid represents the Universally Unique IDentifier (UUID) <a href="#RFC4122" class="xref">[RFC4122]</a> of the object that the given object reference belongs to. The object_uuid MUST be preserved to preserve the object reference's association with the object.  </p>
-<h1 id="rfc.section.2.7.2.12">
-<a href="#rfc.section.2.7.2.12">2.7.2.12.</a> <a href="#referenceduuid" id="referenceduuid">referenced_uuid</a>
-</h1>
-<p id="rfc.section.2.7.2.12.p.1">referenced_uuid represents the Universally Unique IDentifier (UUID) <a href="#RFC4122" class="xref">[RFC4122]</a> of the object or attribute that is being referenced by the object reference. The referenced_uuid MUST be preserved to preserve the object reference's association with the object or attribute.  </p>
-<h1 id="rfc.section.2.8">
-<a href="#rfc.section.2.8">2.8.</a> <a href="#eventreport" id="eventreport">EventReport</a>
-</h1>
-<p id="rfc.section.2.8.p.1">EventReport are used to complement an event with one or more report in Markdown format. The EventReport contains unstructured information which can be linked to Attributes, Objects, Tags or Galaxy with an extension to the Markdown marking language.  </p>
-<h1 id="rfc.section.2.8.1">
-<a href="#rfc.section.2.8.1">2.8.1.</a> <a href="#id-5" id="id-5">id</a>
-</h1>
-<p id="rfc.section.2.8.1.p.1">id represents the human-readable identifier associated to the EventReport for a specific MISP instance. A human-readable identifier MUST be represented as an unsigned integer.  </p>
-<p id="rfc.section.2.8.1.p.2">id is represented as a JSON string. id SHALL be present.  </p>
-<h1 id="rfc.section.2.8.2">
-<a href="#rfc.section.2.8.2">2.8.2.</a> <a href="#uuid-5" id="uuid-5">UUID</a>
-</h1>
-<p id="rfc.section.2.8.2.p.1">uuid represents the Universally Unique IDentifier (UUID) <a href="#RFC4122" class="xref">[RFC4122]</a> of the EventReport. The uuid MUST be preserved for any updates or transfer of the same EventReport. UUID version 4 is RECOMMENDED when assigning it to a new EventReport.  </p>
-<p id="rfc.section.2.8.2.p.2">uuid is represented as a JSON string. uuid MUST be present.  </p>
-<h1 id="rfc.section.2.8.3">
-<a href="#rfc.section.2.8.3">2.8.3.</a> <a href="#eventid-4" id="eventid-4">event_id</a>
-</h1>
-<p id="rfc.section.2.8.3.p.1">event_id represents the human-readable identifier associating the EventReport to an event on a specific MISP instance. A human-readable identifier MUST be represented as an unsigned integer.  </p>
-<p id="rfc.section.2.8.3.p.2">event_id is represented as a JSON string. event_id  MUST be present.  </p>
-<h1 id="rfc.section.2.8.4">
-<a href="#rfc.section.2.8.4">2.8.4.</a> <a href="#name-1" id="name-1">name</a>
-</h1>
-<p id="rfc.section.2.8.4.p.1">name represents the information field of the EventReport. name is a free-text value to provide a human-readable summary of the report. name SHOULD NOT be bigger than 256 characters and SHOULD NOT include new-lines.  </p>
-<p id="rfc.section.2.8.4.p.2">name is represented as a JSON string. name MUST be present.  </p>
-<h1 id="rfc.section.2.8.5">
-<a href="#rfc.section.2.8.5">2.8.5.</a> <a href="#content" id="content">content</a>
-</h1>
-<p id="rfc.section.2.8.5.p.1">content includes the raw EventReport in Markdown format with or without the specific MISP Markdown markup extension.  </p>
-<p id="rfc.section.2.8.5.p.2">The markdown extension for MISP is composed with a symbol as prefix then between square bracket the scope (attribute, object, tag or galaxymatrix) followed by the UUID in parenthesis.  </p>
-<p id="rfc.section.2.8.5.p.3">content is represented as a JSON string. content MUST be present.  </p>
-<h1 id="rfc.section.2.8.6">
-<a href="#rfc.section.2.8.6">2.8.6.</a> <a href="#distribution-3" id="distribution-3">distribution</a>
-</h1>
-<p id="rfc.section.2.8.6.p.1">distribution represents the basic distribution rules of the EventReport. The system must adhere to the distribution setting for access control and for dissemination of the EventReport.  </p>
-<p id="rfc.section.2.8.6.p.2">distribution is represented by a JSON string. distribution MUST be present and be one of the following options: </p>
-<p></p>
-
-<dl>
-<dt>0</dt>
-<dd style="margin-left: 8">
-<br> Your Organisation Only</dd>
-<dt>1</dt>
-<dd style="margin-left: 8">
-<br> This Community Only</dd>
-<dt>2</dt>
-<dd style="margin-left: 8">
-<br> Connected Communities</dd>
-<dt>3</dt>
-<dd style="margin-left: 8">
-<br> All Communities</dd>
-<dt>4</dt>
-<dd style="margin-left: 8">
-<br> Sharing Group</dd>
-<dt>5</dt>
-<dd style="margin-left: 8">
-<br> Inherit Event</dd>
+</pre><a href="#section-2.6.1-1" class="pilcrow">¶</a>
+</div>
+</section>
+</div>
+<div id="objectreference-attributes">
+<section id="section-2.6.2">
+          <h4 id="name-objectreference-attributes">
+<a href="#section-2.6.2" class="section-number selfRef">2.6.2. </a><a href="#name-objectreference-attributes" class="section-name selfRef">ObjectReference Attributes</a>
+          </h4>
+<div id="uuid-4">
+<section id="section-2.6.2.1">
+            <h5 id="name-uuid-5">
+<a href="#section-2.6.2.1" class="section-number selfRef">2.6.2.1. </a><a href="#name-uuid-5" class="section-name selfRef">uuid</a>
+            </h5>
+<p id="section-2.6.2.1-1">uuid represents the Universally Unique IDentifier (UUID) <span>[<a href="#RFC4122" class="xref">RFC4122</a>]</span> of the object reference. The uuid <span class="bcp14">MUST</span> be preserved
+for any updates or transfer of the same object reference. UUID version 4 is <span class="bcp14">RECOMMENDED</span> when assigning it to a new object reference.<a href="#section-2.6.2.1-1" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="id-4">
+<section id="section-2.6.2.2">
+            <h5 id="name-id-5">
+<a href="#section-2.6.2.2" class="section-number selfRef">2.6.2.2. </a><a href="#name-id-5" class="section-name selfRef">id</a>
+            </h5>
+<p id="section-2.6.2.2-1">id represents the human-readable identifier associated to the object reference for a specific MISP instance.<a href="#section-2.6.2.2-1" class="pilcrow">¶</a></p>
+<p id="section-2.6.2.2-2">id is represented as a JSON string. id <span class="bcp14">SHALL</span> be present.<a href="#section-2.6.2.2-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="timestamp-4">
+<section id="section-2.6.2.3">
+            <h5 id="name-timestamp-5">
+<a href="#section-2.6.2.3" class="section-number selfRef">2.6.2.3. </a><a href="#name-timestamp-5" class="section-name selfRef">timestamp</a>
+            </h5>
+<p id="section-2.6.2.3-1">timestamp represents a reference time when the object was created or last modified. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone <span class="bcp14">MUST</span> be UTC.<a href="#section-2.6.2.3-1" class="pilcrow">¶</a></p>
+<p id="section-2.6.2.3-2">timestamp is represented as a JSON string. timestamp <span class="bcp14">MUST</span> be present.<a href="#section-2.6.2.3-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="object-id">
+<section id="section-2.6.2.4">
+            <h5 id="name-object_id">
+<a href="#section-2.6.2.4" class="section-number selfRef">2.6.2.4. </a><a href="#name-object_id" class="section-name selfRef">object_id</a>
+            </h5>
+<p id="section-2.6.2.4-1">object_id represents the human-readable identifier of the object that the object reference belongs to on a specific MISP instance. A human-readable identifier <span class="bcp14">MUST</span> be
+represented as an unsigned integer.<a href="#section-2.6.2.4-1" class="pilcrow">¶</a></p>
+<p id="section-2.6.2.4-2">object_id is represented as a JSON string. object_id <span class="bcp14">SHALL</span> be present.<a href="#section-2.6.2.4-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="event-id-3">
+<section id="section-2.6.2.5">
+            <h5 id="name-event_id-4">
+<a href="#section-2.6.2.5" class="section-number selfRef">2.6.2.5. </a><a href="#name-event_id-4" class="section-name selfRef">event_id</a>
+            </h5>
+<p id="section-2.6.2.5-1">event_id represents the human-readable identifier of the event that the object reference belongs to on a specific MISP instance. A human-readable identifier <span class="bcp14">MUST</span> be
+represented as an unsigned integer.<a href="#section-2.6.2.5-1" class="pilcrow">¶</a></p>
+<p id="section-2.6.2.5-2">event_id is represented as a JSON string. event_id <span class="bcp14">SHALL</span> be present.<a href="#section-2.6.2.5-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="referenced-id">
+<section id="section-2.6.2.6">
+            <h5 id="name-referenced_id">
+<a href="#section-2.6.2.6" class="section-number selfRef">2.6.2.6. </a><a href="#name-referenced_id" class="section-name selfRef">referenced_id</a>
+            </h5>
+<p id="section-2.6.2.6-1">referenced_id represents the human-readable identifier of the object or attribute that the parent object  of the object reference points to on a specific MISP instance.<a href="#section-2.6.2.6-1" class="pilcrow">¶</a></p>
+<p id="section-2.6.2.6-2">referenced_id is represented as a JSON string. referenced_id <span class="bcp14">MAY</span> be present.<a href="#section-2.6.2.6-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="referenced-type">
+<section id="section-2.6.2.7">
+            <h5 id="name-referenced_type">
+<a href="#section-2.6.2.7" class="section-number selfRef">2.6.2.7. </a><a href="#name-referenced_type" class="section-name selfRef">referenced_type</a>
+            </h5>
+<p id="section-2.6.2.7-1">referenced_type represents the numeric value describing what the object reference points to, "0" representing an attribute and "1" representing an object<a href="#section-2.6.2.7-1" class="pilcrow">¶</a></p>
+<p id="section-2.6.2.7-2">referenced_type is represented as a JSON string. referenced_type <span class="bcp14">MAY</span> be present.<a href="#section-2.6.2.7-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="relationship-type">
+<section id="section-2.6.2.8">
+            <h5 id="name-relationship_type">
+<a href="#section-2.6.2.8" class="section-number selfRef">2.6.2.8. </a><a href="#name-relationship_type" class="section-name selfRef">relationship_type</a>
+            </h5>
+<p id="section-2.6.2.8-1">relationship_type represents the human-readable context of the relationship between an object and another object or attribute as described by the object_reference.<a href="#section-2.6.2.8-1" class="pilcrow">¶</a></p>
+<p id="section-2.6.2.8-2">relationship_type is represented as a JSON string. relationship_type <span class="bcp14">MUST</span> be present.<a href="#section-2.6.2.8-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="comment-3">
+<section id="section-2.6.2.9">
+            <h5 id="name-comment-4">
+<a href="#section-2.6.2.9" class="section-number selfRef">2.6.2.9. </a><a href="#name-comment-4" class="section-name selfRef">comment</a>
+            </h5>
+<p id="section-2.6.2.9-1">comment is a contextual comment field.<a href="#section-2.6.2.9-1" class="pilcrow">¶</a></p>
+<p id="section-2.6.2.9-2">comment is represented by a JSON string. comment <span class="bcp14">MAY</span> be present.<a href="#section-2.6.2.9-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="deleted-3">
+<section id="section-2.6.2.10">
+            <h5 id="name-deleted-4">
+<a href="#section-2.6.2.10" class="section-number selfRef">2.6.2.10. </a><a href="#name-deleted-4" class="section-name selfRef">deleted</a>
+            </h5>
+<p id="section-2.6.2.10-1">deleted represents a setting that allows object references to be revoked. Revoked object references are not actionable and exist merely to inform other instances of a revocation.<a href="#section-2.6.2.10-1" class="pilcrow">¶</a></p>
+<p id="section-2.6.2.10-2">deleted is represented by a JSON boolean. deleted <span class="bcp14">MUST</span> be present.<a href="#section-2.6.2.10-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="object-uuid">
+<section id="section-2.6.2.11">
+            <h5 id="name-object_uuid">
+<a href="#section-2.6.2.11" class="section-number selfRef">2.6.2.11. </a><a href="#name-object_uuid" class="section-name selfRef">object_uuid</a>
+            </h5>
+<p id="section-2.6.2.11-1">object_uuid represents the Universally Unique IDentifier (UUID) <span>[<a href="#RFC4122" class="xref">RFC4122</a>]</span> of the object that the given object reference belongs to. The object_uuid <span class="bcp14">MUST</span> be preserved
+to preserve the object reference's association with the object.<a href="#section-2.6.2.11-1" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="referenced-uuid">
+<section id="section-2.6.2.12">
+            <h5 id="name-referenced_uuid">
+<a href="#section-2.6.2.12" class="section-number selfRef">2.6.2.12. </a><a href="#name-referenced_uuid" class="section-name selfRef">referenced_uuid</a>
+            </h5>
+<p id="section-2.6.2.12-1">referenced_uuid represents the Universally Unique IDentifier (UUID) <span>[<a href="#RFC4122" class="xref">RFC4122</a>]</span> of the object or attribute that is being referenced by the object reference. The referenced_uuid <span class="bcp14">MUST</span> be preserved
+to preserve the object reference's association with the object or attribute.<a href="#section-2.6.2.12-1" class="pilcrow">¶</a></p>
+</section>
+</div>
+</section>
+</div>
+</section>
+</div>
+<div id="eventreport">
+<section id="section-2.7">
+        <h3 id="name-eventreport">
+<a href="#section-2.7" class="section-number selfRef">2.7. </a><a href="#name-eventreport" class="section-name selfRef">EventReport</a>
+        </h3>
+<p id="section-2.7-1">EventReport are used to complement an event with one or more report in Markdown format. The EventReport contains unstructured information which can be linked to Attributes, Objects, Tags or Galaxy with
+an extension to the Markdown marking language.<a href="#section-2.7-1" class="pilcrow">¶</a></p>
+<div id="id-5">
+<section id="section-2.7.1">
+          <h4 id="name-id-6">
+<a href="#section-2.7.1" class="section-number selfRef">2.7.1. </a><a href="#name-id-6" class="section-name selfRef">id</a>
+          </h4>
+<p id="section-2.7.1-1">id represents the human-readable identifier associated to the EventReport for a specific MISP instance. A human-readable identifier <span class="bcp14">MUST</span> be
+represented as an unsigned integer.<a href="#section-2.7.1-1" class="pilcrow">¶</a></p>
+<p id="section-2.7.1-2">id is represented as a JSON string. id <span class="bcp14">SHALL</span> be present.<a href="#section-2.7.1-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="uuid-5">
+<section id="section-2.7.2">
+          <h4 id="name-uuid-6">
+<a href="#section-2.7.2" class="section-number selfRef">2.7.2. </a><a href="#name-uuid-6" class="section-name selfRef">UUID</a>
+          </h4>
+<p id="section-2.7.2-1">uuid represents the Universally Unique IDentifier (UUID) <span>[<a href="#RFC4122" class="xref">RFC4122</a>]</span> of the EventReport. The uuid <span class="bcp14">MUST</span> be preserved for any updates or transfer of the same EventReport. UUID version 4 is <span class="bcp14">RECOMMENDED</span> when assigning it to a new EventReport.<a href="#section-2.7.2-1" class="pilcrow">¶</a></p>
+<p id="section-2.7.2-2">uuid is represented as a JSON string. uuid <span class="bcp14">MUST</span> be present.<a href="#section-2.7.2-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="event-id-4">
+<section id="section-2.7.3">
+          <h4 id="name-event_id-5">
+<a href="#section-2.7.3" class="section-number selfRef">2.7.3. </a><a href="#name-event_id-5" class="section-name selfRef">event_id</a>
+          </h4>
+<p id="section-2.7.3-1">event_id represents the human-readable identifier associating the EventReport to an event on a specific MISP instance. A human-readable identifier <span class="bcp14">MUST</span> be
+represented as an unsigned integer.<a href="#section-2.7.3-1" class="pilcrow">¶</a></p>
+<p id="section-2.7.3-2">event_id is represented as a JSON string. event_id  <span class="bcp14">MUST</span> be present.<a href="#section-2.7.3-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="name-1">
+<section id="section-2.7.4">
+          <h4 id="name-name-2">
+<a href="#section-2.7.4" class="section-number selfRef">2.7.4. </a><a href="#name-name-2" class="section-name selfRef">name</a>
+          </h4>
+<p id="section-2.7.4-1">name represents the information field of the EventReport. name is a free-text value to provide a human-readable summary
+of the report. name <span class="bcp14">SHOULD</span> NOT be bigger than 256 characters and <span class="bcp14">SHOULD</span> NOT include new-lines.<a href="#section-2.7.4-1" class="pilcrow">¶</a></p>
+<p id="section-2.7.4-2">name is represented as a JSON string. name <span class="bcp14">MUST</span> be present.<a href="#section-2.7.4-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="content">
+<section id="section-2.7.5">
+          <h4 id="name-content">
+<a href="#section-2.7.5" class="section-number selfRef">2.7.5. </a><a href="#name-content" class="section-name selfRef">content</a>
+          </h4>
+<p id="section-2.7.5-1">content includes the raw EventReport in Markdown format with or without the specific MISP Markdown markup extension.<a href="#section-2.7.5-1" class="pilcrow">¶</a></p>
+<p id="section-2.7.5-2">The markdown extension for MISP is composed with a symbol as prefix then between square bracket the scope (attribute, object, tag or galaxymatrix) followed by the UUID in parenthesis.<a href="#section-2.7.5-2" class="pilcrow">¶</a></p>
+<p id="section-2.7.5-3">content is represented as a JSON string. content <span class="bcp14">MUST</span> be present.<a href="#section-2.7.5-3" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="distribution-3">
+<section id="section-2.7.6">
+          <h4 id="name-distribution-4">
+<a href="#section-2.7.6" class="section-number selfRef">2.7.6. </a><a href="#name-distribution-4" class="section-name selfRef">distribution</a>
+          </h4>
+<p id="section-2.7.6-1">distribution represents the basic distribution rules of the EventReport. The system must adhere to the distribution setting for access control and for dissemination of the EventReport.<a href="#section-2.7.6-1" class="pilcrow">¶</a></p>
+<p id="section-2.7.6-2">distribution is represented by a JSON string. distribution <span class="bcp14">MUST</span> be present and be one of the following options:<a href="#section-2.7.6-2" class="pilcrow">¶</a></p>
+<span class="break"></span><dl class="dlCompact dlParallel" id="section-2.7.6-3">
+            <dt id="section-2.7.6-3.1">0</dt>
+            <dd style="margin-left: 1.5em" id="section-2.7.6-3.2">Your Organisation Only<a href="#section-2.7.6-3.2" class="pilcrow">¶</a>
+</dd>
+            <dd class="break"></dd>
+<dt id="section-2.7.6-3.3">1</dt>
+            <dd style="margin-left: 1.5em" id="section-2.7.6-3.4">This Community Only<a href="#section-2.7.6-3.4" class="pilcrow">¶</a>
+</dd>
+            <dd class="break"></dd>
+<dt id="section-2.7.6-3.5">2</dt>
+            <dd style="margin-left: 1.5em" id="section-2.7.6-3.6">Connected Communities<a href="#section-2.7.6-3.6" class="pilcrow">¶</a>
+</dd>
+            <dd class="break"></dd>
+<dt id="section-2.7.6-3.7">3</dt>
+            <dd style="margin-left: 1.5em" id="section-2.7.6-3.8">All Communities<a href="#section-2.7.6-3.8" class="pilcrow">¶</a>
+</dd>
+            <dd class="break"></dd>
+<dt id="section-2.7.6-3.9">4</dt>
+            <dd style="margin-left: 1.5em" id="section-2.7.6-3.10">Sharing Group<a href="#section-2.7.6-3.10" class="pilcrow">¶</a>
+</dd>
+            <dd class="break"></dd>
+<dt id="section-2.7.6-3.11">5</dt>
+            <dd style="margin-left: 1.5em" id="section-2.7.6-3.12">Inherit Event<a href="#section-2.7.6-3.12" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
 </dl>
-
-<p> </p>
-<h1 id="rfc.section.2.8.7">
-<a href="#rfc.section.2.8.7">2.8.7.</a> <a href="#sharinggroupid-3" id="sharinggroupid-3">sharing_group_id</a>
-</h1>
-<p id="rfc.section.2.8.7.p.1">sharing_group_id represents the local id to the MISP local instance of the Sharing Group associated for the distribution.  </p>
-<p id="rfc.section.2.8.7.p.2">sharing_group_id is represented by a JSON string. sharing_group_id MUST be present and set to "0" if not used.  </p>
-<h1 id="rfc.section.2.8.8">
-<a href="#rfc.section.2.8.8">2.8.8.</a> <a href="#timestamp-5" id="timestamp-5">timestamp</a>
-</h1>
-<p id="rfc.section.2.8.8.p.1">timestamp represents a reference time when the EventReport was created or last modified. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone MUST be UTC.  </p>
-<p id="rfc.section.2.8.8.p.2">timestamp is represented as a JSON string. timestamp MUST be present.  </p>
-<h1 id="rfc.section.2.8.9">
-<a href="#rfc.section.2.8.9">2.8.9.</a> <a href="#deleted-4" id="deleted-4">deleted</a>
-</h1>
-<p id="rfc.section.2.8.9.p.1">deleted represents a setting that allows EventReport to be revoked. Revoked EventReport are not actionable and exist merely to inform other instances of a revocation.  </p>
-<p id="rfc.section.2.8.9.p.2">deleted is represented by a JSON boolean. deleted MUST be present.  </p>
-<h1 id="rfc.section.2.9">
-<a href="#rfc.section.2.9">2.9.</a> <a href="#tag" id="tag">Tag</a>
-</h1>
-<p id="rfc.section.2.9.p.1">A tag is a simple method to classify an event with a simple string. The tag name can be freely chosen. The tag name can be also chosen from a fixed machine-tag vocabulary called MISP taxonomies[<a href="#MISP-T" class="xref">[MISP-T]</a>]. When an event is distributed outside an organisation, the use of MISP taxonomies[<a href="#MISP-T" class="xref">[MISP-T]</a>] is RECOMMENDED to ensure a coherent naming of the tags. A tag is represented as a JSON array where each element describes each tag associated. A tag array SHALL be at event level or attribute level. A tag element is described with a name, id, colour and exportable flag.  </p>
-<p id="rfc.section.2.9.p.2">exportable represents a setting if the tag is kept local or exportable to other MISP instances. exportable is represented by a JSON boolean. id is a human-readable identifier that references the tag on the local instance. colour represents an RGB value of the tag.  </p>
-<p id="rfc.section.2.9.p.3">name MUST be present. colour, id and exportable SHALL be present.  </p>
-<h1 id="rfc.section.2.9.1">
-<a href="#rfc.section.2.9.1">2.9.1.</a> <a href="#sample-tag" id="sample-tag">Sample Tag</a>
-</h1>
-<pre>
-"Tag": [{
+</section>
+</div>
+<div id="sharing-group-id-3">
+<section id="section-2.7.7">
+          <h4 id="name-sharing_group_id-4">
+<a href="#section-2.7.7" class="section-number selfRef">2.7.7. </a><a href="#name-sharing_group_id-4" class="section-name selfRef">sharing_group_id</a>
+          </h4>
+<p id="section-2.7.7-1">sharing_group_id represents the local id to the MISP local instance of the Sharing Group associated for the distribution.<a href="#section-2.7.7-1" class="pilcrow">¶</a></p>
+<p id="section-2.7.7-2">sharing_group_id is represented by a JSON string. sharing_group_id <span class="bcp14">MUST</span> be present and set to "0" if not used.<a href="#section-2.7.7-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="timestamp-5">
+<section id="section-2.7.8">
+          <h4 id="name-timestamp-6">
+<a href="#section-2.7.8" class="section-number selfRef">2.7.8. </a><a href="#name-timestamp-6" class="section-name selfRef">timestamp</a>
+          </h4>
+<p id="section-2.7.8-1">timestamp represents a reference time when the EventReport was created or last modified. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone <span class="bcp14">MUST</span> be UTC.<a href="#section-2.7.8-1" class="pilcrow">¶</a></p>
+<p id="section-2.7.8-2">timestamp is represented as a JSON string. timestamp <span class="bcp14">MUST</span> be present.<a href="#section-2.7.8-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="deleted-4">
+<section id="section-2.7.9">
+          <h4 id="name-deleted-5">
+<a href="#section-2.7.9" class="section-number selfRef">2.7.9. </a><a href="#name-deleted-5" class="section-name selfRef">deleted</a>
+          </h4>
+<p id="section-2.7.9-1">deleted represents a setting that allows EventReport to be revoked. Revoked EventReport are not actionable and exist merely to inform other instances of a revocation.<a href="#section-2.7.9-1" class="pilcrow">¶</a></p>
+<p id="section-2.7.9-2">deleted is represented by a JSON boolean. deleted <span class="bcp14">MUST</span> be present.<a href="#section-2.7.9-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+</section>
+</div>
+<div id="tag">
+<section id="section-2.8">
+        <h3 id="name-tag">
+<a href="#section-2.8" class="section-number selfRef">2.8. </a><a href="#name-tag" class="section-name selfRef">Tag</a>
+        </h3>
+<p id="section-2.8-1">A tag is a simple method to classify an event with a simple string. The tag name can be freely chosen. The tag name can be also chosen from a fixed machine-tag vocabulary called MISP taxonomies[<span>[<a href="#MISP-T" class="xref">MISP-T</a>]</span>]. When an event is distributed outside an organisation, the use of MISP taxonomies[<span>[<a href="#MISP-T" class="xref">MISP-T</a>]</span>] is <span class="bcp14">RECOMMENDED</span> to ensure a coherent naming of the tags. A tag is represented as a JSON array where each element describes each tag associated. A tag array <span class="bcp14">SHALL</span> be at event level or attribute level. A tag element is described with a name, id, colour and exportable flag.<a href="#section-2.8-1" class="pilcrow">¶</a></p>
+<p id="section-2.8-2">exportable represents a setting if the tag is kept local or exportable to other MISP instances. exportable is represented by a JSON boolean. id is a human-readable identifier that references the tag on the local instance. colour represents an RGB value of the tag.<a href="#section-2.8-2" class="pilcrow">¶</a></p>
+<p id="section-2.8-3">name <span class="bcp14">MUST</span> be present. colour, id and exportable <span class="bcp14">SHALL</span> be present.<a href="#section-2.8-3" class="pilcrow">¶</a></p>
+<div id="sample-tag">
+<section id="section-2.8.1">
+          <h4 id="name-sample-tag">
+<a href="#section-2.8.1" class="section-number selfRef">2.8.1. </a><a href="#name-sample-tag" class="section-name selfRef">Sample Tag</a>
+          </h4>
+<div class="alignLeft art-text artwork" id="section-2.8.1-1">
+<pre>"Tag": [{
         "exportable": true,
         "colour": "#ffffff",
         "name": "tlp:white",
         "id": "2" }]
-</pre>
-<h1 id="rfc.section.2.10">
-<a href="#rfc.section.2.10">2.10.</a> <a href="#sighting" id="sighting">Sighting</a>
-</h1>
-<p id="rfc.section.2.10.p.1">A sighting is an ascertainment which describes whether an attribute has been seen under a given set of conditions. The sighting can include the organisation who sighted the attribute or can be anonymised. Sighting is composed of a JSON array in which each element describes one singular instance of a sighting. A sighting element is a JSON object composed of the following values: </p>
-<p id="rfc.section.2.10.p.2">type MUST be present. type describes the type of a sighting. MISP allows 3 default types: </p>
-<table cellpadding="3" cellspacing="0" class="tt full center">
-<thead><tr>
-<th class="center">Sighting type</th>
-<th class="center">Description</th>
-</tr></thead>
-<tbody>
-<tr>
-<td class="center">0</td>
-<td class="center">denotes an attribute which has been seen</td>
-</tr>
-<tr>
-<td class="center">1</td>
-<td class="center">denotes an attribute which has been seen and confirmed as false-positive</td>
-</tr>
-<tr>
-<td class="center">2</td>
-<td class="center">denotes an attribute which will be expired at the time of the sighting</td>
-</tr>
-</tbody>
-</table>
-<p id="rfc.section.2.10.p.3">uuid MUST be present. uuid references the uuid of the sighted attribute.  </p>
-<p id="rfc.section.2.10.p.4">date_sighting MUST be present. date_sighting is expressed in seconds (decimal) elapsed since 1st of January 1970 (Unix timestamp). date_sighting represents when the referenced attribute, designated by its uuid, is sighted.  </p>
-<p id="rfc.section.2.10.p.5">source MAY be present. source is represented as a JSON string and represents the human-readable version of the sighting source, which can be a given piece of software (e.g. SIEM), device or a specific analytical process.  </p>
-<p id="rfc.section.2.10.p.6">id, event_id and attribute_id MAY be present.  </p>
-<p id="rfc.section.2.10.p.7">id represents the human-readable identifier of the sighting reference which belongs to a specific MISP instance.  event_id represents the human-readable identifier of the event referenced by the sighting and belongs to a specific MISP instance.  attribute_id represents the human-readable identifier of the attribute referenced by the sighting and belongs to a specific MISP instance.  </p>
-<p id="rfc.section.2.10.p.8">org_id MAY be present along the JSON object describing the organisation. If the org_id is not present, the sighting is considered as anonymised.  </p>
-<p id="rfc.section.2.10.p.9">org_id represents the human-readable identifier of the organisation which did the sighting and belongs to a specific MISP instance.  </p>
-<p id="rfc.section.2.10.p.10">A human-readable identifier MUST be represented as an unsigned integer.  </p>
-<h1 id="rfc.section.2.10.1">
-<a href="#rfc.section.2.10.1">2.10.1.</a> <a href="#sample-sighting" id="sample-sighting">Sample Sighting</a>
-</h1>
-<pre>
-"Sighting": [
-		   {
-				"id": "13599",
-				"attribute_id": "1201615",
-				"event_id": "10164",
-				"org_id": "2",
-				"date_sighting": "1517581400",
-				"uuid": "5a747459-41b4-4826-9b29-42dd950d210f",
-				"source": "M2M-CIRCL",
-				"type": "0",
-				"Organisation": {
-					"id": "2",
-					"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f",
-					"name": "CIRCL"
-				}
-			},
-			{
-				"id": "13601",
-				"attribute_id": "1201615",
-				"event_id": "10164",
-				"org_id": "2",
-				"date_sighting": "1517581401",
-				"uuid": "5a74745a-a190-4d04-b719-4916950d210f",
-				"source": "M2M-CIRCL",
-				"type": "0",
-				"Organisation": {
-					"id": "2",
-					"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f",
-					"name": "CIRCL"
-				}
-			}
-		]
-</pre>
-<h1 id="rfc.section.2.11">
-<a href="#rfc.section.2.11">2.11.</a> <a href="#galaxy" id="galaxy">Galaxy</a>
-</h1>
-<p id="rfc.section.2.11.p.1">A galaxy is a simple method to express a large object called cluster that can be attached to MISP events. A cluster can be composed of one or more elements. Elements are expressed as key-values.  </p>
-<h1 id="rfc.section.2.11.1">
-<a href="#rfc.section.2.11.1">2.11.1.</a> <a href="#sample-galaxy" id="sample-galaxy">Sample Galaxy</a>
-</h1>
-<pre>
-"Galaxy": [ {
+</pre><a href="#section-2.8.1-1" class="pilcrow">¶</a>
+</div>
+</section>
+</div>
+</section>
+</div>
+<div id="sighting">
+<section id="section-2.9">
+        <h3 id="name-sighting">
+<a href="#section-2.9" class="section-number selfRef">2.9. </a><a href="#name-sighting" class="section-name selfRef">Sighting</a>
+        </h3>
+<p id="section-2.9-1">A sighting is an ascertainment which describes whether an attribute has been seen under a given set of conditions. The sighting can include the organisation who sighted the attribute or can
+be anonymised. Sighting is composed of a JSON array in which each element describes one singular instance of a sighting. A sighting element is a JSON object composed of the following values:<a href="#section-2.9-1" class="pilcrow">¶</a></p>
+<p id="section-2.9-2">type <span class="bcp14">MUST</span> be present. type describes the type of a sighting. MISP allows 3 default types:<a href="#section-2.9-2" class="pilcrow">¶</a></p>
+<table class="center" id="table-1">
+          <caption><a href="#table-1" class="selfRef">Table 1</a></caption>
+<thead>
+            <tr>
+              <th class="text-left" rowspan="1" colspan="1">Sighting type</th>
+              <th class="text-center" rowspan="1" colspan="1">Description</th>
+            </tr>
+          </thead>
+          <tbody>
+            <tr>
+              <td class="text-left" rowspan="1" colspan="1">0</td>
+              <td class="text-center" rowspan="1" colspan="1">denotes an attribute which has been seen</td>
+            </tr>
+            <tr>
+              <td class="text-left" rowspan="1" colspan="1">1</td>
+              <td class="text-center" rowspan="1" colspan="1">denotes an attribute which has been seen and confirmed as false-positive</td>
+            </tr>
+            <tr>
+              <td class="text-left" rowspan="1" colspan="1">2</td>
+              <td class="text-center" rowspan="1" colspan="1">denotes an attribute which will be expired at the time of the sighting</td>
+            </tr>
+          </tbody>
+        </table>
+<p id="section-2.9-4">uuid <span class="bcp14">MUST</span> be present. uuid references the uuid of the sighted attribute.<a href="#section-2.9-4" class="pilcrow">¶</a></p>
+<p id="section-2.9-5">date_sighting <span class="bcp14">MUST</span> be present. date_sighting is expressed in seconds (decimal) elapsed since 1st of January 1970 (Unix timestamp). date_sighting represents when the referenced attribute, designated by its uuid, is sighted.<a href="#section-2.9-5" class="pilcrow">¶</a></p>
+<p id="section-2.9-6">source <span class="bcp14">MAY</span> be present. source is represented as a JSON string and represents the human-readable version of the sighting source, which can be a given piece of software (e.g. SIEM), device or a specific analytical process.<a href="#section-2.9-6" class="pilcrow">¶</a></p>
+<p id="section-2.9-7">id, event_id and attribute_id are represented as a JSON string and <span class="bcp14">MAY</span> be present.<a href="#section-2.9-7" class="pilcrow">¶</a></p>
+<p id="section-2.9-8">id represents the human-readable identifier of the sighting reference which belongs to a specific MISP instance.
+event_id represents the human-readable identifier of the event referenced by the sighting and belongs to a specific MISP instance.
+attribute_id represents the human-readable identifier of the attribute referenced by the sighting and belongs to a specific MISP instance.<a href="#section-2.9-8" class="pilcrow">¶</a></p>
+<p id="section-2.9-9">org_id <span class="bcp14">MAY</span> be present along the JSON object describing the organisation. If the org_id is not present, the sighting is considered as anonymised.<a href="#section-2.9-9" class="pilcrow">¶</a></p>
+<p id="section-2.9-10">org_id represents the human-readable identifier of the organisation which did the sighting and belongs to a specific MISP instance.<a href="#section-2.9-10" class="pilcrow">¶</a></p>
+<p id="section-2.9-11">A human-readable identifier <span class="bcp14">MUST</span> be considered as an unsigned integer.<a href="#section-2.9-11" class="pilcrow">¶</a></p>
+<div id="sample-sighting">
+<section id="section-2.9.1">
+          <h4 id="name-sample-sighting">
+<a href="#section-2.9.1" class="section-number selfRef">2.9.1. </a><a href="#name-sample-sighting" class="section-name selfRef">Sample Sighting</a>
+          </h4>
+<div class="alignLeft art-text artwork" id="section-2.9.1-1">
+<pre>"Sighting": [
+                   {
+                                "id": "13599",
+                                "attribute_id": "1201615",
+                                "event_id": "10164",
+                                "org_id": "2",
+                                "date_sighting": "1517581400",
+                                "uuid": "5a747459-41b4-4826-9b29-42dd950d210f",
+                                "source": "M2M-CIRCL",
+                                "type": "0",
+                                "Organisation": {
+                                        "id": "2",
+                                        "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f",
+                                        "name": "CIRCL"
+                                }
+                        },
+                        {
+                                "id": "13601",
+                                "attribute_id": "1201615",
+                                "event_id": "10164",
+                                "org_id": "2",
+                                "date_sighting": "1517581401",
+                                "uuid": "5a74745a-a190-4d04-b719-4916950d210f",
+                                "source": "M2M-CIRCL",
+                                "type": "0",
+                                "Organisation": {
+                                        "id": "2",
+                                        "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f",
+                                        "name": "CIRCL"
+                                }
+                        }
+                ]
+</pre><a href="#section-2.9.1-1" class="pilcrow">¶</a>
+</div>
+</section>
+</div>
+</section>
+</div>
+<div id="galaxy">
+<section id="section-2.10">
+        <h3 id="name-galaxy">
+<a href="#section-2.10" class="section-number selfRef">2.10. </a><a href="#name-galaxy" class="section-name selfRef">Galaxy</a>
+        </h3>
+<p id="section-2.10-1">A galaxy is a simple method to express a large object called cluster that can be attached to MISP events. A cluster can be composed of one or more elements. Elements are expressed as key-values.<a href="#section-2.10-1" class="pilcrow">¶</a></p>
+<div id="sample-galaxy">
+<section id="section-2.10.1">
+          <h4 id="name-sample-galaxy">
+<a href="#section-2.10.1" class="section-number selfRef">2.10.1. </a><a href="#name-sample-galaxy" class="section-name selfRef">Sample Galaxy</a>
+          </h4>
+<div class="alignLeft art-text artwork" id="section-2.10.1-1">
+<pre>"Galaxy": [ {
            "id": "18",
            "uuid": "698774c7-8022-42c4-917f-8d6e4f06ada3",
            "name": "Threat Actor",
@@ -1609,13 +3030,24 @@
                 ]
             }
         ]
-</pre>
-<h1 id="rfc.section.3">
-<a href="#rfc.section.3">3.</a> <a href="#json-schema" id="json-schema">JSON Schema</a>
-</h1>
-<p id="rfc.section.3.p.1">The JSON Schema <a href="#JSON-SCHEMA" class="xref">[JSON-SCHEMA]</a> below defines the structure of the MISP core format as literally described before. The JSON Schema is used to validate MISP events at creation time or parsing.  </p>
-<pre>
-{
+</pre><a href="#section-2.10.1-1" class="pilcrow">¶</a>
+</div>
+</section>
+</div>
+</section>
+</div>
+</section>
+</div>
+<div id="json-schema">
+<section id="section-3">
+      <h2 id="name-json-schema">
+<a href="#section-3" class="section-number selfRef">3. </a><a href="#name-json-schema" class="section-name selfRef">JSON Schema</a>
+      </h2>
+<p id="section-3-1">The JSON Schema <span>[<a href="#JSON-SCHEMA" class="xref">JSON-SCHEMA</a>]</span> below defines the structure of the MISP core format
+as literally described before. The JSON Schema is used to validate MISP events at creation time
+or parsing.<a href="#section-3-1" class="pilcrow">¶</a></p>
+<div class="alignLeft art-text artwork" id="section-3-2">
+<pre>{
   "$schema": "http://json-schema.org/draft-04/schema#",
   "title": "Validator for misp events",
   "id": "https://github.com/MISP/MISP/blob/2.4/format/2.4/schema.json",
@@ -2289,44 +3721,58 @@
     "Event"
   ]
 }
-</pre>
-<h1 id="rfc.section.4">
-<a href="#rfc.section.4">4.</a> <a href="#manifest" id="manifest">Manifest</a>
-</h1>
-<p id="rfc.section.4.p.1">MISP events can be shared over an HTTP repository, a file package or USB key. A manifest file is used to provide an index of MISP events allowing to only fetch the recently updated files without the need to parse each json file.  </p>
-<h1 id="rfc.section.4.1">
-<a href="#rfc.section.4.1">4.1.</a> <a href="#format-1" id="format-1">Format</a>
-</h1>
-<p id="rfc.section.4.1.p.1">A manifest file is a simple JSON file named manifest.json in a directory where the MISP events are located.  Each MISP event is a file located in the same directory with the event uuid as filename with the json extension.  </p>
-<p id="rfc.section.4.1.p.2">The manifest format is a JSON object composed of a dictionary where the field is the uuid of the event.  </p>
-<p id="rfc.section.4.1.p.3">Each uuid is composed of a JSON object with the following fields which came from the original event referenced by the same uuid: </p>
-<p></p>
-
-<ul>
-<li>info (MUST)</li>
-<li>Orgc object (MUST)</li>
-<li>analysis (SHALL)</li>
-<li>timestamp (MUST)</li>
-<li>date (MUST)</li>
-<li>threat_level_id (SHALL)</li>
-</ul>
-
-<p> </p>
-<p id="rfc.section.4.1.p.5">In addition to the fields originating from the event, the following fields can be added: </p>
-<p></p>
-
-<ul>
-<li>integrity:sha256 represents the SHA256 value in hexadecimal representation of the associated MISP event file to ensure integrity of the file. (SHOULD)</li>
-<li>integrity:pgp represents a detached PGP signature <a href="#RFC4880" class="xref">[RFC4880]</a> of the associated MISP event file to ensure integrity of the file. (SHOULD)</li>
-</ul>
-
-<p> </p>
-<p id="rfc.section.4.1.p.7">If a detached PGP signature is used for each MISP event, a detached PGP signature is a MUST to ensure integrity of the manifest file.  A detached PGP signature for a manifest file is a manifest.json.asc file containing the PGP signature.  </p>
-<h1 id="rfc.section.4.1.1">
-<a href="#rfc.section.4.1.1">4.1.1.</a> <a href="#sample-manifest" id="sample-manifest">Sample Manifest</a>
-</h1>
-<pre>
-{
+</pre><a href="#section-3-2" class="pilcrow">¶</a>
+</div>
+</section>
+</div>
+<div id="manifest">
+<section id="section-4">
+      <h2 id="name-manifest">
+<a href="#section-4" class="section-number selfRef">4. </a><a href="#name-manifest" class="section-name selfRef">Manifest</a>
+      </h2>
+<p id="section-4-1">MISP events can be shared over an HTTP repository, a file package or USB key. A manifest file is used to
+provide an index of MISP events allowing to only fetch the recently updated files without the need to parse
+each json file.<a href="#section-4-1" class="pilcrow">¶</a></p>
+<div id="format-1">
+<section id="section-4.1">
+        <h3 id="name-format-2">
+<a href="#section-4.1" class="section-number selfRef">4.1. </a><a href="#name-format-2" class="section-name selfRef">Format</a>
+        </h3>
+<p id="section-4.1-1">A manifest file is a simple JSON file named manifest.json in a directory where the MISP events are located.
+Each MISP event is a file located in the same directory with the event uuid as filename with the json extension.<a href="#section-4.1-1" class="pilcrow">¶</a></p>
+<p id="section-4.1-2">The manifest format is a JSON object composed of a dictionary where the field is the uuid of the event.<a href="#section-4.1-2" class="pilcrow">¶</a></p>
+<p id="section-4.1-3">Each uuid is composed of a JSON object with the following fields which came from the original event referenced
+by the same uuid:<a href="#section-4.1-3" class="pilcrow">¶</a></p>
+<ul class="compact">
+<li class="compact" id="section-4.1-4.1">info (<span class="bcp14">MUST</span>)<a href="#section-4.1-4.1" class="pilcrow">¶</a>
+</li>
+          <li class="compact" id="section-4.1-4.2">Orgc object (<span class="bcp14">MUST</span>)<a href="#section-4.1-4.2" class="pilcrow">¶</a>
+</li>
+          <li class="compact" id="section-4.1-4.3">analysis (<span class="bcp14">SHALL</span>)<a href="#section-4.1-4.3" class="pilcrow">¶</a>
+</li>
+          <li class="compact" id="section-4.1-4.4">timestamp (<span class="bcp14">MUST</span>)<a href="#section-4.1-4.4" class="pilcrow">¶</a>
+</li>
+          <li class="compact" id="section-4.1-4.5">date (<span class="bcp14">MUST</span>)<a href="#section-4.1-4.5" class="pilcrow">¶</a>
+</li>
+          <li class="compact" id="section-4.1-4.6">threat_level_id (<span class="bcp14">SHALL</span>)<a href="#section-4.1-4.6" class="pilcrow">¶</a>
+</li>
+        </ul>
+<p id="section-4.1-5">In addition to the fields originating from the event, the following fields can be added:<a href="#section-4.1-5" class="pilcrow">¶</a></p>
+<ul class="compact">
+<li class="compact" id="section-4.1-6.1">integrity:sha256 represents the SHA256 value in hexadecimal representation of the associated MISP event file to ensure integrity of the file. (<span class="bcp14">SHOULD</span>)<a href="#section-4.1-6.1" class="pilcrow">¶</a>
+</li>
+          <li class="compact" id="section-4.1-6.2">integrity:pgp represents a detached PGP signature <span>[<a href="#RFC4880" class="xref">RFC4880</a>]</span> of the associated MISP event file to ensure integrity of the file. (<span class="bcp14">SHOULD</span>)<a href="#section-4.1-6.2" class="pilcrow">¶</a>
+</li>
+        </ul>
+<p id="section-4.1-7">If a detached PGP signature is used for each MISP event, a detached PGP signature is a <span class="bcp14">MUST</span> to ensure integrity of the manifest file.
+A detached PGP signature for a manifest file is a manifest.json.asc file containing the PGP signature.<a href="#section-4.1-7" class="pilcrow">¶</a></p>
+<div id="sample-manifest">
+<section id="section-4.1.1">
+          <h4 id="name-sample-manifest">
+<a href="#section-4.1.1" class="section-number selfRef">4.1.1. </a><a href="#name-sample-manifest" class="section-name selfRef">Sample Manifest</a>
+          </h4>
+<div class="alignLeft art-text artwork" id="section-4.1.1-1">
+<pre>{
   "57c6ac4c-c60c-4f79-a38f-b666950d210f": {
     "info": "Malspam 2016-08-31 (.wsf in .zip) - campaign: Photo",
     "Orgc": {
@@ -2375,123 +3821,148 @@
     "threat_level_id": "3"
   }
 }
-</pre>
-<h1 id="rfc.section.5">
-<a href="#rfc.section.5">5.</a> <a href="#implementation" id="implementation">Implementation</a>
-</h1>
-<p id="rfc.section.5.p.1">MISP format is implemented by different software including the MISP threat sharing platform and libraries like PyMISP <a href="#MISP-P" class="xref">[MISP-P]</a>. Implementations use the format as an export/import mechanism, staging transport format or synchronisation format as used in the MISP core platform. MISP format doesn't impose any restriction on the data representation of the format in data-structure of other implementations.  </p>
-<h1 id="rfc.section.6">
-<a href="#rfc.section.6">6.</a> <a href="#security-considerations" id="security-considerations">Security Considerations</a>
-</h1>
-<p id="rfc.section.6.p.1">MISP events might contain sensitive or confidential information. Adequate access control and encryption measures shall be implemented to ensure the confidentiality of the MISP events.  </p>
-<p id="rfc.section.6.p.2">Adversaries might include malicious content in MISP events and attributes.  Implementation MUST consider the input of malicious inputs beside the standard threat information that might already include malicious intended inputs.  </p>
-<h1 id="rfc.section.7">
-<a href="#rfc.section.7">7.</a> <a href="#acknowledgements" id="acknowledgements">Acknowledgements</a>
-</h1>
-<p id="rfc.section.7.p.1">The authors wish to thank all the MISP community who are supporting the creation of open standards in threat intelligence sharing. A special thank to Nicolas Bareil for the review of the JSON Schema.  </p>
-<h1 id="rfc.section.8">
-<a href="#rfc.section.8">8.</a> <a href="#references" id="references">References</a>
-</h1>
-<h1 id="rfc.references">
-<a href="#rfc.references">9.</a> References</h1>
-<h1 id="rfc.references.1">
-<a href="#rfc.references.1">9.1.</a> Normative References</h1>
-<table><tbody>
-<tr>
-<td class="reference"><b id="RFC2119">[RFC2119]</b></td>
-<td class="top">
-<a>Bradner, S.</a>, "<a href="https://tools.ietf.org/html/rfc2119">Key words for use in RFCs to Indicate Requirement Levels</a>", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.</td>
-</tr>
-<tr>
-<td class="reference"><b id="RFC4122">[RFC4122]</b></td>
-<td class="top">
-<a>Leach, P.</a>, <a>Mealling, M.</a> and <a>R. Salz</a>, "<a href="https://tools.ietf.org/html/rfc4122">A Universally Unique IDentifier (UUID) URN Namespace</a>", RFC 4122, DOI 10.17487/RFC4122, July 2005.</td>
-</tr>
-<tr>
-<td class="reference"><b id="RFC4880">[RFC4880]</b></td>
-<td class="top">
-<a>Callas, J.</a>, <a>Donnerhacke, L.</a>, <a>Finney, H.</a>, <a>Shaw, D.</a> and <a>R. Thayer</a>, "<a href="https://tools.ietf.org/html/rfc4880">OpenPGP Message Format</a>", RFC 4880, DOI 10.17487/RFC4880, November 2007.</td>
-</tr>
-<tr>
-<td class="reference"><b id="RFC8259">[RFC8259]</b></td>
-<td class="top">
-<a>Bray, T.</a>, "<a href="https://tools.ietf.org/html/rfc8259">The JavaScript Object Notation (JSON) Data Interchange Format</a>", STD 90, RFC 8259, DOI 10.17487/RFC8259, December 2017.</td>
-</tr>
-</tbody></table>
-<h1 id="rfc.references.2">
-<a href="#rfc.references.2">9.2.</a> Informative References</h1>
-<table><tbody>
-<tr>
-<td class="reference"><b id="JSON-SCHEMA">[JSON-SCHEMA]</b></td>
-<td class="top">
-<a></a>, "<a href="https://tools.ietf.org/html/draft-wright-json-schema">JSON Schema: A Media Type for Describing JSON Documents</a>", 2016.</td>
-</tr>
-<tr>
-<td class="reference"><b id="MISP-P">[MISP-P]</b></td>
-<td class="top">
-<a>MISP</a>, "<a href="https://github.com/MISP">MISP Project - Open Source Threat Intelligence Platform and Open Standards For Threat Information Sharing</a>"</td>
-</tr>
-<tr>
-<td class="reference"><b id="MISP-R">[MISP-R]</b></td>
-<td class="top">
-<a>MISP</a>, "<a href="https://github.com/MISP/misp-objects/tree/master/relationships">MISP Object Relationship Types - common vocabulary of relationships</a>"</td>
-</tr>
-<tr>
-<td class="reference"><b id="MISP-T">[MISP-T]</b></td>
-<td class="top">
-<a>MISP</a>, "<a href="https://github.com/MISP/misp-taxonomies">MISP Taxonomies - shared and common vocabularies of tags</a>"</td>
-</tr>
-</tbody></table>
-<h1 id="rfc.authors"><a href="#rfc.authors">Authors' Addresses</a></h1>
-<div class="avoidbreak">
-  <address class="vcard">
-	<span class="vcardline">
-	  <span class="fn">Alexandre Dulaunoy</span> 
-	  <span class="n hidden">
-		<span class="family-name">Dulaunoy</span>
-	  </span>
-	</span>
-	<span class="org vcardline">Computer Incident Response Center Luxembourg</span>
-	<span class="adr">
-	  <span class="vcardline">16, bd d'Avranches</span>
-
-	  <span class="vcardline">
-		<span class="locality">Luxembourg</span>,  
-		<span class="region"></span>
-		<span class="code">L-1160</span>
-	  </span>
-	  <span class="country-name vcardline">Luxembourg</span>
-	</span>
-	<span class="vcardline">Phone: +352 247 88444</span>
-
-<span class="vcardline">EMail: <a href="mailto:alexandre.dulaunoy@circl.lu">alexandre.dulaunoy@circl.lu</a></span>
-
-  </address>
-</div><div class="avoidbreak">
-  <address class="vcard">
-	<span class="vcardline">
-	  <span class="fn">Andras Iklody</span> 
-	  <span class="n hidden">
-		<span class="family-name">Iklody</span>
-	  </span>
-	</span>
-	<span class="org vcardline">Computer Incident Response Center Luxembourg</span>
-	<span class="adr">
-	  <span class="vcardline">16, bd d'Avranches</span>
-
-	  <span class="vcardline">
-		<span class="locality">Luxembourg</span>,  
-		<span class="region"></span>
-		<span class="code">L-1160</span>
-	  </span>
-	  <span class="country-name vcardline">Luxembourg</span>
-	</span>
-	<span class="vcardline">Phone: +352 247 88444</span>
-
-<span class="vcardline">EMail: <a href="mailto:andras.iklody@circl.lu">andras.iklody@circl.lu</a></span>
-
-  </address>
+</pre><a href="#section-4.1.1-1" class="pilcrow">¶</a>
 </div>
-
+</section>
+</div>
+</section>
+</div>
+</section>
+</div>
+<div id="implementation">
+<section id="section-5">
+      <h2 id="name-implementation">
+<a href="#section-5" class="section-number selfRef">5. </a><a href="#name-implementation" class="section-name selfRef">Implementation</a>
+      </h2>
+<p id="section-5-1">MISP format is implemented by different software including the MISP threat sharing
+platform and libraries like PyMISP <span>[<a href="#MISP-P" class="xref">MISP-P</a>]</span>. Implementations use the format
+as an export/import mechanism, staging transport format or synchronisation format
+as used in the MISP core platform. MISP format doesn't impose any restriction on
+the data representation of the format in data-structure of other implementations.<a href="#section-5-1" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="security-considerations">
+<section id="section-6">
+      <h2 id="name-security-considerations">
+<a href="#section-6" class="section-number selfRef">6. </a><a href="#name-security-considerations" class="section-name selfRef">Security Considerations</a>
+      </h2>
+<p id="section-6-1">MISP events might contain sensitive or confidential information. Adequate
+access control and encryption measures shall be implemented to ensure
+the confidentiality of the MISP events.<a href="#section-6-1" class="pilcrow">¶</a></p>
+<p id="section-6-2">Adversaries might include malicious content in MISP events and attributes.
+Implementation <span class="bcp14">MUST</span> consider the input of malicious inputs beside the
+standard threat information that might already include malicious intended inputs.<a href="#section-6-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="acknowledgements">
+<section id="section-7">
+      <h2 id="name-acknowledgements">
+<a href="#section-7" class="section-number selfRef">7. </a><a href="#name-acknowledgements" class="section-name selfRef">Acknowledgements</a>
+      </h2>
+<p id="section-7-1">The authors wish to thank all the MISP community who are supporting the creation
+of open standards in threat intelligence sharing. A special thank to Nicolas Bareil
+for the review of the JSON Schema.<a href="#section-7-1" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="references">
+<section id="section-8">
+      <h2 id="name-references">
+<a href="#section-8" class="section-number selfRef">8. </a><a href="#name-references" class="section-name selfRef">References</a>
+    </h2>
+</section>
+</div>
+<section id="section-9">
+      <h2 id="name-normative-references">
+<a href="#section-9" class="section-number selfRef">9. </a><a href="#name-normative-references" class="section-name selfRef">Normative References</a>
+      </h2>
+<dl class="references">
+<dt id="RFC2119">[RFC2119]</dt>
+      <dd>
+<span class="refAuthor">Bradner, S.</span>, <span class="refTitle">"Key words for use in RFCs to Indicate Requirement Levels"</span>, <span class="seriesInfo">BCP 14</span>, <span class="seriesInfo">RFC 2119</span>, <span class="seriesInfo">DOI 10.17487/RFC2119</span>, <time datetime="1997-03" class="refDate">March 1997</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc2119">https://www.rfc-editor.org/info/rfc2119</a>&gt;</span>. </dd>
+<dd class="break"></dd>
+<dt id="RFC4122">[RFC4122]</dt>
+      <dd>
+<span class="refAuthor">Leach, P.</span>, <span class="refAuthor">Mealling, M.</span>, and <span class="refAuthor">R. Salz</span>, <span class="refTitle">"A Universally Unique IDentifier (UUID) URN Namespace"</span>, <span class="seriesInfo">RFC 4122</span>, <span class="seriesInfo">DOI 10.17487/RFC4122</span>, <time datetime="2005-07" class="refDate">July 2005</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc4122">https://www.rfc-editor.org/info/rfc4122</a>&gt;</span>. </dd>
+<dd class="break"></dd>
+<dt id="RFC4880">[RFC4880]</dt>
+      <dd>
+<span class="refAuthor">Callas, J.</span>, <span class="refAuthor">Donnerhacke, L.</span>, <span class="refAuthor">Finney, H.</span>, <span class="refAuthor">Shaw, D.</span>, and <span class="refAuthor">R. Thayer</span>, <span class="refTitle">"OpenPGP Message Format"</span>, <span class="seriesInfo">RFC 4880</span>, <span class="seriesInfo">DOI 10.17487/RFC4880</span>, <time datetime="2007-11" class="refDate">November 2007</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc4880">https://www.rfc-editor.org/info/rfc4880</a>&gt;</span>. </dd>
+<dd class="break"></dd>
+<dt id="RFC8259">[RFC8259]</dt>
+    <dd>
+<span class="refAuthor">Bray, T., Ed.</span>, <span class="refTitle">"The JavaScript Object Notation (JSON) Data Interchange Format"</span>, <span class="seriesInfo">STD 90</span>, <span class="seriesInfo">RFC 8259</span>, <span class="seriesInfo">DOI 10.17487/RFC8259</span>, <time datetime="2017-12" class="refDate">December 2017</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc8259">https://www.rfc-editor.org/info/rfc8259</a>&gt;</span>. </dd>
+<dd class="break"></dd>
+</dl>
+</section>
+<section id="section-10">
+      <h2 id="name-informative-references">
+<a href="#section-10" class="section-number selfRef">10. </a><a href="#name-informative-references" class="section-name selfRef">Informative References</a>
+      </h2>
+<dl class="references">
+<dt id="JSON-SCHEMA">[JSON-SCHEMA]</dt>
+      <dd>
+<span class="refAuthor">Wright, A.</span>, <span class="refTitle">"JSON Schema: A Media Type for Describing JSON Documents"</span>, <time datetime="2016" class="refDate">2016</time>, <span>&lt;<a href="https://tools.ietf.org/html/draft-wright-json-schema">https://tools.ietf.org/html/draft-wright-json-schema</a>&gt;</span>. </dd>
+<dd class="break"></dd>
+<dt id="MISP-P">[MISP-P]</dt>
+      <dd>
+<span class="refAuthor">Community, M.</span>, <span class="refTitle">"MISP Project - Open Source Threat Intelligence Platform and Open Standards For Threat Information Sharing"</span>, <span>&lt;<a href="https://github.com/MISP">https://github.com/MISP</a>&gt;</span>. </dd>
+<dd class="break"></dd>
+<dt id="MISP-R">[MISP-R]</dt>
+      <dd>
+<span class="refAuthor">Community, M.</span>, <span class="refTitle">"MISP Object Relationship Types - common vocabulary of relationships"</span>, <span>&lt;<a href="https://github.com/MISP/misp-objects/tree/master/relationships">https://github.com/MISP/misp-objects/tree/master/relationships</a>&gt;</span>. </dd>
+<dd class="break"></dd>
+<dt id="MISP-T">[MISP-T]</dt>
+    <dd>
+<span class="refAuthor">Community, M.</span>, <span class="refTitle">"MISP Taxonomies - shared and common vocabularies of tags"</span>, <span>&lt;<a href="https://github.com/MISP/misp-taxonomies">https://github.com/MISP/misp-taxonomies</a>&gt;</span>. </dd>
+<dd class="break"></dd>
+</dl>
+</section>
+<div id="authors-addresses">
+<section id="appendix-A">
+      <h2 id="name-authors-addresses">
+<a href="#name-authors-addresses" class="section-name selfRef">Authors' Addresses</a>
+      </h2>
+<address class="vcard">
+        <div dir="auto" class="left"><span class="fn nameRole">Alexandre Dulaunoy</span></div>
+<div dir="auto" class="left"><span class="org">Computer Incident Response Center Luxembourg</span></div>
+<div dir="auto" class="left"><span class="street-address">16, bd d'Avranches</span></div>
+<div dir="auto" class="left">L-<span class="postal-code">L-1160</span> <span class="locality">Luxembourg</span>
+</div>
+<div dir="auto" class="left"><span class="country-name">Luxembourg</span></div>
+<div class="tel">
+<span>Phone:</span>
+<a href="tel:+352%20247%2088444" class="tel">+352 247 88444</a>
+</div>
+<div class="email">
+<span>Email:</span>
+<a href="mailto:alexandre.dulaunoy@circl.lu" class="email">alexandre.dulaunoy@circl.lu</a>
+</div>
+</address>
+<address class="vcard">
+        <div dir="auto" class="left"><span class="fn nameRole">Andras Iklody</span></div>
+<div dir="auto" class="left"><span class="org">Computer Incident Response Center Luxembourg</span></div>
+<div dir="auto" class="left"><span class="street-address">16, bd d'Avranches</span></div>
+<div dir="auto" class="left">L-<span class="postal-code">L-1160</span> <span class="locality">Luxembourg</span>
+</div>
+<div dir="auto" class="left"><span class="country-name">Luxembourg</span></div>
+<div class="tel">
+<span>Phone:</span>
+<a href="tel:+352%20247%2088444" class="tel">+352 247 88444</a>
+</div>
+<div class="email">
+<span>Email:</span>
+<a href="mailto:andras.iklody@circl.lu" class="email">andras.iklody@circl.lu</a>
+</div>
+</address>
+</section>
+</div>
+<script>const toc = document.getElementById("toc");
+toc.querySelector("h2").addEventListener("click", e => {
+  toc.classList.toggle("active");
+});
+toc.querySelector("nav").addEventListener("click", e => {
+  toc.classList.remove("active");
+});
+</script>
 </body>
 </html>
diff --git a/misp-core-format/raw.md.txt b/misp-core-format/raw.md.txt
index 294a244..5c30a08 100755
--- a/misp-core-format/raw.md.txt
+++ b/misp-core-format/raw.md.txt
@@ -5,11 +5,11 @@
 Network Working Group                                        A. Dulaunoy
 Internet-Draft                                                 A. Iklody
 Intended status: Informational                                     CIRCL
-Expires: April 24, 2021                                 October 21, 2020
+Expires: 18 August 2022                                 14 February 2022
 
 
                             MISP core format
-                    draft-dulaunoy-misp-core-format
+                                draft-00
 
 Abstract
 
@@ -37,31 +37,27 @@ Status of This Memo
    time.  It is inappropriate to use Internet-Drafts as reference
    material or to cite them other than as "work in progress."
 
-   This Internet-Draft will expire on April 24, 2021.
+   This Internet-Draft will expire on 18 August 2022.
 
 Copyright Notice
 
-   Copyright (c) 2020 IETF Trust and the persons identified as the
+   Copyright (c) 2022 IETF Trust and the persons identified as the
    document authors.  All rights reserved.
 
    This document is subject to BCP 78 and the IETF Trust's Legal
-   Provisions Relating to IETF Documents
-   (https://trustee.ietf.org/license-info) in effect on the date of
-   publication of this document.  Please review these documents
-   carefully, as they describe your rights and restrictions with respect
-   to this document.  Code Components extracted from this document must
+   Provisions Relating to IETF Documents (https://trustee.ietf.org/
+   license-info) in effect on the date of publication of this document.
+   Please review these documents carefully, as they describe your rights
+   and restrictions with respect to this document.
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                 [Page 1]
+
+Dulaunoy & Iklody        Expires 18 August 2022                 [Page 1]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format               February 2022
 
 
-   include Simplified BSD License text as described in Section 4.e of
-   the Trust Legal Provisions and are provided without warranty as
-   described in the Simplified BSD License.
-
 Table of Contents
 
    1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
@@ -69,59 +65,56 @@ Table of Contents
    2.  Format  . . . . . . . . . . . . . . . . . . . . . . . . . . .   3
      2.1.  Overview  . . . . . . . . . . . . . . . . . . . . . . . .   3
      2.2.  Event . . . . . . . . . . . . . . . . . . . . . . . . . .   3
-       2.2.1.  Event Attributes  . . . . . . . . . . . . . . . . . .   4
-     2.3.  Objects . . . . . . . . . . . . . . . . . . . . . . . . .   7
-       2.3.1.  Org . . . . . . . . . . . . . . . . . . . . . . . . .   7
-       2.3.2.  Orgc  . . . . . . . . . . . . . . . . . . . . . . . .   8
-     2.4.  Attribute . . . . . . . . . . . . . . . . . . . . . . . .   8
-       2.4.1.  Sample Attribute Object . . . . . . . . . . . . . . .   9
-       2.4.2.  Attribute Attributes  . . . . . . . . . . . . . . . .   9
-     2.5.  ShadowAttribute . . . . . . . . . . . . . . . . . . . . .  16
-       2.5.1.  Sample Attribute Object . . . . . . . . . . . . . . .  16
-       2.5.2.  ShadowAttribute Attributes  . . . . . . . . . . . . .  16
-       2.5.3.  Org . . . . . . . . . . . . . . . . . . . . . . . . .  22
-     2.6.  Object  . . . . . . . . . . . . . . . . . . . . . . . . .  23
-       2.6.1.  Sample Object . . . . . . . . . . . . . . . . . . . .  23
-       2.6.2.  Object Attributes . . . . . . . . . . . . . . . . . .  24
-     2.7.  Object References . . . . . . . . . . . . . . . . . . . .  28
-       2.7.1.  Sample ObjectReference object . . . . . . . . . . . .  28
-       2.7.2.  ObjectReference Attributes  . . . . . . . . . . . . .  28
-     2.8.  EventReport . . . . . . . . . . . . . . . . . . . . . . .  30
-       2.8.1.  id  . . . . . . . . . . . . . . . . . . . . . . . . .  31
-       2.8.2.  UUID  . . . . . . . . . . . . . . . . . . . . . . . .  31
-       2.8.3.  event_id  . . . . . . . . . . . . . . . . . . . . . .  31
-       2.8.4.  name  . . . . . . . . . . . . . . . . . . . . . . . .  31
-       2.8.5.  content . . . . . . . . . . . . . . . . . . . . . . .  31
-       2.8.6.  distribution  . . . . . . . . . . . . . . . . . . . .  32
-       2.8.7.  sharing_group_id  . . . . . . . . . . . . . . . . . .  32
-       2.8.8.  timestamp . . . . . . . . . . . . . . . . . . . . . .  32
-       2.8.9.  deleted . . . . . . . . . . . . . . . . . . . . . . .  33
-     2.9.  Tag . . . . . . . . . . . . . . . . . . . . . . . . . . .  33
-       2.9.1.  Sample Tag  . . . . . . . . . . . . . . . . . . . . .  33
-     2.10. Sighting  . . . . . . . . . . . . . . . . . . . . . . . .  33
-       2.10.1.  Sample Sighting  . . . . . . . . . . . . . . . . . .  34
-     2.11. Galaxy  . . . . . . . . . . . . . . . . . . . . . . . . .  35
-       2.11.1.  Sample Galaxy  . . . . . . . . . . . . . . . . . . .  35
-   3.  JSON Schema . . . . . . . . . . . . . . . . . . . . . . . . .  37
-   4.  Manifest  . . . . . . . . . . . . . . . . . . . . . . . . . .  51
-     4.1.  Format  . . . . . . . . . . . . . . . . . . . . . . . . .  51
-       4.1.1.  Sample Manifest . . . . . . . . . . . . . . . . . . .  52
+       2.2.1.  Event Attributes  . . . . . . . . . . . . . . . . . .   3
+       2.2.2.  Event Objects . . . . . . . . . . . . . . . . . . . .   7
+     2.3.  Attribute . . . . . . . . . . . . . . . . . . . . . . . .   8
+       2.3.1.  Sample Attribute Object . . . . . . . . . . . . . . .   8
+       2.3.2.  Attribute Attributes  . . . . . . . . . . . . . . . .   8
+     2.4.  ShadowAttribute . . . . . . . . . . . . . . . . . . . . .  14
+       2.4.1.  Sample Attribute Object . . . . . . . . . . . . . . .  15
+       2.4.2.  ShadowAttribute Attributes  . . . . . . . . . . . . .  15
+       2.4.3.  ShadowAttribute Objects . . . . . . . . . . . . . . .  21
+     2.5.  Object  . . . . . . . . . . . . . . . . . . . . . . . . .  22
+       2.5.1.  Sample Object . . . . . . . . . . . . . . . . . . . .  22
+       2.5.2.  Object Attributes . . . . . . . . . . . . . . . . . .  23
+     2.6.  Object References . . . . . . . . . . . . . . . . . . . .  27
+       2.6.1.  Sample ObjectReference object . . . . . . . . . . . .  27
+       2.6.2.  ObjectReference Attributes  . . . . . . . . . . . . .  27
+     2.7.  EventReport . . . . . . . . . . . . . . . . . . . . . . .  29
+       2.7.1.  id  . . . . . . . . . . . . . . . . . . . . . . . . .  29
+       2.7.2.  UUID  . . . . . . . . . . . . . . . . . . . . . . . .  30
+       2.7.3.  event_id  . . . . . . . . . . . . . . . . . . . . . .  30
+       2.7.4.  name  . . . . . . . . . . . . . . . . . . . . . . . .  30
+       2.7.5.  content . . . . . . . . . . . . . . . . . . . . . . .  30
+       2.7.6.  distribution  . . . . . . . . . . . . . . . . . . . .  30
+       2.7.7.  sharing_group_id  . . . . . . . . . . . . . . . . . .  31
+       2.7.8.  timestamp . . . . . . . . . . . . . . . . . . . . . .  31
+       2.7.9.  deleted . . . . . . . . . . . . . . . . . . . . . . .  31
+     2.8.  Tag . . . . . . . . . . . . . . . . . . . . . . . . . . .  31
+       2.8.1.  Sample Tag  . . . . . . . . . . . . . . . . . . . . .  32
+     2.9.  Sighting  . . . . . . . . . . . . . . . . . . . . . . . .  32
+       2.9.1.  Sample Sighting . . . . . . . . . . . . . . . . . . .  33
+     2.10. Galaxy  . . . . . . . . . . . . . . . . . . . . . . . . .  34
+       2.10.1.  Sample Galaxy  . . . . . . . . . . . . . . . . . . .  34
+   3.  JSON Schema . . . . . . . . . . . . . . . . . . . . . . . . .  36
+   4.  Manifest  . . . . . . . . . . . . . . . . . . . . . . . . . .  50
+     4.1.  Format  . . . . . . . . . . . . . . . . . . . . . . . . .  50
+       4.1.1.  Sample Manifest . . . . . . . . . . . . . . . . . . .  51
+   5.  Implementation  . . . . . . . . . . . . . . . . . . . . . . .  52
+   6.  Security Considerations . . . . . . . . . . . . . . . . . . .  52
+   7.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  52
+   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  52
+   9.  Normative References  . . . . . . . . . . . . . . . . . . . .  52
+   10. Informative References  . . . . . . . . . . . . . . . . . . .  53
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                 [Page 2]
+Dulaunoy & Iklody        Expires 18 August 2022                 [Page 2]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format               February 2022
 
 
-   5.  Implementation  . . . . . . . . . . . . . . . . . . . . . . .  53
-   6.  Security Considerations . . . . . . . . . . . . . . . . . . .  53
-   7.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  53
-   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  53
-   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  53
-     9.1.  Normative References  . . . . . . . . . . . . . . . . . .  54
-     9.2.  Informative References  . . . . . . . . . . . . . . . . .  54
-   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  54
+   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  53
 
 1.  Introduction
 
@@ -161,15 +154,6 @@ Internet-Draft              MISP core format                October 2020
    specific threat actor analysis.  The meaning of an event only depends
    of the information embedded in the event.
 
-
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                 [Page 3]
-
-Internet-Draft              MISP core format                October 2020
-
-
 2.2.1.  Event Attributes
 
 2.2.1.1.  uuid
@@ -179,6 +163,13 @@ Internet-Draft              MISP core format                October 2020
    the same event.  UUID version 4 is RECOMMENDED when assigning it to a
    new event.
 
+
+
+Dulaunoy & Iklody        Expires 18 August 2022                 [Page 3]
+
+Internet-Draft              MISP core format               February 2022
+
+
    uuid is represented as a JSON string. uuid MUST be present.
 
 2.2.1.2.  id
@@ -211,25 +202,10 @@ Internet-Draft              MISP core format                October 2020
 
    threat_level_id represents the threat level.
 
-   4:
-      Undefined
-
-   3:
-      Low
-
-   2:
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                 [Page 4]
-
-Internet-Draft              MISP core format                October 2020
-
-
-      Medium
-
-   1:
-      High
+   4:  Undefined
+   3:  Low
+   2:  Medium
+   1:  High
 
    If a higher granularity is required, a MISP taxonomy applied as a Tag
    SHOULD be preferred.
@@ -241,14 +217,17 @@ Internet-Draft              MISP core format                October 2020
 
    analysis represents the analysis level.
 
-   0:
-      Initial
+   0:  Initial
 
-   1:
-      Ongoing
 
-   2:
-      Complete
+
+Dulaunoy & Iklody        Expires 18 August 2022                 [Page 4]
+
+Internet-Draft              MISP core format               February 2022
+
+
+   1:  Ongoing
+   2:  Complete
 
    If a higher granularity is required, a MISP taxonomy applied as a Tag
    SHOULD be preferred.
@@ -272,16 +251,6 @@ Internet-Draft              MISP core format                October 2020
 
    timestamp is represented as a JSON string. timestamp MUST be present.
 
-
-
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                 [Page 5]
-
-Internet-Draft              MISP core format                October 2020
-
-
 2.2.1.9.  publish_timestamp
 
    publish_timestamp represents a reference time when the event was
@@ -305,6 +274,14 @@ Internet-Draft              MISP core format                October 2020
    The org_id MUST be updated when the event is generated by a new
    instance.
 
+
+
+
+Dulaunoy & Iklody        Expires 18 August 2022                 [Page 5]
+
+Internet-Draft              MISP core format               February 2022
+
+
    org_id is represented as a JSON string. org_id MUST be present.
 
 2.2.1.11.  orgc_id
@@ -331,30 +308,14 @@ Internet-Draft              MISP core format                October 2020
    The system must adhere to the distribution setting for access control
    and for dissemination of the event.
 
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                 [Page 6]
-
-Internet-Draft              MISP core format                October 2020
-
-
    distribution is represented by a JSON string. distribution MUST be
    present and be one of the following options:
 
-   0
-      Your Organisation Only
-
-   1
-      This Community Only
-
-   2
-      Connected Communities
-
-   3
-      All Communities
-
-   4
-      Sharing Group
+   0  Your Organisation Only
+   1  This Community Only
+   2  Connected Communities
+   3  All Communities
+   4  Sharing Group
 
 2.2.1.14.  sharing_group_id
 
@@ -367,6 +328,16 @@ Internet-Draft              MISP core format                October 2020
    present.  If a distribution level other than "4" is chosen the
    sharing_group_id MUST be set to "0".
 
+
+
+
+
+
+Dulaunoy & Iklody        Expires 18 August 2022                 [Page 6]
+
+Internet-Draft              MISP core format               February 2022
+
+
 2.2.1.15.  extends_uuid
 
    extends_uuid represents which event is extended by this event.  The
@@ -376,9 +347,9 @@ Internet-Draft              MISP core format                October 2020
    extends_uuid is represented as a JSON string. extends_uuid SHOULD be
    present.
 
-2.3.  Objects
+2.2.2.  Event Objects
 
-2.3.1.  Org
+2.2.2.1.  Org
 
    An Org object is composed of an uuid, name and id.
 
@@ -386,14 +357,6 @@ Internet-Draft              MISP core format                October 2020
    [RFC4122] of the organisation.  The organisation UUID is globally
    assigned to an organisation and SHALL be kept overtime.
 
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                 [Page 7]
-
-Internet-Draft              MISP core format                October 2020
-
-
    The name is a readable description of the organisation and SHOULD be
    present.  The id is a human-readable identifier generated by the
    instance and used as reference in the event.  A human-readable
@@ -402,15 +365,15 @@ Internet-Draft              MISP core format                October 2020
    uuid, name and id are represented as a JSON string. uuid, name and id
    MUST be present.
 
-2.3.1.1.  Sample Org Object
+2.2.2.1.1.  Sample Org Object
 
-          "Org": {
-                  "id": "2",
-                  "name": "CIRCL",
-                  "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
-                 }
+   "Org": {
+           "id": "2",
+           "name": "CIRCL",
+           "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
+          }
 
-2.3.2.  Orgc
+2.2.2.2.  Orgc
 
    An Orgc object is composed of an uuid, name and id.
 
@@ -424,10 +387,17 @@ Internet-Draft              MISP core format                October 2020
    instance and used as reference in the event.  A human-readable
    identifier MUST be represented as an unsigned integer.
 
+
+
+Dulaunoy & Iklody        Expires 18 August 2022                 [Page 7]
+
+Internet-Draft              MISP core format               February 2022
+
+
    uuid, name and id are represented as a JSON string. uuid, name and id
    MUST be present.
 
-2.4.  Attribute
+2.3.  Attribute
 
    Attributes are used to describe the indicators and contextual data of
    an event.  The main information contained in an attribute is made up
@@ -438,43 +408,31 @@ Internet-Draft              MISP core format                October 2020
    A MISP document MUST at least includes category-type-value triplet
    described in section "Attribute Attributes".
 
+2.3.1.  Sample Attribute Object
 
+   "Attribute": {
+                 "id": "346056",
+                 "type": "comment",
+                 "category": "Other",
+                 "to_ids": false,
+                 "uuid": "57f4f6d9-cd20-458b-84fd-109ec0a83869",
+                 "event_id": "3357",
+                 "distribution": "5",
+                 "timestamp": "1475679332",
+                 "comment": "",
+                 "sharing_group_id": "0",
+                 "deleted": false,
+                 "value": "Hello world",
+                 "SharingGroup": [],
+                 "ShadowAttribute": [],
+                 "RelatedAttribute": [],
+                 "first_seen": "2019-06-02T22:14:28.711954+00:00",
+                 "last_seen": null
+                }
 
+2.3.2.  Attribute Attributes
 
-
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                 [Page 8]
-
-Internet-Draft              MISP core format                October 2020
-
-
-2.4.1.  Sample Attribute Object
-
-      "Attribute": {
-                    "id": "346056",
-                    "type": "comment",
-                    "category": "Other",
-                    "to_ids": false,
-                    "uuid": "57f4f6d9-cd20-458b-84fd-109ec0a83869",
-                    "event_id": "3357",
-                    "distribution": "5",
-                    "timestamp": "1475679332",
-                    "comment": "",
-                    "sharing_group_id": "0",
-                    "deleted": false,
-                    "value": "Hello world",
-                    "SharingGroup": [],
-                    "ShadowAttribute": [],
-                    "RelatedAttribute": [],
-                    "first_seen": "2019-06-02T22:14:28.711954+00:00",
-                    "last_seen": null
-                   }
-
-2.4.2.  Attribute Attributes
-
-2.4.2.1.  uuid
+2.3.2.1.  uuid
 
    uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of
    the event.  The uuid MUST be preserved for any updates or transfer of
@@ -483,7 +441,16 @@ Internet-Draft              MISP core format                October 2020
 
    uuid is represented as a JSON string. uuid MUST be present.
 
-2.4.2.2.  id
+
+
+
+
+Dulaunoy & Iklody        Expires 18 August 2022                 [Page 8]
+
+Internet-Draft              MISP core format               February 2022
+
+
+2.3.2.2.  id
 
    id represents the human-readable identifier associated to the event
    for a specific MISP instance.  A human-readable identifier MUST be
@@ -491,104 +458,86 @@ Internet-Draft              MISP core format                October 2020
 
    id is represented as a JSON string. id SHALL be present.
 
-2.4.2.3.  type
+2.3.2.3.  type
 
    type represents the means through which an attribute tries to
    describe the intent of the attribute creator, using a list of pre-
    defined attribute types.
 
-
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                 [Page 9]
-
-Internet-Draft              MISP core format                October 2020
-
-
    type is represented as a JSON string. type MUST be present and it
    MUST be a valid selection for the chosen category.  The list of valid
    category-type combinations is as follows:
 
-   Antivirus detection
-      link, comment, text, hex, attachment, other, anonymised
-
-   Artifacts dropped
-      md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
-      sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash,
-      impfuzzy, authentihash, vhash, cdhash, filename, filename|md5,
-      filename|sha1, filename|sha224, filename|sha256, filename|sha384,
-      filename|sha512, filename|sha512/224, filename|sha512/256,
-      filename|sha3-224, filename|sha3-256, filename|sha3-384,
-      filename|sha3-512, filename|authentihash, filename|vhash,
-      filename|ssdeep, filename|tlsh, filename|imphash,
-      filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-
-      in-file, pattern-in-memory, filename-pattern, pdb, stix2-pattern,
-      yara, sigma, attachment, malware-sample, named pipe, mutex,
+   Antivirus detection  link, comment, text, hex, attachment, other,
+      anonymised
+   Artifacts dropped  md5, sha1, sha224, sha256, sha384, sha512,
+      sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512,
+      ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, cdhash,
+      filename, filename|md5, filename|sha1, filename|sha224,
+      filename|sha256, filename|sha384, filename|sha512,
+      filename|sha512/224, filename|sha512/256, filename|sha3-224,
+      filename|sha3-256, filename|sha3-384, filename|sha3-512,
+      filename|authentihash, filename|vhash, filename|ssdeep,
+      filename|tlsh, filename|imphash, filename|impfuzzy,
+      filename|pehash, regkey, regkey|value, pattern-in-file, pattern-
+      in-memory, filename-pattern, pdb, stix2-pattern, yara, sigma,
+      attachment, malware-sample, named pipe, mutex, process-state,
       windows-scheduled-task, windows-service-name, windows-service-
       displayname, comment, text, hex, x509-fingerprint-sha1, x509-
       fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene,
       kusto-query, mime-type, anonymised, pgp-public-key, pgp-private-
       key
-
-   Attribution
-      threat-actor, campaign-name, campaign-id, whois-registrant-phone,
-      whois-registrant-email, whois-registrant-name, whois-registrant-
-      org, whois-registrar, whois-creation-date, comment, text, x509-
-      fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256,
-      other, dns-soa-email, anonymised, email
-
-   External analysis
-      md5, sha1, sha256, sha3-224, sha3-256, sha3-384, sha3-512,
-      filename, filename|md5, filename|sha1, filename|sha256,
+   Attribution  threat-actor, campaign-name, campaign-id, whois-
+      registrant-phone, whois-registrant-email, whois-registrant-name,
+      whois-registrant-org, whois-registrar, whois-creation-date,
+      comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-
+      fingerprint-sha256, other, dns-soa-email, anonymised, email
+   External analysis  md5, sha1, sha256, sha3-224, sha3-256, sha3-384,
+      sha3-512, filename, filename|md5, filename|sha1, filename|sha256,
       filename|sha3-224, filename|sha3-256, filename|sha3-384,
       filename|sha3-512, ip-src, ip-dst, ip-dst|port, ip-src|port, mac-
       address, mac-eui-64, hostname, domain, domain|ip, url, user-agent,
       regkey, regkey|value, AS, snort, bro, zeek, pattern-in-file,
+
+
+
+Dulaunoy & Iklody        Expires 18 August 2022                 [Page 9]
+
+Internet-Draft              MISP core format               February 2022
+
+
       pattern-in-traffic, pattern-in-memory, filename-pattern,
       vulnerability, cpe, weakness, attachment, malware-sample, link,
       comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-
-      fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-
-      md5, github-repository, other, cortex, anonymised, community-id
-
-   Financial fraud
-      btc, dash, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-
-      number, prtn, phone-number, comment, text, other, hex, anonymised
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 10]
-
-Internet-Draft              MISP core format                October 2020
-
-
-   Internal reference
-      text, link, comment, other, hex, anonymised, git-commit-id
-
-   Network activity
-      ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain,
-      domain|ip, mac-address, mac-eui-64, email, email-dst, email-src,
-      eppn, url, uri, user-agent, http-method, AS, snort, pattern-in-
-      file, filename-pattern, stix2-pattern, pattern-in-traffic,
-      attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-
-      sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5,
-      hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek,
-      anonymised, community-id, email-subject
-
-   Other
-      comment, text, other, size-in-bytes, counter, datetime, cpe, port,
-      float, hex, phone-number, boolean, anonymised, pgp-public-key,
-      pgp-private-key
-
-   Payload delivery
-      md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
-      sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash,
-      impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename,
-      filename|md5, filename|sha1, filename|sha224, filename|sha256,
-      filename|sha384, filename|sha512, filename|sha512/224,
-      filename|sha512/256, filename|sha3-224, filename|sha3-256,
-      filename|sha3-384, filename|sha3-512, filename|authentihash,
-      filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash,
+      fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-
+      md5, hasshserver-md5, github-repository, other, cortex,
+      anonymised, community-id
+   Financial fraud  btc, dash, xmr, iban, bic, bank-account-nr, aba-rtn,
+      bin, cc-number, prtn, phone-number, comment, text, other, hex,
+      anonymised
+   Internal reference  text, link, comment, other, hex, anonymised, git-
+      commit-id
+   Network activity  ip-src, ip-dst, ip-dst|port, ip-src|port, port,
+      hostname, domain, domain|ip, mac-address, mac-eui-64, email,
+      email-dst, email-src, eppn, url, uri, user-agent, http-method, AS,
+      snort, pattern-in-file, filename-pattern, stix2-pattern, pattern-
+      in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-
+      fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5,
+      jarm-fingerprint, hassh-md5, hasshserver-md5, other, hex, cookie,
+      hostname|port, bro, zeek, anonymised, community-id, email-subject,
+      favicon-mmh3, dkim, dkim-signature
+   Other  comment, text, other, size-in-bytes, counter, datetime, cpe,
+      port, float, hex, phone-number, boolean, anonymised, pgp-public-
+      key, pgp-private-key
+   Payload delivery  md5, sha1, sha224, sha256, sha384, sha512,
+      sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512,
+      ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash,
+      tlsh, cdhash, filename, filename|md5, filename|sha1,
+      filename|sha224, filename|sha256, filename|sha384,
+      filename|sha512, filename|sha512/224, filename|sha512/256,
+      filename|sha3-224, filename|sha3-256, filename|sha3-384,
+      filename|sha3-512, filename|authentihash, filename|vhash,
+      filename|ssdeep, filename|tlsh, filename|imphash,
       filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-
       src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email,
       email-src, email-dst, email-subject, email-attachment, email-body,
@@ -597,84 +546,62 @@ Internet-Draft              MISP core format                October 2020
       attachment, malware-sample, link, malware-type, comment, text,
       hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-
       fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5,
-      hassh-md5, hasshserver-md5, other, hostname|port, email-dst-
-      display-name, email-src-display-name, email-header, email-reply-
-      to, email-x-mailer, email-mime-boundary, email-thread-index,
-      email-message-id, mobile-application-id, chrome-extension-id,
-      whois-registrant-email, anonymised
-
-   Payload installation
-      md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
-      sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash,
-      impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename,
-      filename|md5, filename|sha1, filename|sha224, filename|sha256,
-      filename|sha384, filename|sha512, filename|sha512/224,
-      filename|sha512/256, filename|sha3-224, filename|sha3-256,
+      jarm-fingerprint, hassh-md5, hasshserver-md5, other,
+      hostname|port, email-dst-display-name, email-src-display-name,
+      email-header, email-reply-to, email-x-mailer, email-mime-boundary,
+      email-thread-index, email-message-id, mobile-application-id,
+      chrome-extension-id, whois-registrant-email, anonymised
+   Payload installation  md5, sha1, sha224, sha256, sha384, sha512,
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 11]
+
+
+Dulaunoy & Iklody        Expires 18 August 2022                [Page 10]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format               February 2022
 
 
-      filename|sha3-384, filename|sha3-512, filename|authentihash,
-      filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash,
+      sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512,
+      ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash,
+      tlsh, cdhash, filename, filename|md5, filename|sha1,
+      filename|sha224, filename|sha256, filename|sha384,
+      filename|sha512, filename|sha512/224, filename|sha512/256,
+      filename|sha3-224, filename|sha3-256, filename|sha3-384,
+      filename|sha3-512, filename|authentihash, filename|vhash,
+      filename|ssdeep, filename|tlsh, filename|imphash,
       filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-
       traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara,
       sigma, vulnerability, cpe, weakness, attachment, malware-sample,
       malware-type, comment, text, hex, x509-fingerprint-sha1, x509-
       fingerprint-md5, x509-fingerprint-sha256, mobile-application-id,
       chrome-extension-id, other, mime-type, anonymised
-
-   Payload type
-      comment, text, other, anonymised
-
-   Persistence mechanism
-      filename, regkey, regkey|value, comment, text, other, hex,
-      anonymised
-
-   Person
-      first-name, middle-name, last-name, date-of-birth, place-of-birth,
-      gender, passport-number, passport-country, passport-expiration,
-      redress-number, nationality, visa-number, issue-date-of-the-visa,
-      primary-residence, country-of-residence, special-service-request,
-      frequent-flyer-number, travel-details, payment-details, place-
-      port-of-original-embarkation, place-port-of-clearance, place-port-
-      of-onward-foreign-destination, passenger-name-record-locator-
-      number, comment, text, other, phone-number, identity-card-number,
-      anonymised, email, pgp-public-key, pgp-private-key
-
-   Social network
-      github-username, github-repository, github-organisation, jabber-
-      id, twitter-id, email, email-src, email-dst, eppn, comment, text,
-      other, whois-registrant-email, anonymised, pgp-public-key, pgp-
+   Payload type  comment, text, other, anonymised
+   Persistence mechanism  filename, regkey, regkey|value, comment, text,
+      other, hex, anonymised
+   Person  first-name, middle-name, last-name, full-name, date-of-birth,
+      place-of-birth, gender, passport-number, passport-country,
+      passport-expiration, redress-number, nationality, visa-number,
+      issue-date-of-the-visa, primary-residence, country-of-residence,
+      special-service-request, frequent-flyer-number, travel-details,
+      payment-details, place-port-of-original-embarkation, place-port-
+      of-clearance, place-port-of-onward-foreign-destination, passenger-
+      name-record-locator-number, comment, text, other, phone-number,
+      identity-card-number, anonymised, email, pgp-public-key, pgp-
       private-key
-
-   Support Tool
-      link, text, attachment, comment, other, hex, anonymised
-
-   Targeting data
-      target-user, target-email, target-machine, target-org, target-
-      location, target-external, comment, anonymised
+   Social network  github-username, github-repository, github-
+      organisation, jabber-id, twitter-id, email, email-src, email-dst,
+      eppn, comment, text, other, whois-registrant-email, anonymised,
+      pgp-public-key, pgp-private-key
+   Support Tool  link, text, attachment, comment, other, hex, anonymised
+   Targeting data  target-user, target-email, target-machine, target-
+      org, target-location, target-external, comment, anonymised
 
    Attributes are based on the usage within their different communities.
    Attributes can be extended on a regular basis and this reference
    document is updated accordingly.
 
-
-
-
-
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 12]
-
-Internet-Draft              MISP core format                October 2020
-
-
-2.4.2.4.  category
+2.3.2.4.  category
 
    category represents the intent of what the attribute is describing as
    selected by the attribute creator, using a list of pre-defined
@@ -684,7 +611,14 @@ Internet-Draft              MISP core format                October 2020
    and it MUST be a valid selection for the chosen type.  The list of
    valid category-type combinations is mentioned above.
 
-2.4.2.5.  to_ids
+
+
+Dulaunoy & Iklody        Expires 18 August 2022                [Page 11]
+
+Internet-Draft              MISP core format               February 2022
+
+
+2.3.2.5.  to_ids
 
    to_ids represents whether the attribute is meant to be actionable.
    Actionable defined attributes that can be used in automated processes
@@ -693,7 +627,7 @@ Internet-Draft              MISP core format                October 2020
 
    to_ids is represented as a JSON boolean. to_ids MUST be present.
 
-2.4.2.6.  event_id
+2.3.2.6.  event_id
 
    event_id represents a human-readable identifier referencing the Event
    object that the attribute belongs to.  A human-readable identifier
@@ -704,7 +638,7 @@ Internet-Draft              MISP core format                October 2020
 
    event_id is represented as a JSON string. event_id MUST be present.
 
-2.4.2.7.  distribution
+2.3.2.7.  distribution
 
    distribution represents the basic distribution rules of the
    attribute.  The system must adhere to the distribution setting for
@@ -713,33 +647,14 @@ Internet-Draft              MISP core format                October 2020
    distribution is represented by a JSON string. distribution MUST be
    present and be one of the following options:
 
-   0
-      Your Organisation Only
+   0  Your Organisation Only
+   1  This Community Only
+   2  Connected Communities
+   3  All Communities
+   4  Sharing Group
+   5  Inherit Event
 
-   1
-      This Community Only
-
-   2
-      Connected Communities
-
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 13]
-
-Internet-Draft              MISP core format                October 2020
-
-
-   3
-      All Communities
-
-   4
-      Sharing Group
-
-   5
-      Inherit Event
-
-2.4.2.8.  timestamp
+2.3.2.8.  timestamp
 
    timestamp represents a reference time when the attribute was created
    or last modified. timestamp is expressed in seconds (decimal) since
@@ -747,13 +662,21 @@ Internet-Draft              MISP core format                October 2020
 
    timestamp is represented as a JSON string. timestamp MUST be present.
 
-2.4.2.9.  comment
+2.3.2.9.  comment
 
    comment is a contextual comment field.
 
+
+
+
+Dulaunoy & Iklody        Expires 18 August 2022                [Page 12]
+
+Internet-Draft              MISP core format               February 2022
+
+
    comment is represented by a JSON string. comment MAY be present.
 
-2.4.2.10.  sharing_group_id
+2.3.2.10.  sharing_group_id
 
    sharing_group_id represents a human-readable identifier referencing a
    Sharing Group object that defines the distribution of the attribute,
@@ -764,7 +687,7 @@ Internet-Draft              MISP core format                October 2020
    present.  If a distribution level other than "4" is chosen the
    sharing_group_id MUST be set to "0".
 
-2.4.2.11.  deleted
+2.3.2.11.  deleted
 
    deleted represents a setting that allows attributes to be revoked.
    Revoked attributes are not actionable and exist merely to inform
@@ -772,24 +695,17 @@ Internet-Draft              MISP core format                October 2020
 
    deleted is represented by a JSON boolean. deleted MUST be present.
 
-2.4.2.12.  data
+2.3.2.12.  data
 
    data contains the base64 encoded contents of an attachment or a
    malware sample.  For malware samples, the sample MUST be encrypted
    using a password protected zip archive, with the password being
    "infected".
 
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 14]
-
-Internet-Draft              MISP core format                October 2020
-
-
    data is represented by a JSON string in base64 encoding. data MUST be
    set for attributes of type malware-sample and attachment.
 
-2.4.2.13.  RelatedAttribute
+2.3.2.13.  RelatedAttribute
 
    RelatedAttribute is an array of attributes correlating with the
    current attribute.  Each element in the array represents an JSON
@@ -800,7 +716,21 @@ Internet-Draft              MISP core format                October 2020
 
    RelatedAttribute MAY be present.
 
-2.4.2.14.  ShadowAttribute
+
+
+
+
+
+
+
+
+
+Dulaunoy & Iklody        Expires 18 August 2022                [Page 13]
+
+Internet-Draft              MISP core format               February 2022
+
+
+2.3.2.14.  ShadowAttribute
 
    ShadowAttribute is an array of shadow attributes that serve as
    proposals by third parties to alter the containing attribute.  The
@@ -813,14 +743,14 @@ Internet-Draft              MISP core format                October 2020
    containing attribute's ID in the old_id field and the event's ID in
    the event_id field.
 
-2.4.2.15.  value
+2.3.2.15.  value
 
    value represents the payload of an attribute.  The format of the
    value is dependent on the type of the attribute.
 
    value is represented by a JSON string. value MUST be present.
 
-2.4.2.16.  first_seen
+2.3.2.16.  first_seen
 
    first_seen represents a reference time when the attribute was first
    seen. first_seen is expressed as an ISO 8601 datetime up to the
@@ -829,22 +759,15 @@ Internet-Draft              MISP core format                October 2020
    first_seen is represented as a JSON string. first_seen MAY be
    present.
 
-2.4.2.17.  last_seen
+2.3.2.17.  last_seen
 
    last_seen represents a reference time when the attribute was last
    seen. last_seen is expressed as an ISO 8601 datetime up to the micro-
    second with time zone support.
 
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 15]
-
-Internet-Draft              MISP core format                October 2020
-
-
    last_seen is represented as a JSON string. last_seen MAY be present.
 
-2.5.  ShadowAttribute
+2.4.  ShadowAttribute
 
    ShadowAttributes are 3rd party created attributes that either propose
    to add new information to an event or modify existing information.
@@ -856,7 +779,14 @@ Internet-Draft              MISP core format                October 2020
    reference to the creator of the ShadowAttribute as well as a
    revocation flag.
 
-2.5.1.  Sample Attribute Object
+
+
+Dulaunoy & Iklody        Expires 18 August 2022                [Page 14]
+
+Internet-Draft              MISP core format               February 2022
+
+
+2.4.1.  Sample Attribute Object
 
 "ShadowAttribute":  {
                        "id": "8",
@@ -881,81 +811,67 @@ Internet-Draft              MISP core format                October 2020
                        "last_seen": null
                    }
 
-2.5.2.  ShadowAttribute Attributes
+2.4.2.  ShadowAttribute Attributes
 
-2.5.2.1.  uuid
+2.4.2.1.  uuid
 
    uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of
    the event.  The uuid MUST be preserved for any updates or transfer of
    the same event.  UUID version 4 is RECOMMENDED when assigning it to a
    new event.
 
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 16]
-
-Internet-Draft              MISP core format                October 2020
-
-
    uuid is represented as a JSON string. uuid MUST be present.
 
-2.5.2.2.  id
+2.4.2.2.  id
 
    id represents the human-readable identifier associated to the event
    for a specific MISP instance. human-readable identifier MUST be
-   represented as an unsigned integer.  id is represented as a JSON
+   represented as an unsigned integer. id is represented as a JSON
    string. id SHALL be present.
 
-2.5.2.3.  type
+2.4.2.3.  type
 
    type represents the means through which an attribute tries to
    describe the intent of the attribute creator, using a list of pre-
    defined attribute types.
 
+
+
+Dulaunoy & Iklody        Expires 18 August 2022                [Page 15]
+
+Internet-Draft              MISP core format               February 2022
+
+
    type is represented as a JSON string. type MUST be present and it
    MUST be a valid selection for the chosen category.  The list of valid
    category-type combinations is as follows:
 
-   Antivirus detection
-      link, comment, text, hex, attachment, other, anonymised
-
-   Artifacts dropped
-      md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
-      sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash,
-      impfuzzy, authentihash, vhash, cdhash, filename, filename|md5,
-      filename|sha1, filename|sha224, filename|sha256, filename|sha384,
-      filename|sha512, filename|sha512/224, filename|sha512/256,
-      filename|sha3-224, filename|sha3-256, filename|sha3-384,
-      filename|sha3-512, filename|authentihash, filename|vhash,
-      filename|ssdeep, filename|tlsh, filename|imphash,
-      filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-
-      in-file, pattern-in-memory, filename-pattern, pdb, stix2-pattern,
-      yara, sigma, attachment, malware-sample, named pipe, mutex,
+   Antivirus detection  link, comment, text, hex, attachment, other,
+      anonymised
+   Artifacts dropped  md5, sha1, sha224, sha256, sha384, sha512,
+      sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512,
+      ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, cdhash,
+      filename, filename|md5, filename|sha1, filename|sha224,
+      filename|sha256, filename|sha384, filename|sha512,
+      filename|sha512/224, filename|sha512/256, filename|sha3-224,
+      filename|sha3-256, filename|sha3-384, filename|sha3-512,
+      filename|authentihash, filename|vhash, filename|ssdeep,
+      filename|tlsh, filename|imphash, filename|impfuzzy,
+      filename|pehash, regkey, regkey|value, pattern-in-file, pattern-
+      in-memory, filename-pattern, pdb, stix2-pattern, yara, sigma,
+      attachment, malware-sample, named pipe, mutex, process-state,
       windows-scheduled-task, windows-service-name, windows-service-
       displayname, comment, text, hex, x509-fingerprint-sha1, x509-
       fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene,
       kusto-query, mime-type, anonymised, pgp-public-key, pgp-private-
       key
-
-   Attribution
-      threat-actor, campaign-name, campaign-id, whois-registrant-phone,
-      whois-registrant-email, whois-registrant-name, whois-registrant-
-      org, whois-registrar, whois-creation-date, comment, text, x509-
-      fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256,
-      other, dns-soa-email, anonymised, email
-
-   External analysis
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 17]
-
-Internet-Draft              MISP core format                October 2020
-
-
-      md5, sha1, sha256, sha3-224, sha3-256, sha3-384, sha3-512,
-      filename, filename|md5, filename|sha1, filename|sha256,
+   Attribution  threat-actor, campaign-name, campaign-id, whois-
+      registrant-phone, whois-registrant-email, whois-registrant-name,
+      whois-registrant-org, whois-registrar, whois-creation-date,
+      comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-
+      fingerprint-sha256, other, dns-soa-email, anonymised, email
+   External analysis  md5, sha1, sha256, sha3-224, sha3-256, sha3-384,
+      sha3-512, filename, filename|md5, filename|sha1, filename|sha256,
       filename|sha3-224, filename|sha3-256, filename|sha3-384,
       filename|sha3-512, ip-src, ip-dst, ip-dst|port, ip-src|port, mac-
       address, mac-eui-64, hostname, domain, domain|ip, url, user-agent,
@@ -963,71 +879,67 @@ Internet-Draft              MISP core format                October 2020
       pattern-in-traffic, pattern-in-memory, filename-pattern,
       vulnerability, cpe, weakness, attachment, malware-sample, link,
       comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-
-      fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-
-      md5, github-repository, other, cortex, anonymised, community-id
+      fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-
+      md5, hasshserver-md5, github-repository, other, cortex,
+      anonymised, community-id
+   Financial fraud  btc, dash, xmr, iban, bic, bank-account-nr, aba-rtn,
+      bin, cc-number, prtn, phone-number, comment, text, other, hex,
+      anonymised
+   Internal reference  text, link, comment, other, hex, anonymised, git-
+      commit-id
+   Network activity  ip-src, ip-dst, ip-dst|port, ip-src|port, port,
 
-   Financial fraud
-      btc, dash, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-
-      number, prtn, phone-number, comment, text, other, hex, anonymised
 
-   Internal reference
-      text, link, comment, other, hex, anonymised, git-commit-id
 
-   Network activity
-      ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain,
-      domain|ip, mac-address, mac-eui-64, email, email-dst, email-src,
-      eppn, url, uri, user-agent, http-method, AS, snort, pattern-in-
-      file, filename-pattern, stix2-pattern, pattern-in-traffic,
-      attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-
-      sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5,
-      hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek,
-      anonymised, community-id, email-subject
 
-   Other
-      comment, text, other, size-in-bytes, counter, datetime, cpe, port,
-      float, hex, phone-number, boolean, anonymised, pgp-public-key,
-      pgp-private-key
 
-   Payload delivery
-      md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
-      sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash,
-      impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename,
-      filename|md5, filename|sha1, filename|sha224, filename|sha256,
-      filename|sha384, filename|sha512, filename|sha512/224,
-      filename|sha512/256, filename|sha3-224, filename|sha3-256,
-      filename|sha3-384, filename|sha3-512, filename|authentihash,
-      filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash,
+Dulaunoy & Iklody        Expires 18 August 2022                [Page 16]
+
+Internet-Draft              MISP core format               February 2022
+
+
+      hostname, domain, domain|ip, mac-address, mac-eui-64, email,
+      email-dst, email-src, eppn, url, uri, user-agent, http-method, AS,
+      snort, pattern-in-file, filename-pattern, stix2-pattern, pattern-
+      in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-
+      fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5,
+      jarm-fingerprint, hassh-md5, hasshserver-md5, other, hex, cookie,
+      hostname|port, bro, zeek, anonymised, community-id, email-subject,
+      favicon-mmh3, dkim, dkim-signature
+   Other  comment, text, other, size-in-bytes, counter, datetime, cpe,
+      port, float, hex, phone-number, boolean, anonymised, pgp-public-
+      key, pgp-private-key
+   Payload delivery  md5, sha1, sha224, sha256, sha384, sha512,
+      sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512,
+      ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash,
+      tlsh, cdhash, filename, filename|md5, filename|sha1,
+      filename|sha224, filename|sha256, filename|sha384,
+      filename|sha512, filename|sha512/224, filename|sha512/256,
+      filename|sha3-224, filename|sha3-256, filename|sha3-384,
+      filename|sha3-512, filename|authentihash, filename|vhash,
+      filename|ssdeep, filename|tlsh, filename|imphash,
       filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-
       src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email,
       email-src, email-dst, email-subject, email-attachment, email-body,
       url, user-agent, AS, pattern-in-file, pattern-in-traffic,
       filename-pattern, stix2-pattern, yara, sigma, mime-type,
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 18]
-
-Internet-Draft              MISP core format                October 2020
-
-
       attachment, malware-sample, link, malware-type, comment, text,
       hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-
       fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5,
-      hassh-md5, hasshserver-md5, other, hostname|port, email-dst-
-      display-name, email-src-display-name, email-header, email-reply-
-      to, email-x-mailer, email-mime-boundary, email-thread-index,
-      email-message-id, mobile-application-id, chrome-extension-id,
-      whois-registrant-email, anonymised
-
-   Payload installation
-      md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
-      sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash,
-      impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename,
-      filename|md5, filename|sha1, filename|sha224, filename|sha256,
-      filename|sha384, filename|sha512, filename|sha512/224,
-      filename|sha512/256, filename|sha3-224, filename|sha3-256,
-      filename|sha3-384, filename|sha3-512, filename|authentihash,
-      filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash,
+      jarm-fingerprint, hassh-md5, hasshserver-md5, other,
+      hostname|port, email-dst-display-name, email-src-display-name,
+      email-header, email-reply-to, email-x-mailer, email-mime-boundary,
+      email-thread-index, email-message-id, mobile-application-id,
+      chrome-extension-id, whois-registrant-email, anonymised
+   Payload installation  md5, sha1, sha224, sha256, sha384, sha512,
+      sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512,
+      ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash,
+      tlsh, cdhash, filename, filename|md5, filename|sha1,
+      filename|sha224, filename|sha256, filename|sha384,
+      filename|sha512, filename|sha512/224, filename|sha512/256,
+      filename|sha3-224, filename|sha3-256, filename|sha3-384,
+      filename|sha3-512, filename|authentihash, filename|vhash,
+      filename|ssdeep, filename|tlsh, filename|imphash,
       filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-
       traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara,
       sigma, vulnerability, cpe, weakness, attachment, malware-sample,
@@ -1035,49 +947,39 @@ Internet-Draft              MISP core format                October 2020
       fingerprint-md5, x509-fingerprint-sha256, mobile-application-id,
       chrome-extension-id, other, mime-type, anonymised
 
-   Payload type
-      comment, text, other, anonymised
-
-   Persistence mechanism
-      filename, regkey, regkey|value, comment, text, other, hex,
-      anonymised
-
-   Person
-      first-name, middle-name, last-name, date-of-birth, place-of-birth,
-      gender, passport-number, passport-country, passport-expiration,
-      redress-number, nationality, visa-number, issue-date-of-the-visa,
-      primary-residence, country-of-residence, special-service-request,
-      frequent-flyer-number, travel-details, payment-details, place-
-      port-of-original-embarkation, place-port-of-clearance, place-port-
-      of-onward-foreign-destination, passenger-name-record-locator-
-      number, comment, text, other, phone-number, identity-card-number,
-      anonymised, email, pgp-public-key, pgp-private-key
-
-   Social network
-      github-username, github-repository, github-organisation, jabber-
-      id, twitter-id, email, email-src, email-dst, eppn, comment, text,
-      other, whois-registrant-email, anonymised, pgp-public-key, pgp-
-      private-key
 
 
-
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 19]
+Dulaunoy & Iklody        Expires 18 August 2022                [Page 17]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format               February 2022
 
 
-   Support Tool
-      link, text, attachment, comment, other, hex, anonymised
-
-   Targeting data
-      target-user, target-email, target-machine, target-org, target-
-      location, target-external, comment, anonymised
+   Payload type  comment, text, other, anonymised
+   Persistence mechanism  filename, regkey, regkey|value, comment, text,
+      other, hex, anonymised
+   Person  first-name, middle-name, last-name, full-name, date-of-birth,
+      place-of-birth, gender, passport-number, passport-country,
+      passport-expiration, redress-number, nationality, visa-number,
+      issue-date-of-the-visa, primary-residence, country-of-residence,
+      special-service-request, frequent-flyer-number, travel-details,
+      payment-details, place-port-of-original-embarkation, place-port-
+      of-clearance, place-port-of-onward-foreign-destination, passenger-
+      name-record-locator-number, comment, text, other, phone-number,
+      identity-card-number, anonymised, email, pgp-public-key, pgp-
+      private-key
+   Social network  github-username, github-repository, github-
+      organisation, jabber-id, twitter-id, email, email-src, email-dst,
+      eppn, comment, text, other, whois-registrant-email, anonymised,
+      pgp-public-key, pgp-private-key
+   Support Tool  link, text, attachment, comment, other, hex, anonymised
+   Targeting data  target-user, target-email, target-machine, target-
+      org, target-location, target-external, comment, anonymised
 
    Attributes are based on the usage within their different communities.
    Attributes can be extended on a regular basis and this reference
    document is updated accordingly.
 
-2.5.2.4.  category
+2.4.2.4.  category
 
    category represents the intent of what the attribute is describing as
    selected by the attribute creator, using a list of pre-defined
@@ -1087,7 +989,7 @@ Internet-Draft              MISP core format                October 2020
    and it MUST be a valid selection for the chosen type.  The list of
    valid category-type combinations is mentioned above.
 
-2.5.2.5.  to_ids
+2.4.2.5.  to_ids
 
    to_ids represents whether the Attribute to be created if the
    ShadowAttribute is accepted is meant to be actionable.  Actionable
@@ -1097,7 +999,18 @@ Internet-Draft              MISP core format                October 2020
 
    to_ids is represented as a JSON boolean. to_ids MUST be present.
 
-2.5.2.6.  event_id
+
+
+
+
+
+
+Dulaunoy & Iklody        Expires 18 August 2022                [Page 18]
+
+Internet-Draft              MISP core format               February 2022
+
+
+2.4.2.6.  event_id
 
    event_id represents a human-readable identifier referencing the Event
    object that the ShadowAttribute belongs to.
@@ -1107,21 +1020,12 @@ Internet-Draft              MISP core format                October 2020
 
    event_id is represented as a JSON string. event_id MUST be present.
 
-2.5.2.7.  old_id
+2.4.2.7.  old_id
 
    old_id represents a human-readable identifier referencing the
    Attribute object that the ShadowAttribute belongs to.  A
    ShadowAttribute can this way target an existing Attribute, implying
    that it is a proposal to modify an existing Attribute, or
-
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 20]
-
-Internet-Draft              MISP core format                October 2020
-
-
    alternatively it can be a proposal to create a new Attribute for the
    containing Event.
 
@@ -1132,7 +1036,7 @@ Internet-Draft              MISP core format                October 2020
 
    old_id is represented as a JSON string. old_id MUST be present.
 
-2.5.2.8.  timestamp
+2.4.2.8.  timestamp
 
    timestamp represents a reference time when the attribute was created
    or last modified. timestamp is expressed in seconds (decimal) since
@@ -1140,25 +1044,35 @@ Internet-Draft              MISP core format                October 2020
 
    timestamp is represented as a JSON string. timestamp MUST be present.
 
-2.5.2.9.  comment
+2.4.2.9.  comment
 
    comment is a contextual comment field.
 
    comment is represented by a JSON string. comment MAY be present.
 
-2.5.2.10.  org_id
+2.4.2.10.  org_id
 
    org_id represents a human-readable identifier referencing the
    proposal creator's Organisation object.  A human-readable identifier
    MUST be represented as an unsigned integer.
 
+
+
+
+
+
+Dulaunoy & Iklody        Expires 18 August 2022                [Page 19]
+
+Internet-Draft              MISP core format               February 2022
+
+
    Whilst attributes can only be created by the event creator
    organisation, shadow attributes can be created by third parties.
    org_id tracks the creator organisation.
 
    org_id is represented by a JSON string and MUST be present.
 
-2.5.2.11.  proposal_to_delete
+2.4.2.11.  proposal_to_delete
 
    proposal_to_delete is a boolean flag that sets whether the shadow
    attribute proposes to alter an attribute, or whether it proposes to
@@ -1170,15 +1084,7 @@ Internet-Draft              MISP core format                October 2020
    proposal_to_delete is a JSON boolean and it MUST be present.  If
    proposal_to_delete is set to true, old_id MUST NOT be 0.
 
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 21]
-
-Internet-Draft              MISP core format                October 2020
-
-
-2.5.2.12.  deleted
+2.4.2.12.  deleted
 
    deleted represents a setting that allows shadow attributes to be
    revoked.  Revoked shadow attributes only serve to inform other
@@ -1186,7 +1092,7 @@ Internet-Draft              MISP core format                October 2020
 
    deleted is represented by a JSON boolean. deleted SHOULD be present.
 
-2.5.2.13.  data
+2.4.2.13.  data
 
    data contains the base64 encoded contents of an attachment or a
    malware sample.  For malware samples, the sample MUST be encrypted
@@ -1196,7 +1102,7 @@ Internet-Draft              MISP core format                October 2020
    data is represented by a JSON string in base64 encoding. data MUST be
    set for shadow attributes of type malware-sample and attachment.
 
-2.5.2.14.  first_seen
+2.4.2.14.  first_seen
 
    first_seen represents a reference time when the attribute was first
    seen. first_seen as an ISO 8601 datetime up to the micro-second with
@@ -1205,7 +1111,18 @@ Internet-Draft              MISP core format                October 2020
    first_seen is represented as a JSON string. first_seen MAY be
    present.
 
-2.5.2.15.  last_seen
+
+
+
+
+
+
+Dulaunoy & Iklody        Expires 18 August 2022                [Page 20]
+
+Internet-Draft              MISP core format               February 2022
+
+
+2.4.2.15.  last_seen
 
    last_seen represents a reference time when the attribute was last
    seen. last_seen as an ISO 8601 datetime up to the micro-second with
@@ -1213,7 +1130,16 @@ Internet-Draft              MISP core format                October 2020
 
    last_seen is represented as a JSON string. last_seen MAY be present.
 
-2.5.3.  Org
+2.4.2.16.  value
+
+   value represents the payload of an attribute.  The format of the
+   value is dependent on the type of the attribute.
+
+   value is represented by a JSON string. value MUST be present.
+
+2.4.3.  ShadowAttribute Objects
+
+2.4.3.1.  Org
 
    An Org object is composed of an uuid, name and id.
 
@@ -1226,33 +1152,33 @@ Internet-Draft              MISP core format                October 2020
    instance and used as reference in the event.  A human-readable
    identifier MUST be represented as an unsigned integer.
 
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 22]
-
-Internet-Draft              MISP core format                October 2020
-
-
    uuid, name and id are represented as a JSON string. uuid, name and id
    MUST be present.
 
-2.5.3.1.  Sample Org Object
+2.4.3.1.1.  Sample Org Object
 
-          "Org": {
-                  "id": "2",
-                  "name": "CIRCL",
-                  "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
-                 }
+   "Org": {
+           "id": "2",
+           "name": "CIRCL",
+           "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
+          }
 
-2.5.3.2.  value
 
-   value represents the payload of an attribute.  The format of the
-   value is dependent on the type of the attribute.
 
-   value is represented by a JSON string. value MUST be present.
 
-2.6.  Object
+
+
+
+
+
+
+
+Dulaunoy & Iklody        Expires 18 August 2022                [Page 21]
+
+Internet-Draft              MISP core format               February 2022
+
+
+2.5.  Object
 
    Objects serve as a contextual bond between a list of attributes
    within an event.  Their main purpose is to describe more complex
@@ -1268,7 +1194,7 @@ Internet-Draft              MISP core format                October 2020
    category, a description, a template_uuid and a template_version as
    described in the "Object Attributes" section.
 
-2.6.1.  Sample Object
+2.5.1.  Sample Object
 
 
 
@@ -1285,9 +1211,27 @@ Internet-Draft              MISP core format                October 2020
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 23]
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Dulaunoy & Iklody        Expires 18 August 2022                [Page 22]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format               February 2022
 
 
 "Object": {
@@ -1331,9 +1275,7 @@ Internet-Draft              MISP core format                October 2020
    ]
 }
 
-                                 Figure 1
-
-2.6.2.  Object Attributes
+2.5.2.  Object Attributes
 
 
 
@@ -1341,19 +1283,21 @@ Internet-Draft              MISP core format                October 2020
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 24]
+
+
+Dulaunoy & Iklody        Expires 18 August 2022                [Page 23]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format               February 2022
 
 
-2.6.2.1.  uuid
+2.5.2.1.  uuid
 
    uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of
    the object.  The uuid MUST be preserved for any updates or transfer
    of the same object.  UUID version 4 is RECOMMENDED when assigning it
    to a new object.
 
-2.6.2.2.  id
+2.5.2.2.  id
 
    id represents the human-readable identifier associated to the object
    for a specific MISP instance.  A human-readable identifier MUST be
@@ -1361,48 +1305,51 @@ Internet-Draft              MISP core format                October 2020
 
    id is represented as a JSON string. id SHALL be present.
 
-2.6.2.3.  name
+2.5.2.3.  name
 
    name represents the human-readable name of the object describing the
    intent of the object package.
 
-   name is represented as a JSON string. name MUST be present
+   name is represented as a JSON string. name MUST be present.
 
-2.6.2.4.  meta-category
+2.5.2.4.  meta-category
 
    meta-category represents the sub-category of objects that the given
    object belongs to. meta-categories are not tied to a fixed list of
    options but can be created on the fly.
 
    meta-category is represented as a JSON string. meta-category MUST be
-   present
+   present.
 
-2.6.2.5.  description
+2.5.2.5.  description
 
    description is a human-readable description of the given object type,
    as derived from the template used for creation.
 
-   description is represented as a JSON string. id SHALL be present.
+   description is represented as a JSON string. description SHALL be
+   present.
 
-2.6.2.6.  template_uuid
+2.5.2.6.  template_uuid
 
-   uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of
-   the template used to create the object.  The uuid MUST be preserved
-   to preserve the object's association with the correct template used
-   for creation.  UUID version 4 is RECOMMENDED when assigning it to a
-   new object.
+   template_uuid represents the Universally Unique IDentifier (UUID)
+   [RFC4122] of the template used to create the object.  The uuid MUST
+   be preserved to preserve the object's association with the correct
+   template used for creation.  UUID version 4 is RECOMMENDED when
+   assigning it to a new object.
 
 
 
 
 
-
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 25]
+Dulaunoy & Iklody        Expires 18 August 2022                [Page 24]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format               February 2022
 
 
-2.6.2.7.  template_version
+   template_uuid is represented as a JSON string. template_uuid MUST be
+   present.
+
+2.5.2.7.  template_version
 
    template_version represents a numeric incrementing version of the
    template used to create the object.  It is used to associate the
@@ -1410,9 +1357,10 @@ Internet-Draft              MISP core format                October 2020
    template_uuid forms an association to the correct template type and
    version.
 
-   version is represented as a JSON string. version MUST be present.
+   template_version is represented as a JSON string. template_version
+   MUST be present.
 
-2.6.2.8.  event_id
+2.5.2.8.  event_id
 
    event_id represents the human-readable identifier of the event that
    the object belongs to on a specific MISP instance.  A human-readable
@@ -1420,7 +1368,7 @@ Internet-Draft              MISP core format                October 2020
 
    event_id is represented as a JSON string. event_id SHALL be present.
 
-2.6.2.9.  timestamp
+2.5.2.9.  timestamp
 
    timestamp represents a reference time when the object was created or
    last modified. timestamp is expressed in seconds (decimal) since 1st
@@ -1428,7 +1376,7 @@ Internet-Draft              MISP core format                October 2020
 
    timestamp is represented as a JSON string. timestamp MUST be present.
 
-2.6.2.10.  distribution
+2.5.2.10.  distribution
 
    distribution represents the basic distribution rules of the object.
    The system must adhere to the distribution setting for access control
@@ -1437,30 +1385,24 @@ Internet-Draft              MISP core format                October 2020
    distribution is represented by a JSON string. distribution MUST be
    present and be one of the following options:
 
-   0
-      Your Organisation Only
-
-   1
-      This Community Only
-
-   2
-      Connected Communities
-
-   3
-      All Communities
-
-   4
+   0  Your Organisation Only
+   1  This Community Only
+   2  Connected Communities
+   3  All Communities
+   4  Sharing Group
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 26]
+
+
+
+
+Dulaunoy & Iklody        Expires 18 August 2022                [Page 25]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format               February 2022
 
 
-      Sharing Group
-
-2.6.2.11.  sharing_group_id
+2.5.2.11.  sharing_group_id
 
    sharing_group_id represents a human-readable identifier referencing a
    Sharing Group object that defines the distribution of the object, if
@@ -1471,21 +1413,21 @@ Internet-Draft              MISP core format                October 2020
    present.  If a distribution level other than "4" is chosen the
    sharing_group_id MUST be set to "0".
 
-2.6.2.12.  comment
+2.5.2.12.  comment
 
    comment is a contextual comment field.
 
    comment is represented by a JSON string. comment MAY be present.
 
-2.6.2.13.  deleted
+2.5.2.13.  deleted
 
-   deleted represents a setting that allows attributes to be revoked.
-   Revoked attributes are not actionable and exist merely to inform
-   other instances of a revocation.
+   deleted represents a setting that allows objects to be revoked.
+   Revoked objects are not actionable and exist merely to inform other
+   instances of a revocation.
 
    deleted is represented by a JSON boolean. deleted MUST be present.
 
-2.6.2.14.  Attribute
+2.5.2.14.  Attribute
 
    Attribute is an array of attributes that describe the object with
    data.
@@ -1493,7 +1435,7 @@ Internet-Draft              MISP core format                October 2020
    Each attribute in an object MUST contain the parent event's ID in the
    event_id field and the parent object's ID in the object_id field.
 
-2.6.2.15.  first_seen
+2.5.2.15.  first_seen
 
    first_seen represents a reference time when the object was first
    seen. first_seen as an ISO 8601 datetime up to the micro-second with
@@ -1502,27 +1444,23 @@ Internet-Draft              MISP core format                October 2020
    first_seen is represented as a JSON string. first_seen MAY be
    present.
 
-
-
-
-
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 27]
-
-Internet-Draft              MISP core format                October 2020
-
-
-2.6.2.16.  last_seen
+2.5.2.16.  last_seen
 
    last_seen represents a reference time when the object was last seen.
    last_seen as an ISO 8601 datetime up to the micro-second with time
    zone support.
 
+
+
+
+Dulaunoy & Iklody        Expires 18 August 2022                [Page 26]
+
+Internet-Draft              MISP core format               February 2022
+
+
    last_seen is represented as a JSON string. last_seen MAY be present.
 
-2.7.  Object References
+2.6.  Object References
 
    Object References serve as a logical link between an Object and
    another referenced Object or Attribute.  The relationship is
@@ -1535,7 +1473,7 @@ Internet-Draft              MISP core format                October 2020
    All Object References MUST contain an object_uuid, a referenced_uuid
    and a relationship type.
 
-2.7.1.  Sample ObjectReference object
+2.6.1.  Sample ObjectReference object
 
 "ObjectReference": {
                     "id": "195",
@@ -1552,32 +1490,31 @@ Internet-Draft              MISP core format                October 2020
                     "referenced_uuid": "59c1133c-9adc-4d06-a34b-0f7ca07724d1",
                    }
 
-2.7.2.  ObjectReference Attributes
+2.6.2.  ObjectReference Attributes
 
-2.7.2.1.  uuid
+2.6.2.1.  uuid
 
    uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of
    the object reference.  The uuid MUST be preserved for any updates or
    transfer of the same object reference.  UUID version 4 is RECOMMENDED
    when assigning it to a new object reference.
 
-
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 28]
-
-Internet-Draft              MISP core format                October 2020
-
-
-2.7.2.2.  id
+2.6.2.2.  id
 
    id represents the human-readable identifier associated to the object
    reference for a specific MISP instance.
 
    id is represented as a JSON string. id SHALL be present.
 
-2.7.2.3.  timestamp
+
+
+
+Dulaunoy & Iklody        Expires 18 August 2022                [Page 27]
+
+Internet-Draft              MISP core format               February 2022
+
+
+2.6.2.3.  timestamp
 
    timestamp represents a reference time when the object was created or
    last modified. timestamp is expressed in seconds (decimal) since 1st
@@ -1585,15 +1522,16 @@ Internet-Draft              MISP core format                October 2020
 
    timestamp is represented as a JSON string. timestamp MUST be present.
 
-2.7.2.4.  object_id
+2.6.2.4.  object_id
 
    object_id represents the human-readable identifier of the object that
    the object reference belongs to on a specific MISP instance.  A
    human-readable identifier MUST be represented as an unsigned integer.
 
-   event_id is represented as a JSON string. event_id SHALL be present.
+   object_id is represented as a JSON string. object_id SHALL be
+   present.
 
-2.7.2.5.  event_id
+2.6.2.5.  event_id
 
    event_id represents the human-readable identifier of the event that
    the object reference belongs to on a specific MISP instance.  A
@@ -1601,7 +1539,7 @@ Internet-Draft              MISP core format                October 2020
 
    event_id is represented as a JSON string. event_id SHALL be present.
 
-2.7.2.6.  referenced_id
+2.6.2.6.  referenced_id
 
    referenced_id represents the human-readable identifier of the object
    or attribute that the parent object of the object reference points to
@@ -1610,7 +1548,7 @@ Internet-Draft              MISP core format                October 2020
    referenced_id is represented as a JSON string. referenced_id MAY be
    present.
 
-2.7.2.7.  referenced_type
+2.6.2.7.  referenced_type
 
    referenced_type represents the numeric value describing what the
    object reference points to, "0" representing an attribute and "1"
@@ -1619,29 +1557,29 @@ Internet-Draft              MISP core format                October 2020
    referenced_type is represented as a JSON string. referenced_type MAY
    be present.
 
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 29]
-
-Internet-Draft              MISP core format                October 2020
-
-
-2.7.2.8.  relationship_type
+2.6.2.8.  relationship_type
 
    relationship_type represents the human-readable context of the
    relationship between an object and another object or attribute as
    described by the object_reference.
 
-   referenced_type is represented as a JSON string. relationship_type
+
+
+Dulaunoy & Iklody        Expires 18 August 2022                [Page 28]
+
+Internet-Draft              MISP core format               February 2022
+
+
+   relationship_type is represented as a JSON string. relationship_type
    MUST be present.
 
-2.7.2.9.  comment
+2.6.2.9.  comment
 
    comment is a contextual comment field.
 
    comment is represented by a JSON string. comment MAY be present.
 
-2.7.2.10.  deleted
+2.6.2.10.  deleted
 
    deleted represents a setting that allows object references to be
    revoked.  Revoked object references are not actionable and exist
@@ -1649,40 +1587,28 @@ Internet-Draft              MISP core format                October 2020
 
    deleted is represented by a JSON boolean. deleted MUST be present.
 
-2.7.2.11.  object_uuid
+2.6.2.11.  object_uuid
 
    object_uuid represents the Universally Unique IDentifier (UUID)
    [RFC4122] of the object that the given object reference belongs to.
    The object_uuid MUST be preserved to preserve the object reference's
    association with the object.
 
-2.7.2.12.  referenced_uuid
+2.6.2.12.  referenced_uuid
 
    referenced_uuid represents the Universally Unique IDentifier (UUID)
    [RFC4122] of the object or attribute that is being referenced by the
    object reference.  The referenced_uuid MUST be preserved to preserve
    the object reference's association with the object or attribute.
 
-2.8.  EventReport
+2.7.  EventReport
 
    EventReport are used to complement an event with one or more report
    in Markdown format.  The EventReport contains unstructured
    information which can be linked to Attributes, Objects, Tags or
    Galaxy with an extension to the Markdown marking language.
 
-
-
-
-
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 30]
-
-Internet-Draft              MISP core format                October 2020
-
-
-2.8.1.  id
+2.7.1.  id
 
    id represents the human-readable identifier associated to the
    EventReport for a specific MISP instance.  A human-readable
@@ -1690,7 +1616,17 @@ Internet-Draft              MISP core format                October 2020
 
    id is represented as a JSON string. id SHALL be present.
 
-2.8.2.  UUID
+
+
+
+
+
+Dulaunoy & Iklody        Expires 18 August 2022                [Page 29]
+
+Internet-Draft              MISP core format               February 2022
+
+
+2.7.2.  UUID
 
    uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of
    the EventReport.  The uuid MUST be preserved for any updates or
@@ -1699,7 +1635,7 @@ Internet-Draft              MISP core format                October 2020
 
    uuid is represented as a JSON string. uuid MUST be present.
 
-2.8.3.  event_id
+2.7.3.  event_id
 
    event_id represents the human-readable identifier associating the
    EventReport to an event on a specific MISP instance.  A human-
@@ -1707,7 +1643,7 @@ Internet-Draft              MISP core format                October 2020
 
    event_id is represented as a JSON string. event_id MUST be present.
 
-2.8.4.  name
+2.7.4.  name
 
    name represents the information field of the EventReport. name is a
    free-text value to provide a human-readable summary of the report.
@@ -1716,7 +1652,7 @@ Internet-Draft              MISP core format                October 2020
 
    name is represented as a JSON string. name MUST be present.
 
-2.8.5.  content
+2.7.5.  content
 
    content includes the raw EventReport in Markdown format with or
    without the specific MISP Markdown markup extension.
@@ -1727,18 +1663,7 @@ Internet-Draft              MISP core format                October 2020
 
    content is represented as a JSON string. content MUST be present.
 
-
-
-
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 31]
-
-Internet-Draft              MISP core format                October 2020
-
-
-2.8.6.  distribution
+2.7.6.  distribution
 
    distribution represents the basic distribution rules of the
    EventReport.  The system must adhere to the distribution setting for
@@ -1747,25 +1672,22 @@ Internet-Draft              MISP core format                October 2020
    distribution is represented by a JSON string. distribution MUST be
    present and be one of the following options:
 
-   0
-      Your Organisation Only
+   0  Your Organisation Only
+   1  This Community Only
 
-   1
-      This Community Only
 
-   2
-      Connected Communities
 
-   3
-      All Communities
+Dulaunoy & Iklody        Expires 18 August 2022                [Page 30]
+
+Internet-Draft              MISP core format               February 2022
 
-   4
-      Sharing Group
 
-   5
-      Inherit Event
+   2  Connected Communities
+   3  All Communities
+   4  Sharing Group
+   5  Inherit Event
 
-2.8.7.  sharing_group_id
+2.7.7.  sharing_group_id
 
    sharing_group_id represents the local id to the MISP local instance
    of the Sharing Group associated for the distribution.
@@ -1773,7 +1695,7 @@ Internet-Draft              MISP core format                October 2020
    sharing_group_id is represented by a JSON string. sharing_group_id
    MUST be present and set to "0" if not used.
 
-2.8.8.  timestamp
+2.7.8.  timestamp
 
    timestamp represents a reference time when the EventReport was
    created or last modified. timestamp is expressed in seconds (decimal)
@@ -1782,19 +1704,7 @@ Internet-Draft              MISP core format                October 2020
 
    timestamp is represented as a JSON string. timestamp MUST be present.
 
-
-
-
-
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 32]
-
-Internet-Draft              MISP core format                October 2020
-
-
-2.8.9.  deleted
+2.7.9.  deleted
 
    deleted represents a setting that allows EventReport to be revoked.
    Revoked EventReport are not actionable and exist merely to inform
@@ -1802,7 +1712,7 @@ Internet-Draft              MISP core format                October 2020
 
    deleted is represented by a JSON boolean. deleted MUST be present.
 
-2.9.  Tag
+2.8.  Tag
 
    A tag is a simple method to classify an event with a simple string.
    The tag name can be freely chosen.  The tag name can be also chosen
@@ -1821,15 +1731,22 @@ Internet-Draft              MISP core format                October 2020
 
    name MUST be present. colour, id and exportable SHALL be present.
 
-2.9.1.  Sample Tag
 
-                       "Tag": [{
-                               "exportable": true,
-                               "colour": "#ffffff",
-                               "name": "tlp:white",
-                               "id": "2" }]
 
-2.10.  Sighting
+Dulaunoy & Iklody        Expires 18 August 2022                [Page 31]
+
+Internet-Draft              MISP core format               February 2022
+
+
+2.8.1.  Sample Tag
+
+   "Tag": [{
+           "exportable": true,
+           "colour": "#ffffff",
+           "name": "tlp:white",
+           "id": "2" }]
+
+2.9.  Sighting
 
    A sighting is an ascertainment which describes whether an attribute
    has been seen under a given set of conditions.  The sighting can
@@ -1841,25 +1758,19 @@ Internet-Draft              MISP core format                October 2020
    type MUST be present. type describes the type of a sighting.  MISP
    allows 3 default types:
 
+       +===============+==========================================+
+       | Sighting type |               Description                |
+       +===============+==========================================+
+       | 0             | denotes an attribute which has been seen |
+       +---------------+------------------------------------------+
+       | 1             | denotes an attribute which has been seen |
+       |               |     and confirmed as false-positive      |
+       +---------------+------------------------------------------+
+       | 2             |    denotes an attribute which will be    |
+       |               |   expired at the time of the sighting    |
+       +---------------+------------------------------------------+
 
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 33]
-
-Internet-Draft              MISP core format                October 2020
-
-
-   +------------+------------------------------------------------------+
-   |  Sighting  |                     Description                      |
-   |    type    |                                                      |
-   +------------+------------------------------------------------------+
-   |     0      |       denotes an attribute which has been seen       |
-   |     1      |     denotes an attribute which has been seen and     |
-   |            |             confirmed as false-positive              |
-   |     2      |  denotes an attribute which will be expired at the   |
-   |            |                 time of the sighting                 |
-   +------------+------------------------------------------------------+
+                                 Table 1
 
    uuid MUST be present. uuid references the uuid of the sighted
    attribute.
@@ -1874,12 +1785,22 @@ Internet-Draft              MISP core format                October 2020
    can be a given piece of software (e.g.  SIEM), device or a specific
    analytical process.
 
-   id, event_id and attribute_id MAY be present.
+
+
+
+
+Dulaunoy & Iklody        Expires 18 August 2022                [Page 32]
+
+Internet-Draft              MISP core format               February 2022
+
+
+   id, event_id and attribute_id are represented as a JSON string and
+   MAY be present.
 
    id represents the human-readable identifier of the sighting reference
-   which belongs to a specific MISP instance.  event_id represents the
+   which belongs to a specific MISP instance. event_id represents the
    human-readable identifier of the event referenced by the sighting and
-   belongs to a specific MISP instance.  attribute_id represents the
+   belongs to a specific MISP instance. attribute_id represents the
    human-readable identifier of the attribute referenced by the sighting
    and belongs to a specific MISP instance.
 
@@ -1890,10 +1811,10 @@ Internet-Draft              MISP core format                October 2020
    org_id represents the human-readable identifier of the organisation
    which did the sighting and belongs to a specific MISP instance.
 
-   A human-readable identifier MUST be represented as an unsigned
+   A human-readable identifier MUST be considered as an unsigned
    integer.
 
-2.10.1.  Sample Sighting
+2.9.1.  Sample Sighting
 
 
 
@@ -1901,9 +1822,32 @@ Internet-Draft              MISP core format                October 2020
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 34]
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Dulaunoy & Iklody        Expires 18 August 2022                [Page 33]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format               February 2022
 
 
 "Sighting": [
@@ -1939,13 +1883,13 @@ Internet-Draft              MISP core format                October 2020
                         }
                 ]
 
-2.11.  Galaxy
+2.10.  Galaxy
 
    A galaxy is a simple method to express a large object called cluster
    that can be attached to MISP events.  A cluster can be composed of
    one or more elements.  Elements are expressed as key-values.
 
-2.11.1.  Sample Galaxy
+2.10.1.  Sample Galaxy
 
 
 
@@ -1957,9 +1901,9 @@ Internet-Draft              MISP core format                October 2020
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 35]
+Dulaunoy & Iklody        Expires 18 August 2022                [Page 34]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format               February 2022
 
 
 "Galaxy": [ {
@@ -2013,9 +1957,9 @@ Internet-Draft              MISP core format                October 2020
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 36]
+Dulaunoy & Iklody        Expires 18 August 2022                [Page 35]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format               February 2022
 
 
 3.  JSON Schema
@@ -2069,9 +2013,9 @@ Internet-Draft              MISP core format                October 2020
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 37]
+Dulaunoy & Iklody        Expires 18 August 2022                [Page 36]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format               February 2022
 
 
        "type": "object",
@@ -2125,9 +2069,9 @@ Internet-Draft              MISP core format                October 2020
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 38]
+Dulaunoy & Iklody        Expires 18 August 2022                [Page 37]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format               February 2022
 
 
            "items": {
@@ -2181,9 +2125,9 @@ Internet-Draft              MISP core format                October 2020
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 39]
+Dulaunoy & Iklody        Expires 18 August 2022                [Page 38]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format               February 2022
 
 
            "type": "string"
@@ -2237,9 +2181,9 @@ Internet-Draft              MISP core format                October 2020
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 40]
+Dulaunoy & Iklody        Expires 18 August 2022                [Page 39]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format               February 2022
 
 
            "type": "string"
@@ -2293,9 +2237,9 @@ Internet-Draft              MISP core format                October 2020
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 41]
+Dulaunoy & Iklody        Expires 18 August 2022                [Page 40]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format               February 2022
 
 
        "properties": {
@@ -2349,9 +2293,9 @@ Internet-Draft              MISP core format                October 2020
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 42]
+Dulaunoy & Iklody        Expires 18 August 2022                [Page 41]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format               February 2022
 
 
        "properties": {
@@ -2405,9 +2349,9 @@ Internet-Draft              MISP core format                October 2020
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 43]
+Dulaunoy & Iklody        Expires 18 August 2022                [Page 42]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format               February 2022
 
 
        "properties": {
@@ -2461,9 +2405,9 @@ Internet-Draft              MISP core format                October 2020
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 44]
+Dulaunoy & Iklody        Expires 18 August 2022                [Page 43]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format               February 2022
 
 
          },
@@ -2517,9 +2461,9 @@ Internet-Draft              MISP core format                October 2020
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 45]
+Dulaunoy & Iklody        Expires 18 August 2022                [Page 44]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format               February 2022
 
 
          },
@@ -2573,9 +2517,9 @@ Internet-Draft              MISP core format                October 2020
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 46]
+Dulaunoy & Iklody        Expires 18 August 2022                [Page 45]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format               February 2022
 
 
            "type": "string"
@@ -2629,9 +2573,9 @@ Internet-Draft              MISP core format                October 2020
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 47]
+Dulaunoy & Iklody        Expires 18 August 2022                [Page 46]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format               February 2022
 
 
            "uniqueItems": true,
@@ -2685,9 +2629,9 @@ Internet-Draft              MISP core format                October 2020
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 48]
+Dulaunoy & Iklody        Expires 18 August 2022                [Page 47]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format               February 2022
 
 
            "type": "boolean"
@@ -2741,9 +2685,9 @@ Internet-Draft              MISP core format                October 2020
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 49]
+Dulaunoy & Iklody        Expires 18 August 2022                [Page 48]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format               February 2022
 
 
        "type": "object",
@@ -2797,9 +2741,9 @@ Internet-Draft              MISP core format                October 2020
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 50]
+Dulaunoy & Iklody        Expires 18 August 2022                [Page 49]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format               February 2022
 
 
      "Event": {
@@ -2831,37 +2775,33 @@ Internet-Draft              MISP core format                October 2020
    Each uuid is composed of a JSON object with the following fields
    which came from the original event referenced by the same uuid:
 
-   o  info (MUST)
-
-   o  Orgc object (MUST)
-
-   o  analysis (SHALL)
-
-   o  timestamp (MUST)
-
-   o  date (MUST)
-
-   o  threat_level_id (SHALL)
+   *  info (MUST)
+   *  Orgc object (MUST)
+   *  analysis (SHALL)
+   *  timestamp (MUST)
+   *  date (MUST)
+   *  threat_level_id (SHALL)
 
    In addition to the fields originating from the event, the following
    fields can be added:
 
-   o  integrity:sha256 represents the SHA256 value in hexadecimal
+   *  integrity:sha256 represents the SHA256 value in hexadecimal
       representation of the associated MISP event file to ensure
       integrity of the file.  (SHOULD)
-
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 51]
-
-Internet-Draft              MISP core format                October 2020
-
-
-   o  integrity:pgp represents a detached PGP signature [RFC4880] of the
+   *  integrity:pgp represents a detached PGP signature [RFC4880] of the
       associated MISP event file to ensure integrity of the file.
       (SHOULD)
 
+
+
+
+
+
+Dulaunoy & Iklody        Expires 18 August 2022                [Page 50]
+
+Internet-Draft              MISP core format               February 2022
+
+
    If a detached PGP signature is used for each MISP event, a detached
    PGP signature is a MUST to ensure integrity of the manifest file.  A
    detached PGP signature for a manifest file is a manifest.json.asc
@@ -2906,18 +2846,18 @@ Internet-Draft              MISP core format                October 2020
       },
       {
         "colour": "#3d7a00",
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 52]
-
-Internet-Draft              MISP core format                October 2020
-
-
         "name": "circl:incident-classification=\"malware\""
       },
       {
         "colour": "#2c4f00",
+
+
+
+Dulaunoy & Iklody        Expires 18 August 2022                [Page 51]
+
+Internet-Draft              MISP core format               February 2022
+
+
         "name": "malware_classification:malware-category=\"Ransomware\""
       }
     ],
@@ -2956,27 +2896,24 @@ Internet-Draft              MISP core format                October 2020
 
 8.  References
 
-9.  References
-
-
-
-
-
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 53]
-
-Internet-Draft              MISP core format                October 2020
-
-
-9.1.  Normative References
+9.  Normative References
 
    [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
               Requirement Levels", BCP 14, RFC 2119,
               DOI 10.17487/RFC2119, March 1997,
               <https://www.rfc-editor.org/info/rfc2119>.
 
+
+
+
+
+
+
+Dulaunoy & Iklody        Expires 18 August 2022                [Page 52]
+
+Internet-Draft              MISP core format               February 2022
+
+
    [RFC4122]  Leach, P., Mealling, M., and R. Salz, "A Universally
               Unique IDentifier (UUID) URN Namespace", RFC 4122,
               DOI 10.17487/RFC4122, July 2005,
@@ -2992,54 +2929,51 @@ Internet-Draft              MISP core format                October 2020
               DOI 10.17487/RFC8259, December 2017,
               <https://www.rfc-editor.org/info/rfc8259>.
 
-9.2.  Informative References
+10.  Informative References
 
    [JSON-SCHEMA]
-              "JSON Schema: A Media Type for Describing JSON Documents",
-              2016,
+              Wright, A., "JSON Schema: A Media Type for Describing JSON
+              Documents", 2016,
               <https://tools.ietf.org/html/draft-wright-json-schema>.
 
-   [MISP-P]   MISP, "MISP Project - Open Source Threat Intelligence
-              Platform and Open Standards For Threat Information
-              Sharing", <https://github.com/MISP>.
+   [MISP-P]   Community, M., "MISP Project - Open Source Threat
+              Intelligence Platform and Open Standards For Threat
+              Information Sharing", <https://github.com/MISP>.
 
-   [MISP-R]   MISP, "MISP Object Relationship Types - common vocabulary
-              of relationships", <https://github.com/MISP/misp-
-              objects/tree/master/relationships>.
+   [MISP-R]   Community, M., "MISP Object Relationship Types - common
+              vocabulary of relationships", <https://github.com/MISP/
+              misp-objects/tree/master/relationships>.
 
-   [MISP-T]   MISP, "MISP Taxonomies - shared and common vocabularies of
-              tags", <https://github.com/MISP/misp-taxonomies>.
+   [MISP-T]   Community, M., "MISP Taxonomies - shared and common
+              vocabularies of tags",
+              <https://github.com/MISP/misp-taxonomies>.
 
 Authors' Addresses
 
-
-
-
-
-
-
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 54]
-
-Internet-Draft              MISP core format                October 2020
-
-
    Alexandre Dulaunoy
    Computer Incident Response Center Luxembourg
    16, bd d'Avranches
-   Luxembourg  L-1160
+   L-L-1160 Luxembourg
    Luxembourg
 
    Phone: +352 247 88444
    Email: alexandre.dulaunoy@circl.lu
 
 
+
+
+
+
+
+Dulaunoy & Iklody        Expires 18 August 2022                [Page 53]
+
+Internet-Draft              MISP core format               February 2022
+
+
    Andras Iklody
    Computer Incident Response Center Luxembourg
    16, bd d'Avranches
-   Luxembourg  L-1160
+   L-L-1160 Luxembourg
    Luxembourg
 
    Phone: +352 247 88444
@@ -3077,4 +3011,14 @@ Internet-Draft              MISP core format                October 2020
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 55]
+
+
+
+
+
+
+
+
+
+
+Dulaunoy & Iklody        Expires 18 August 2022                [Page 54]
diff --git a/misp-core-format/raw.md.xml b/misp-core-format/raw.md.xml
index faf276f..9009948 100755
--- a/misp-core-format/raw.md.xml
+++ b/misp-core-format/raw.md.xml
@@ -1,2184 +1,1865 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE rfc SYSTEM 'rfc2629.dtd' []>
-<rfc ipr="trust200902" category="info" docName="draft-dulaunoy-misp-core-format">
-<?rfc toc="yes"?>
-<?rfc symrefs="yes"?>
-<?rfc sortrefs="yes"?>
-<?rfc compact="yes"?>
-<?rfc subcompact="no"?>
-<?rfc private=""?>
-<?rfc topblock="yes"?>
-<?rfc comments="no"?>
+<?xml version="1.0" encoding="utf-8"?>
+<!-- name="GENERATOR" content="github.com/mmarkdown/mmark Mmark Markdown Processor - mmark.miek.nl" -->
+<rfc version="3" ipr="trust200902" docName="draft-00" submissionType="independent" category="info" xml:lang="en" xmlns:xi="http://www.w3.org/2001/XInclude" indexInclude="true">
+
 <front>
-<title abbrev="MISP core format">MISP core format</title>
-
-<author initials="A." surname="Dulaunoy" fullname="Alexandre Dulaunoy">
-<organization abbrev="CIRCL">Computer Incident Response Center Luxembourg</organization>
-<address>
-<postal>
-<street>16, bd d'Avranches</street>
+<title abbrev="MISP core format">MISP core format</title><seriesInfo value="draft-00" stream="independent" status="informational" name="Internet-Draft"></seriesInfo>
+<author initials="A." surname="Dulaunoy" fullname="Alexandre Dulaunoy"><organization abbrev="CIRCL">Computer Incident Response Center Luxembourg</organization><address><postal><street>16, bd d'Avranches</street>
 <city>Luxembourg</city>
 <code>L-1160</code>
 <country>Luxembourg</country>
-<region></region>
-</postal>
-<phone>+352 247 88444</phone>
+</postal><phone>+352 247 88444</phone>
 <email>alexandre.dulaunoy@circl.lu</email>
-<uri></uri>
-</address>
-</author>
-<author initials="A." surname="Iklody" fullname="Andras Iklody">
-<organization abbrev="CIRCL">Computer Incident Response Center Luxembourg</organization>
-<address>
-<postal>
-<street>16, bd d'Avranches</street>
+</address></author><author initials="A." surname="Iklody" fullname="Andras Iklody"><organization abbrev="CIRCL">Computer Incident Response Center Luxembourg</organization><address><postal><street>16, bd d'Avranches</street>
 <city>Luxembourg</city>
 <code>L-1160</code>
 <country>Luxembourg</country>
-<region></region>
-</postal>
-<phone>+352 247 88444</phone>
+</postal><phone>+352 247 88444</phone>
 <email>andras.iklody@circl.lu</email>
-<uri></uri>
-</address>
-</author>
-<date year="2020" month="October" day="21"/>
-
+</address></author><date/>
 <area>Security</area>
 <workgroup></workgroup>
 
-
 <abstract>
 <t>This document describes the MISP core format used to exchange indicators and threat information between
 MISP (Open Source Threat Intelligence Sharing Platform formerly known as Malware Information Sharing Platform) instances.
 The JSON format includes the overall structure along with the semantic associated for each
 respective key. The format is described to support other implementations which reuse the
-format and ensuring an interoperability with existing MISP <xref target="MISP-P"/> software and other Threat Intelligence Platforms.
-</t>
+format and ensuring an interoperability with existing MISP <xref target="MISP-P"></xref> software and other Threat Intelligence Platforms.</t>
 </abstract>
 
-
 </front>
 
 <middle>
 
-<section anchor="introduction" title="Introduction">
+<section anchor="introduction"><name>Introduction</name>
 <t>Sharing threat information became a fundamental requirements in the Internet, security and intelligence community at large. Threat
 information can include indicators of compromise, malicious file indicators, financial fraud indicators
-or even detailed information about a threat actor. MISP <xref target="MISP-P"/> started as an open source project in late 2011 and
+or even detailed information about a threat actor. MISP <xref target="MISP-P"></xref> started as an open source project in late 2011 and
 the MISP format started to be widely used as an exchange format within the community in the past years. The aim of this document
-is to describe the specification and the MISP core format.
-</t>
+is to describe the specification and the MISP core format.</t>
 
-<section anchor="conventions-and-terminology" title="Conventions and Terminology">
-<t>The key words &quot;MUST&quot;, &quot;MUST NOT&quot;, &quot;REQUIRED&quot;, &quot;SHALL&quot;, &quot;SHALL NOT&quot;,
-&quot;SHOULD&quot;, &quot;SHOULD NOT&quot;, &quot;RECOMMENDED&quot;, &quot;MAY&quot;, and &quot;OPTIONAL&quot; in this
-document are to be interpreted as described in RFC 2119 <xref target="RFC2119"/>.
-</t>
+<section anchor="conventions-and-terminology"><name>Conventions and Terminology</name>
+<t>The key words &quot;<bcp14>MUST</bcp14>&quot;, &quot;<bcp14>MUST NOT</bcp14>&quot;, &quot;<bcp14>REQUIRED</bcp14>&quot;, &quot;<bcp14>SHALL</bcp14>&quot;, &quot;<bcp14>SHALL NOT</bcp14>&quot;,
+&quot;<bcp14>SHOULD</bcp14>&quot;, &quot;<bcp14>SHOULD NOT</bcp14>&quot;, &quot;<bcp14>RECOMMENDED</bcp14>&quot;, &quot;<bcp14>MAY</bcp14>&quot;, and &quot;<bcp14>OPTIONAL</bcp14>&quot; in this
+document are to be interpreted as described in RFC 2119 <xref target="RFC2119"></xref>.</t>
 </section>
 </section>
 
-<section anchor="format" title="Format">
+<section anchor="format"><name>Format</name>
 
-<section anchor="overview" title="Overview">
-<t>The MISP core format is in the JSON <xref target="RFC8259"/> format. In MISP, an event is composed of a single JSON object.
-</t>
+<section anchor="overview"><name>Overview</name>
+<t>The MISP core format is in the JSON <xref target="RFC8259"></xref> format. In MISP, an event is composed of a single JSON object.</t>
 <t>A capitalized key (like Event, Org) represent a data model and a non-capitalised key is just an attribute. This nomenclature
-can support an implementation to represent the MISP format in another data structure.
-</t>
+can support an implementation to represent the MISP format in another data structure.</t>
 </section>
 
-<section anchor="event" title="Event">
+<section anchor="event"><name>Event</name>
 <t>An event is a simple meta structure scheme where attributes and meta-data are embedded to compose a coherent set
 of indicators. An event can be composed from an incident, a security analysis report or a specific threat actor
-analysis. The meaning of an event only depends of the information embedded in the event.
-</t>
+analysis. The meaning of an event only depends of the information embedded in the event.</t>
 
-<section anchor="event-attributes" title="Event Attributes">
+<section anchor="event-attributes"><name>Event Attributes</name>
 
-<section anchor="uuid" title="uuid">
-<t>uuid represents the Universally Unique IDentifier (UUID) <xref target="RFC4122"/> of the event. The uuid MUST be preserved
-for any updates or transfer of the same event. UUID version 4 is RECOMMENDED when assigning it to a new event.
-</t>
-<t>uuid is represented as a JSON string. uuid MUST be present.
-</t>
+<section anchor="uuid"><name>uuid</name>
+<t>uuid represents the Universally Unique IDentifier (UUID) <xref target="RFC4122"></xref> of the event. The uuid <bcp14>MUST</bcp14> be preserved
+for any updates or transfer of the same event. UUID version 4 is <bcp14>RECOMMENDED</bcp14> when assigning it to a new event.</t>
+<t>uuid is represented as a JSON string. uuid <bcp14>MUST</bcp14> be present.</t>
 </section>
 
-<section anchor="id" title="id">
-<t>id represents the human-readable identifier associated to the event for a specific MISP instance.  A human-readable identifier MUST be
-represented as an unsigned integer.
-</t>
-<t>id is represented as a JSON string. id SHALL be present.
-</t>
+<section anchor="id"><name>id</name>
+<t>id represents the human-readable identifier associated to the event for a specific MISP instance.  A human-readable identifier <bcp14>MUST</bcp14> be
+represented as an unsigned integer.</t>
+<t>id is represented as a JSON string. id <bcp14>SHALL</bcp14> be present.</t>
 </section>
 
-<section anchor="published" title="published">
-<t>published represents the event publication state. If the event was published, the published value MUST be true.
-In any other publication state, the published value MUST be false.
-</t>
-<t>published is represented as a JSON boolean. published MUST be present.
-</t>
+<section anchor="published"><name>published</name>
+<t>published represents the event publication state. If the event was published, the published value <bcp14>MUST</bcp14> be true.
+In any other publication state, the published value <bcp14>MUST</bcp14> be false.</t>
+<t>published is represented as a JSON boolean. published <bcp14>MUST</bcp14> be present.</t>
 </section>
 
-<section anchor="info" title="info">
+<section anchor="info"><name>info</name>
 <t>info represents the information field of the event. info is a free-text value to provide a human-readable summary
-of the event. info SHOULD NOT be bigger than 256 characters and SHOULD NOT include new-lines.
-</t>
-<t>info is represented as a JSON string. info MUST be present.
-</t>
+of the event. info <bcp14>SHOULD</bcp14> NOT be bigger than 256 characters and <bcp14>SHOULD</bcp14> NOT include new-lines.</t>
+<t>info is represented as a JSON string. info <bcp14>MUST</bcp14> be present.</t>
 </section>
 
-<section anchor="threatlevelid" title="threat_level_id">
-<t>threat_level_id represents the threat level.
-</t>
-<t>
-<list style="hanging">
-<t hangText="4:">
-<vspace />
-Undefined</t>
-<t hangText="3:">
-<vspace />
-Low</t>
-<t hangText="2:">
-<vspace />
-Medium</t>
-<t hangText="1:">
-<vspace />
-High</t>
-</list>
-</t>
-<t>If a higher granularity is required, a MISP taxonomy applied as a Tag SHOULD be preferred.
-</t>
-<t>threat_level_id is represented as a JSON string. threat_level_id SHALL be present.
-</t>
+<section anchor="threat-level-id"><name>threat_level_id</name>
+<t>threat_level_id represents the threat level.</t>
+
+<dl spacing="compact">
+<dt>4:</dt>
+<dd>Undefined</dd>
+<dt>3:</dt>
+<dd>Low</dd>
+<dt>2:</dt>
+<dd>Medium</dd>
+<dt>1:</dt>
+<dd>High</dd>
+</dl>
+<t>If a higher granularity is required, a MISP taxonomy applied as a Tag <bcp14>SHOULD</bcp14> be preferred.</t>
+<t>threat_level_id is represented as a JSON string. threat_level_id <bcp14>SHALL</bcp14> be present.</t>
 </section>
 
-<section anchor="analysis" title="analysis">
-<t>analysis represents the analysis level.
-</t>
-<t>
-<list style="hanging">
-<t hangText="0:">
-<vspace />
-Initial</t>
-<t hangText="1:">
-<vspace />
-Ongoing</t>
-<t hangText="2:">
-<vspace />
-Complete</t>
-</list>
-</t>
-<t>If a higher granularity is required, a MISP taxonomy applied as a Tag SHOULD be preferred.
-</t>
-<t>analysis is represented as a JSON string. analysis SHALL be present.
-</t>
+<section anchor="analysis"><name>analysis</name>
+<t>analysis represents the analysis level.</t>
+
+<dl spacing="compact">
+<dt>0:</dt>
+<dd>Initial</dd>
+<dt>1:</dt>
+<dd>Ongoing</dd>
+<dt>2:</dt>
+<dd>Complete</dd>
+</dl>
+<t>If a higher granularity is required, a MISP taxonomy applied as a Tag <bcp14>SHOULD</bcp14> be preferred.</t>
+<t>analysis is represented as a JSON string. analysis <bcp14>SHALL</bcp14> be present.</t>
 </section>
 
-<section anchor="date" title="date">
-<t>date represents a reference date to the event in ISO 8601 format (date only: YYYY-MM-DD). This date corresponds to the date the event occurred, which may be in the past.
-</t>
-<t>date is represented as a JSON string. date MUST be present.
-</t>
+<section anchor="date"><name>date</name>
+<t>date represents a reference date to the event in ISO 8601 format (date only: YYYY-MM-DD). This date corresponds to the date the event occurred, which may be in the past.</t>
+<t>date is represented as a JSON string. date <bcp14>MUST</bcp14> be present.</t>
 </section>
 
-<section anchor="timestamp" title="timestamp">
-<t>timestamp represents a reference time when the event, or one of the attributes within the event was created, or last updated/edited on the instance. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone MUST be UTC.
-</t>
-<t>timestamp is represented as a JSON string. timestamp MUST be present.
-</t>
+<section anchor="timestamp"><name>timestamp</name>
+<t>timestamp represents a reference time when the event, or one of the attributes within the event was created, or last updated/edited on the instance. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone <bcp14>MUST</bcp14> be UTC.</t>
+<t>timestamp is represented as a JSON string. timestamp <bcp14>MUST</bcp14> be present.</t>
 </section>
 
-<section anchor="publishtimestamp" title="publish_timestamp">
-<t>publish_timestamp represents a reference time when the event was published on the instance. published_timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). At each publication of an event, publish_timestamp MUST be updated. The time zone MUST be UTC. If the published_timestamp is present and the published flag is set to false, the publish_timestamp represents the previous publication timestamp. If the event was never published, the published_timestamp MUST be set to 0.
-</t>
-<t>publish_timestamp is represented as a JSON string. publish_timestamp MUST be present.
-</t>
+<section anchor="publish-timestamp"><name>publish_timestamp</name>
+<t>publish_timestamp represents a reference time when the event was published on the instance. published_timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). At each publication of an event, publish_timestamp <bcp14>MUST</bcp14> be updated. The time zone <bcp14>MUST</bcp14> be UTC. If the published_timestamp is present and the published flag is set to false, the publish_timestamp represents the previous publication timestamp. If the event was never published, the published_timestamp <bcp14>MUST</bcp14> be set to 0.</t>
+<t>publish_timestamp is represented as a JSON string. publish_timestamp <bcp14>MUST</bcp14> be present.</t>
 </section>
 
-<section anchor="orgid" title="org_id">
-<t>org_id represents a human-readable identifier referencing an Org object of the organisation which generated the event. A human-readable identifier MUST be
-represented as an unsigned integer.
-</t>
-<t>The org_id MUST be updated when the event is generated by a new instance.
-</t>
-<t>org_id is represented as a JSON string. org_id MUST be present.
-</t>
+<section anchor="org-id"><name>org_id</name>
+<t>org_id represents a human-readable identifier referencing an Org object of the organisation which generated the event. A human-readable identifier <bcp14>MUST</bcp14> be
+represented as an unsigned integer.</t>
+<t>The org_id <bcp14>MUST</bcp14> be updated when the event is generated by a new instance.</t>
+<t>org_id is represented as a JSON string. org_id <bcp14>MUST</bcp14> be present.</t>
 </section>
 
-<section anchor="orgcid" title="orgc_id">
-<t>orgc_id represents a human-readable identifier referencing an Orgc object of the organisation which created the event.
-</t>
-<t>The orgc_id and Org object MUST be preserved for any updates or transfer of the same event.
-</t>
-<t>orgc_id is represented as a JSON string. orgc_id MUST be present.
-</t>
+<section anchor="orgc-id"><name>orgc_id</name>
+<t>orgc_id represents a human-readable identifier referencing an Orgc object of the organisation which created the event.</t>
+<t>The orgc_id and Org object <bcp14>MUST</bcp14> be preserved for any updates or transfer of the same event.</t>
+<t>orgc_id is represented as a JSON string. orgc_id <bcp14>MUST</bcp14> be present.</t>
 </section>
 
-<section anchor="attributecount" title="attribute_count">
-<t>attribute_count represents the number of attributes in the event. attribute_count is expressed in decimal.
-</t>
-<t>attribute_count is represented as a JSON string. attribute_count SHALL be present.
-</t>
+<section anchor="attribute-count"><name>attribute_count</name>
+<t>attribute_count represents the number of attributes in the event. attribute_count is expressed in decimal.</t>
+<t>attribute_count is represented as a JSON string. attribute_count <bcp14>SHALL</bcp14> be present.</t>
 </section>
 
-<section anchor="distribution" title="distribution">
-<t>distribution represents the basic distribution rules of the event. The system must adhere to the distribution setting for access control and for dissemination of the event.
-</t>
-<t>distribution is represented by a JSON string. distribution MUST be present and be one of the following options:
-</t>
-<t>
-<list style="hanging">
-<t hangText="0">
-<vspace />
-Your Organisation Only</t>
-<t hangText="1">
-<vspace />
-This Community Only</t>
-<t hangText="2">
-<vspace />
-Connected Communities</t>
-<t hangText="3">
-<vspace />
-All Communities</t>
-<t hangText="4">
-<vspace />
-Sharing Group</t>
-</list>
-</t>
+<section anchor="distribution"><name>distribution</name>
+<t>distribution represents the basic distribution rules of the event. The system must adhere to the distribution setting for access control and for dissemination of the event.</t>
+<t>distribution is represented by a JSON string. distribution <bcp14>MUST</bcp14> be present and be one of the following options:</t>
+
+<dl spacing="compact">
+<dt>0</dt>
+<dd>Your Organisation Only</dd>
+<dt>1</dt>
+<dd>This Community Only</dd>
+<dt>2</dt>
+<dd>Connected Communities</dd>
+<dt>3</dt>
+<dd>All Communities</dd>
+<dt>4</dt>
+<dd>Sharing Group</dd>
+</dl>
 </section>
 
-<section anchor="sharinggroupid" title="sharing_group_id">
-<t>sharing_group_id represents a human-readable identifier referencing a Sharing Group object that defines the distribution of the event, if distribution level &quot;4&quot; is set. A human-readable identifier MUST be represented as an unsigned integer.
-</t>
-<t>sharing_group_id is represented by a JSON string and SHOULD be present. If a distribution level other than &quot;4&quot; is chosen the sharing_group_id MUST be set to &quot;0&quot;.
-</t>
+<section anchor="sharing-group-id"><name>sharing_group_id</name>
+<t>sharing_group_id represents a human-readable identifier referencing a Sharing Group object that defines the distribution of the event, if distribution level &quot;4&quot; is set. A human-readable identifier <bcp14>MUST</bcp14> be represented as an unsigned integer.</t>
+<t>sharing_group_id is represented by a JSON string and <bcp14>SHOULD</bcp14> be present. If a distribution level other than &quot;4&quot; is chosen the sharing_group_id <bcp14>MUST</bcp14> be set to &quot;0&quot;.</t>
 </section>
 
-<section anchor="extendsuuid" title="extends_uuid">
-<t>extends_uuid represents which event is extended by this event. The extends_uuid is described as a Universally Unique IDentifier (UUID) <xref target="RFC4122"/> with the UUID of the extended event.
-</t>
-<t>extends_uuid is represented as a JSON string. extends_uuid SHOULD be present.
-</t>
-</section>
+<section anchor="extends-uuid"><name>extends_uuid</name>
+<t>extends_uuid represents which event is extended by this event. The extends_uuid is described as a Universally Unique IDentifier (UUID) <xref target="RFC4122"></xref> with the UUID of the extended event.</t>
+<t>extends_uuid is represented as a JSON string. extends_uuid <bcp14>SHOULD</bcp14> be present.</t>
 </section>
 </section>
 
-<section anchor="objects" title="Objects">
+<section anchor="event-objects"><name>Event Objects</name>
 
-<section anchor="org" title="Org">
-<t>An Org object is composed of an uuid, name and id.
-</t>
-<t>The uuid represents the Universally Unique IDentifier (UUID) <xref target="RFC4122"/> of the organisation.
-The organisation UUID is globally assigned to an organisation and SHALL be kept overtime.
-</t>
-<t>The name is a readable description of the organisation and SHOULD be present.
+<section anchor="org"><name>Org</name>
+<t>An Org object is composed of an uuid, name and id.</t>
+<t>The uuid represents the Universally Unique IDentifier (UUID) <xref target="RFC4122"></xref> of the organisation.
+The organisation UUID is globally assigned to an organisation and <bcp14>SHALL</bcp14> be kept overtime.</t>
+<t>The name is a readable description of the organisation and <bcp14>SHOULD</bcp14> be present.
 The id is a human-readable identifier generated by the instance and used as reference in the event.
-A human-readable identifier MUST be represented as an unsigned integer.
-</t>
-<t>uuid, name and id are represented as a JSON string. uuid, name and id MUST be present.
-</t>
+A human-readable identifier <bcp14>MUST</bcp14> be represented as an unsigned integer.</t>
+<t>uuid, name and id are represented as a JSON string. uuid, name and id <bcp14>MUST</bcp14> be present.</t>
 
-<section anchor="sample-org-object" title="Sample Org Object">
+<section anchor="sample-org-object"><name>Sample Org Object</name>
 
-<figure align="center"><artwork align="center">
-"Org": {
-        "id": "2",
-        "name": "CIRCL",
-        "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
+<artwork>&quot;Org&quot;: {
+        &quot;id&quot;: &quot;2&quot;,
+        &quot;name&quot;: &quot;CIRCL&quot;,
+        &quot;uuid&quot;: &quot;55f6ea5e-2c60-40e5-964f-47a8950d210f&quot;
        }
-</artwork></figure>
+</artwork>
 </section>
 </section>
 
-<section anchor="orgc" title="Orgc">
-<t>An Orgc object is composed of an uuid, name and id.
-</t>
-<t>The uuid MUST be preserved for any updates or transfer of the same event. UUID version 4 is RECOMMENDED when assigning it to a new event.
-The organisation UUID is globally assigned to an organisation and SHALL be kept overtime.
-</t>
-<t>The name is a readable description of the organisation and SHOULD be present.
+<section anchor="orgc"><name>Orgc</name>
+<t>An Orgc object is composed of an uuid, name and id.</t>
+<t>The uuid <bcp14>MUST</bcp14> be preserved for any updates or transfer of the same event. UUID version 4 is <bcp14>RECOMMENDED</bcp14> when assigning it to a new event.
+The organisation UUID is globally assigned to an organisation and <bcp14>SHALL</bcp14> be kept overtime.</t>
+<t>The name is a readable description of the organisation and <bcp14>SHOULD</bcp14> be present.
 The id is a human-readable identifier generated by the instance and used as reference in the event.
-A human-readable identifier MUST be represented as an unsigned integer.
-</t>
-<t>uuid, name and id are represented as a JSON string. uuid, name and id MUST be present.
-</t>
+A human-readable identifier <bcp14>MUST</bcp14> be represented as an unsigned integer.</t>
+<t>uuid, name and id are represented as a JSON string. uuid, name and id <bcp14>MUST</bcp14> be present.</t>
+</section>
 </section>
 </section>
 
-<section anchor="attribute" title="Attribute">
+<section anchor="attribute"><name>Attribute</name>
 <t>Attributes are used to describe the indicators and contextual data of an event. The main information contained in an attribute is made up of a category-type-value triplet,
-where the category and type give meaning and context to the value. Through the various category-type combinations a wide range of information can be conveyed.
-</t>
-<t>A MISP document MUST at least includes category-type-value triplet described in section &quot;Attribute Attributes&quot;.
-</t>
+where the category and type give meaning and context to the value. Through the various category-type combinations a wide range of information can be conveyed.</t>
+<t>A MISP document <bcp14>MUST</bcp14> at least includes category-type-value triplet described in section &quot;Attribute Attributes&quot;.</t>
 
-<section anchor="sample-attribute-object" title="Sample Attribute Object">
+<section anchor="sample-attribute-object"><name>Sample Attribute Object</name>
 
-<figure align="center"><artwork align="center">
-"Attribute": {
-              "id": "346056",
-              "type": "comment",
-              "category": "Other",
-              "to_ids": false,
-              "uuid": "57f4f6d9-cd20-458b-84fd-109ec0a83869",
-              "event_id": "3357",
-              "distribution": "5",
-              "timestamp": "1475679332",
-              "comment": "",
-              "sharing_group_id": "0",
-              "deleted": false,
-              "value": "Hello world",
-              "SharingGroup": [],
-              "ShadowAttribute": [],
-              "RelatedAttribute": [],
-              "first_seen": "2019-06-02T22:14:28.711954+00:00",
-              "last_seen": null
+<artwork>&quot;Attribute&quot;: {
+              &quot;id&quot;: &quot;346056&quot;,
+              &quot;type&quot;: &quot;comment&quot;,
+              &quot;category&quot;: &quot;Other&quot;,
+              &quot;to_ids&quot;: false,
+              &quot;uuid&quot;: &quot;57f4f6d9-cd20-458b-84fd-109ec0a83869&quot;,
+              &quot;event_id&quot;: &quot;3357&quot;,
+              &quot;distribution&quot;: &quot;5&quot;,
+              &quot;timestamp&quot;: &quot;1475679332&quot;,
+              &quot;comment&quot;: &quot;&quot;,
+              &quot;sharing_group_id&quot;: &quot;0&quot;,
+              &quot;deleted&quot;: false,
+              &quot;value&quot;: &quot;Hello world&quot;,
+              &quot;SharingGroup&quot;: [],
+              &quot;ShadowAttribute&quot;: [],
+              &quot;RelatedAttribute&quot;: [],
+              &quot;first_seen&quot;: &quot;2019-06-02T22:14:28.711954+00:00&quot;,
+              &quot;last_seen&quot;: null
              }
-</artwork></figure>
+</artwork>
 </section>
 
-<section anchor="attribute-attributes" title="Attribute Attributes">
+<section anchor="attribute-attributes"><name>Attribute Attributes</name>
 
-<section anchor="uuid-1" title="uuid">
-<t>uuid represents the Universally Unique IDentifier (UUID) <xref target="RFC4122"/> of the event. The uuid MUST be preserved
-for any updates or transfer of the same event. UUID version 4 is RECOMMENDED when assigning it to a new event.
-</t>
-<t>uuid is represented as a JSON string. uuid MUST be present.
-</t>
+<section anchor="uuid-1"><name>uuid</name>
+<t>uuid represents the Universally Unique IDentifier (UUID) <xref target="RFC4122"></xref> of the event. The uuid <bcp14>MUST</bcp14> be preserved
+for any updates or transfer of the same event. UUID version 4 is <bcp14>RECOMMENDED</bcp14> when assigning it to a new event.</t>
+<t>uuid is represented as a JSON string. uuid <bcp14>MUST</bcp14> be present.</t>
 </section>
 
-<section anchor="id-1" title="id">
-<t>id represents the human-readable identifier associated to the event for a specific MISP instance. A human-readable identifier MUST be
-represented as an unsigned integer.
-</t>
-<t>id is represented as a JSON string. id SHALL be present.
-</t>
+<section anchor="id-1"><name>id</name>
+<t>id represents the human-readable identifier associated to the event for a specific MISP instance. A human-readable identifier <bcp14>MUST</bcp14> be
+represented as an unsigned integer.</t>
+<t>id is represented as a JSON string. id <bcp14>SHALL</bcp14> be present.</t>
 </section>
 
-<section anchor="type" title="type">
-<t>type represents the means through which an attribute tries to describe the intent of the attribute creator, using a list of pre-defined attribute types.
-</t>
-<t>type is represented as a JSON string. type MUST be present and it MUST be a valid selection for the chosen category. The list of valid category-type combinations is as follows:
-</t>
-<t>
-<list style="hanging">
-<t hangText="Antivirus detection">
-<vspace />
-link, comment, text, hex, attachment, other, anonymised</t>
-<t hangText="Artifacts dropped">
-<vspace />
-md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, filename-pattern, pdb, stix2-pattern, yara, sigma, attachment, malware-sample, named pipe, mutex, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene, kusto-query, mime-type, anonymised, pgp-public-key, pgp-private-key</t>
-<t hangText="Attribution">
-<vspace />
-threat-actor, campaign-name, campaign-id, whois-registrant-phone, whois-registrant-email, whois-registrant-name, whois-registrant-org, whois-registrar, whois-creation-date, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, dns-soa-email, anonymised, email</t>
-<t hangText="External analysis">
-<vspace />
-md5, sha1, sha256, sha3-224, sha3-256, sha3-384, sha3-512, filename, filename|md5, filename|sha1, filename|sha256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, ip-src, ip-dst, ip-dst|port, ip-src|port, mac-address, mac-eui-64, hostname, domain, domain|ip, url, user-agent, regkey, regkey|value, AS, snort, bro, zeek, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, vulnerability, cpe, weakness, attachment, malware-sample, link, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, github-repository, other, cortex, anonymised, community-id</t>
-<t hangText="Financial fraud">
-<vspace />
-btc, dash, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, phone-number, comment, text, other, hex, anonymised</t>
-<t hangText="Internal reference">
-<vspace />
-text, link, comment, other, hex, anonymised, git-commit-id</t>
-<t hangText="Network activity">
-<vspace />
-ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email, email-dst, email-src, eppn, url, uri, user-agent, http-method, AS, snort, pattern-in-file, filename-pattern, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised, community-id, email-subject</t>
-<t hangText="Other">
-<vspace />
-comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean, anonymised, pgp-public-key, pgp-private-key</t>
-<t hangText="Payload delivery">
-<vspace />
-md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, filename-pattern, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised</t>
-<t hangText="Payload installation">
-<vspace />
-md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma, vulnerability, cpe, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, chrome-extension-id, other, mime-type, anonymised</t>
-<t hangText="Payload type">
-<vspace />
-comment, text, other, anonymised</t>
-<t hangText="Persistence mechanism">
-<vspace />
-filename, regkey, regkey|value, comment, text, other, hex, anonymised</t>
-<t hangText="Person">
-<vspace />
-first-name, middle-name, last-name, date-of-birth, place-of-birth, gender, passport-number, passport-country, passport-expiration, redress-number, nationality, visa-number, issue-date-of-the-visa, primary-residence, country-of-residence, special-service-request, frequent-flyer-number, travel-details, payment-details, place-port-of-original-embarkation, place-port-of-clearance, place-port-of-onward-foreign-destination, passenger-name-record-locator-number, comment, text, other, phone-number, identity-card-number, anonymised, email, pgp-public-key, pgp-private-key</t>
-<t hangText="Social network">
-<vspace />
-github-username, github-repository, github-organisation, jabber-id, twitter-id, email, email-src, email-dst, eppn, comment, text, other, whois-registrant-email, anonymised, pgp-public-key, pgp-private-key</t>
-<t hangText="Support Tool">
-<vspace />
-link, text, attachment, comment, other, hex, anonymised</t>
-<t hangText="Targeting data">
-<vspace />
-target-user, target-email, target-machine, target-org, target-location, target-external, comment, anonymised</t>
-</list>
-</t>
-<t>Attributes are based on the usage within their different communities. Attributes can be extended on a regular basis and this reference document is updated accordingly.
-</t>
+<section anchor="type"><name>type</name>
+<t>type represents the means through which an attribute tries to describe the intent of the attribute creator, using a list of pre-defined attribute types.</t>
+<t>type is represented as a JSON string. type <bcp14>MUST</bcp14> be present and it <bcp14>MUST</bcp14> be a valid selection for the chosen category. The list of valid category-type combinations is as follows:</t>
+
+<dl spacing="compact">
+<dt>Antivirus detection</dt>
+<dd>link, comment, text, hex, attachment, other, anonymised</dd>
+<dt>Artifacts dropped</dt>
+<dd>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, filename-pattern, pdb, stix2-pattern, yara, sigma, attachment, malware-sample, named pipe, mutex, process-state, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene, kusto-query, mime-type, anonymised, pgp-public-key, pgp-private-key</dd>
+<dt>Attribution</dt>
+<dd>threat-actor, campaign-name, campaign-id, whois-registrant-phone, whois-registrant-email, whois-registrant-name, whois-registrant-org, whois-registrar, whois-creation-date, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, dns-soa-email, anonymised, email</dd>
+<dt>External analysis</dt>
+<dd>md5, sha1, sha256, sha3-224, sha3-256, sha3-384, sha3-512, filename, filename|md5, filename|sha1, filename|sha256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, ip-src, ip-dst, ip-dst|port, ip-src|port, mac-address, mac-eui-64, hostname, domain, domain|ip, url, user-agent, regkey, regkey|value, AS, snort, bro, zeek, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, vulnerability, cpe, weakness, attachment, malware-sample, link, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, github-repository, other, cortex, anonymised, community-id</dd>
+<dt>Financial fraud</dt>
+<dd>btc, dash, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, phone-number, comment, text, other, hex, anonymised</dd>
+<dt>Internal reference</dt>
+<dd>text, link, comment, other, hex, anonymised, git-commit-id</dd>
+<dt>Network activity</dt>
+<dd>ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email, email-dst, email-src, eppn, url, uri, user-agent, http-method, AS, snort, pattern-in-file, filename-pattern, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised, community-id, email-subject, favicon-mmh3, dkim, dkim-signature</dd>
+<dt>Other</dt>
+<dd>comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean, anonymised, pgp-public-key, pgp-private-key</dd>
+<dt>Payload delivery</dt>
+<dd>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, filename-pattern, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised</dd>
+<dt>Payload installation</dt>
+<dd>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma, vulnerability, cpe, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, chrome-extension-id, other, mime-type, anonymised</dd>
+<dt>Payload type</dt>
+<dd>comment, text, other, anonymised</dd>
+<dt>Persistence mechanism</dt>
+<dd>filename, regkey, regkey|value, comment, text, other, hex, anonymised</dd>
+<dt>Person</dt>
+<dd>first-name, middle-name, last-name, full-name, date-of-birth, place-of-birth, gender, passport-number, passport-country, passport-expiration, redress-number, nationality, visa-number, issue-date-of-the-visa, primary-residence, country-of-residence, special-service-request, frequent-flyer-number, travel-details, payment-details, place-port-of-original-embarkation, place-port-of-clearance, place-port-of-onward-foreign-destination, passenger-name-record-locator-number, comment, text, other, phone-number, identity-card-number, anonymised, email, pgp-public-key, pgp-private-key</dd>
+<dt>Social network</dt>
+<dd>github-username, github-repository, github-organisation, jabber-id, twitter-id, email, email-src, email-dst, eppn, comment, text, other, whois-registrant-email, anonymised, pgp-public-key, pgp-private-key</dd>
+<dt>Support Tool</dt>
+<dd>link, text, attachment, comment, other, hex, anonymised</dd>
+<dt>Targeting data</dt>
+<dd>target-user, target-email, target-machine, target-org, target-location, target-external, comment, anonymised</dd>
+</dl>
+<t>Attributes are based on the usage within their different communities. Attributes can be extended on a regular basis and this reference document is updated accordingly.</t>
 </section>
 
-<section anchor="category" title="category">
-<t>category represents the intent of what the attribute is describing as selected by the attribute creator, using a list of pre-defined attribute categories.
-</t>
-<t>category is represented as a JSON string. category MUST be present and it MUST be a valid selection for the chosen type. The list of valid category-type combinations is mentioned above.
-</t>
+<section anchor="category"><name>category</name>
+<t>category represents the intent of what the attribute is describing as selected by the attribute creator, using a list of pre-defined attribute categories.</t>
+<t>category is represented as a JSON string. category <bcp14>MUST</bcp14> be present and it <bcp14>MUST</bcp14> be a valid selection for the chosen type. The list of valid category-type combinations is mentioned above.</t>
 </section>
 
-<section anchor="toids" title="to_ids">
-<t>to_ids represents whether the attribute is meant to be actionable. Actionable defined attributes that can be used in automated processes as a pattern for detection in Local or Network Intrusion Detection System, log analysis tools or even filtering mechanisms.
-</t>
-<t>to_ids is represented as a JSON boolean. to_ids MUST be present.
-</t>
+<section anchor="to-ids"><name>to_ids</name>
+<t>to_ids represents whether the attribute is meant to be actionable. Actionable defined attributes that can be used in automated processes as a pattern for detection in Local or Network Intrusion Detection System, log analysis tools or even filtering mechanisms.</t>
+<t>to_ids is represented as a JSON boolean. to_ids <bcp14>MUST</bcp14> be present.</t>
 </section>
 
-<section anchor="eventid" title="event_id">
-<t>event_id represents a human-readable identifier referencing the Event object that the attribute belongs to. A human-readable identifier MUST be
-represented as an unsigned integer.
-</t>
-<t>The event_id SHOULD be updated when the event is imported to reflect the newly created event's id on the instance.
-</t>
-<t>event_id is represented as a JSON string. event_id MUST be present.
-</t>
+<section anchor="event-id"><name>event_id</name>
+<t>event_id represents a human-readable identifier referencing the Event object that the attribute belongs to. A human-readable identifier <bcp14>MUST</bcp14> be
+represented as an unsigned integer.</t>
+<t>The event_id <bcp14>SHOULD</bcp14> be updated when the event is imported to reflect the newly created event's id on the instance.</t>
+<t>event_id is represented as a JSON string. event_id <bcp14>MUST</bcp14> be present.</t>
 </section>
 
-<section anchor="distribution-1" title="distribution">
-<t>distribution represents the basic distribution rules of the attribute. The system must adhere to the distribution setting for access control and for dissemination of the attribute.
-</t>
-<t>distribution is represented by a JSON string. distribution MUST be present and be one of the following options:
-</t>
-<t>
-<list style="hanging">
-<t hangText="0">
-<vspace />
-Your Organisation Only</t>
-<t hangText="1">
-<vspace />
-This Community Only</t>
-<t hangText="2">
-<vspace />
-Connected Communities</t>
-<t hangText="3">
-<vspace />
-All Communities</t>
-<t hangText="4">
-<vspace />
-Sharing Group</t>
-<t hangText="5">
-<vspace />
-Inherit Event</t>
-</list>
-</t>
+<section anchor="distribution-1"><name>distribution</name>
+<t>distribution represents the basic distribution rules of the attribute. The system must adhere to the distribution setting for access control and for dissemination of the attribute.</t>
+<t>distribution is represented by a JSON string. distribution <bcp14>MUST</bcp14> be present and be one of the following options:</t>
+
+<dl spacing="compact">
+<dt>0</dt>
+<dd>Your Organisation Only</dd>
+<dt>1</dt>
+<dd>This Community Only</dd>
+<dt>2</dt>
+<dd>Connected Communities</dd>
+<dt>3</dt>
+<dd>All Communities</dd>
+<dt>4</dt>
+<dd>Sharing Group</dd>
+<dt>5</dt>
+<dd>Inherit Event</dd>
+</dl>
 </section>
 
-<section anchor="timestamp-1" title="timestamp">
-<t>timestamp represents a reference time when the attribute was created or last modified. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone MUST be UTC.
-</t>
-<t>timestamp is represented as a JSON string. timestamp MUST be present.
-</t>
+<section anchor="timestamp-1"><name>timestamp</name>
+<t>timestamp represents a reference time when the attribute was created or last modified. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone <bcp14>MUST</bcp14> be UTC.</t>
+<t>timestamp is represented as a JSON string. timestamp <bcp14>MUST</bcp14> be present.</t>
 </section>
 
-<section anchor="comment" title="comment">
-<t>comment is a contextual comment field.
-</t>
-<t>comment is represented by a JSON string. comment MAY be present.
-</t>
+<section anchor="comment"><name>comment</name>
+<t>comment is a contextual comment field.</t>
+<t>comment is represented by a JSON string. comment <bcp14>MAY</bcp14> be present.</t>
 </section>
 
-<section anchor="sharinggroupid-1" title="sharing_group_id">
-<t>sharing_group_id represents a human-readable identifier referencing a Sharing Group object that defines the distribution of the attribute, if distribution level &quot;4&quot; is set. A human-readable identifier MUST be represented as an unsigned integer.
-</t>
-<t>sharing_group_id is represented by a JSON string and SHOULD be present. If a distribution level other than &quot;4&quot; is chosen the sharing_group_id MUST be set to &quot;0&quot;.
-</t>
+<section anchor="sharing-group-id-1"><name>sharing_group_id</name>
+<t>sharing_group_id represents a human-readable identifier referencing a Sharing Group object that defines the distribution of the attribute, if distribution level &quot;4&quot; is set. A human-readable identifier <bcp14>MUST</bcp14> be represented as an unsigned integer.</t>
+<t>sharing_group_id is represented by a JSON string and <bcp14>SHOULD</bcp14> be present. If a distribution level other than &quot;4&quot; is chosen the sharing_group_id <bcp14>MUST</bcp14> be set to &quot;0&quot;.</t>
 </section>
 
-<section anchor="deleted" title="deleted">
-<t>deleted represents a setting that allows attributes to be revoked. Revoked attributes are not actionable and exist merely to inform other instances of a revocation.
-</t>
-<t>deleted is represented by a JSON boolean. deleted MUST be present.
-</t>
+<section anchor="deleted"><name>deleted</name>
+<t>deleted represents a setting that allows attributes to be revoked. Revoked attributes are not actionable and exist merely to inform other instances of a revocation.</t>
+<t>deleted is represented by a JSON boolean. deleted <bcp14>MUST</bcp14> be present.</t>
 </section>
 
-<section anchor="data" title="data">
+<section anchor="data"><name>data</name>
 <t>data contains the base64 encoded contents of an attachment or a malware sample. For malware samples,
-the sample MUST be encrypted using a password protected zip archive, with the password being &quot;infected&quot;.
-</t>
-<t>data is represented by a JSON string in base64 encoding. data MUST be set for attributes of type malware-sample and attachment.
-</t>
+the sample <bcp14>MUST</bcp14> be encrypted using a password protected zip archive, with the password being &quot;infected&quot;.</t>
+<t>data is represented by a JSON string in base64 encoding. data <bcp14>MUST</bcp14> be set for attributes of type malware-sample and attachment.</t>
 </section>
 
-<section anchor="relatedattribute" title="RelatedAttribute">
-<t>RelatedAttribute is an array of attributes correlating with the current attribute. Each element in the array represents an JSON object which contains an Attribute dictionnary with the external attributes who correlate. Each Attribute MUST include the id, org_id, info and a value. Only the correlations found on the local instance are shown in RelatedAttribute.
-</t>
-<t>RelatedAttribute MAY be present.
-</t>
+<section anchor="relatedattribute"><name>RelatedAttribute</name>
+<t>RelatedAttribute is an array of attributes correlating with the current attribute. Each element in the array represents an JSON object which contains an Attribute dictionnary with the external attributes who correlate. Each Attribute <bcp14>MUST</bcp14> include the id, org_id, info and a value. Only the correlations found on the local instance are shown in RelatedAttribute.</t>
+<t>RelatedAttribute <bcp14>MAY</bcp14> be present.</t>
 </section>
 
-<section anchor="shadowattribute" title="ShadowAttribute">
+<section anchor="shadowattribute"><name>ShadowAttribute</name>
 <t>ShadowAttribute is an array of shadow attributes that serve as proposals by third parties to alter the containing attribute. The structure of a ShadowAttribute is similar to that of an Attribute,
-which can be accepted or discarded by the event creator. If accepted, the original attribute containing the shadow attribute is removed and the shadow attribute is converted into an attribute.
-</t>
-<t>Each shadow attribute that references an attribute MUST contain the containing attribute's ID in the old_id field and the event's ID in the event_id field.
-</t>
+which can be accepted or discarded by the event creator. If accepted, the original attribute containing the shadow attribute is removed and the shadow attribute is converted into an attribute.</t>
+<t>Each shadow attribute that references an attribute <bcp14>MUST</bcp14> contain the containing attribute's ID in the old_id field and the event's ID in the event_id field.</t>
 </section>
 
-<section anchor="value" title="value">
-<t>value represents the payload of an attribute. The format of the value is dependent on the type of the attribute.
-</t>
-<t>value is represented by a JSON string. value MUST be present.
-</t>
+<section anchor="value"><name>value</name>
+<t>value represents the payload of an attribute. The format of the value is dependent on the type of the attribute.</t>
+<t>value is represented by a JSON string. value <bcp14>MUST</bcp14> be present.</t>
 </section>
 
-<section anchor="firstseen" title="first_seen">
-<t>first_seen represents a reference time when the attribute was first seen. first_seen is expressed as an ISO 8601 datetime up to the micro-second with time zone support.
-</t>
-<t>first_seen is represented as a JSON string. first_seen MAY be present.
-</t>
+<section anchor="first-seen"><name>first_seen</name>
+<t>first_seen represents a reference time when the attribute was first seen. first_seen is expressed as an ISO 8601 datetime up to the micro-second with time zone support.</t>
+<t>first_seen is represented as a JSON string. first_seen <bcp14>MAY</bcp14> be present.</t>
 </section>
 
-<section anchor="lastseen" title="last_seen">
-<t>last_seen represents a reference time when the attribute was last seen. last_seen is expressed as an ISO 8601 datetime up to the micro-second with time zone support.
-</t>
-<t>last_seen is represented as a JSON string. last_seen MAY be present.
-</t>
+<section anchor="last-seen"><name>last_seen</name>
+<t>last_seen represents a reference time when the attribute was last seen. last_seen is expressed as an ISO 8601 datetime up to the micro-second with time zone support.</t>
+<t>last_seen is represented as a JSON string. last_seen <bcp14>MAY</bcp14> be present.</t>
 </section>
 </section>
 </section>
 
-<section anchor="shadowattribute-1" title="ShadowAttribute">
-<t>ShadowAttributes are 3rd party created attributes that either propose to add new information to an event or modify existing information. They are not meant to be actionable until the event creator accepts them - at which point they will be converted into attributes or modify an existing attribute.
-</t>
-<t>They are similar in structure to Attributes but additionally carry a reference to the creator of the ShadowAttribute as well as a revocation flag.
-</t>
+<section anchor="shadowattribute-1"><name>ShadowAttribute</name>
+<t>ShadowAttributes are 3rd party created attributes that either propose to add new information to an event or modify existing information. They are not meant to be actionable until the event creator accepts them - at which point they will be converted into attributes or modify an existing attribute.</t>
+<t>They are similar in structure to Attributes but additionally carry a reference to the creator of the ShadowAttribute as well as a revocation flag.</t>
 
-<section anchor="sample-attribute-object-1" title="Sample Attribute Object">
+<section anchor="sample-attribute-object-1"><name>Sample Attribute Object</name>
 
-<figure align="center"><artwork align="center">
-"ShadowAttribute":  {
-                       "id": "8",
-                       "type": "ip-src",
-                       "category": "Network activity",
-                       "to_ids": false,
-                       "uuid": "57d475f1-da78-4569-89de-1458c0a83869",
-                       "event_uuid": "57d475e6-41c4-41ca-b450-145ec0a83869",
-                       "event_id": "9",
-                       "old_id": "319",
-                       "comment": "",
-                       "org_id": "1",
-                       "proposal_to_delete": false,
-                       "value": "5.5.5.5",
-                       "deleted": false,
-                       "Org": {
-                           "id": "1",
-                           "name": "MISP",
-                           "uuid": "568cce5a-0c80-412b-8fdf-1ffac0a83869"
+<artwork>&quot;ShadowAttribute&quot;:  {
+                       &quot;id&quot;: &quot;8&quot;,
+                       &quot;type&quot;: &quot;ip-src&quot;,
+                       &quot;category&quot;: &quot;Network activity&quot;,
+                       &quot;to_ids&quot;: false,
+                       &quot;uuid&quot;: &quot;57d475f1-da78-4569-89de-1458c0a83869&quot;,
+                       &quot;event_uuid&quot;: &quot;57d475e6-41c4-41ca-b450-145ec0a83869&quot;,
+                       &quot;event_id&quot;: &quot;9&quot;,
+                       &quot;old_id&quot;: &quot;319&quot;,
+                       &quot;comment&quot;: &quot;&quot;,
+                       &quot;org_id&quot;: &quot;1&quot;,
+                       &quot;proposal_to_delete&quot;: false,
+                       &quot;value&quot;: &quot;5.5.5.5&quot;,
+                       &quot;deleted&quot;: false,
+                       &quot;Org&quot;: {
+                           &quot;id&quot;: &quot;1&quot;,
+                           &quot;name&quot;: &quot;MISP&quot;,
+                           &quot;uuid&quot;: &quot;568cce5a-0c80-412b-8fdf-1ffac0a83869&quot;
                        },
-                       "first_seen": "2019-06-02T22:14:28.711954+00:00",
-                       "last_seen": null
+                       &quot;first_seen&quot;: &quot;2019-06-02T22:14:28.711954+00:00&quot;,
+                       &quot;last_seen&quot;: null
                    }
-</artwork></figure>
+</artwork>
 </section>
 
-<section anchor="shadowattribute-attributes" title="ShadowAttribute Attributes">
+<section anchor="shadowattribute-attributes"><name>ShadowAttribute Attributes</name>
 
-<section anchor="uuid-2" title="uuid">
-<t>uuid represents the Universally Unique IDentifier (UUID) <xref target="RFC4122"/> of the event. The uuid MUST be preserved
-for any updates or transfer of the same event. UUID version 4 is RECOMMENDED when assigning it to a new event.
-</t>
-<t>uuid is represented as a JSON string. uuid MUST be present.
-</t>
+<section anchor="uuid-2"><name>uuid</name>
+<t>uuid represents the Universally Unique IDentifier (UUID) <xref target="RFC4122"></xref> of the event. The uuid <bcp14>MUST</bcp14> be preserved
+for any updates or transfer of the same event. UUID version 4 is <bcp14>RECOMMENDED</bcp14> when assigning it to a new event.</t>
+<t>uuid is represented as a JSON string. uuid <bcp14>MUST</bcp14> be present.</t>
 </section>
 
-<section anchor="id-2" title="id">
-<t>id represents the human-readable identifier associated to the event for a specific MISP instance. human-readable identifier MUST be represented as an unsigned integer.
-id is represented as a JSON string. id SHALL be present.
-</t>
+<section anchor="id-2"><name>id</name>
+<t>id represents the human-readable identifier associated to the event for a specific MISP instance. human-readable identifier <bcp14>MUST</bcp14> be represented as an unsigned integer.
+id is represented as a JSON string. id <bcp14>SHALL</bcp14> be present.</t>
 </section>
 
-<section anchor="type-1" title="type">
-<t>type represents the means through which an attribute tries to describe the intent of the attribute creator, using a list of pre-defined attribute types.
-</t>
-<t>type is represented as a JSON string. type MUST be present and it MUST be a valid selection for the chosen category. The list of valid category-type combinations is as follows:
-</t>
-<t>
-<list style="hanging">
-<t hangText="Antivirus detection">
-<vspace />
-link, comment, text, hex, attachment, other, anonymised</t>
-<t hangText="Artifacts dropped">
-<vspace />
-md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, filename-pattern, pdb, stix2-pattern, yara, sigma, attachment, malware-sample, named pipe, mutex, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene, kusto-query, mime-type, anonymised, pgp-public-key, pgp-private-key</t>
-<t hangText="Attribution">
-<vspace />
-threat-actor, campaign-name, campaign-id, whois-registrant-phone, whois-registrant-email, whois-registrant-name, whois-registrant-org, whois-registrar, whois-creation-date, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, dns-soa-email, anonymised, email</t>
-<t hangText="External analysis">
-<vspace />
-md5, sha1, sha256, sha3-224, sha3-256, sha3-384, sha3-512, filename, filename|md5, filename|sha1, filename|sha256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, ip-src, ip-dst, ip-dst|port, ip-src|port, mac-address, mac-eui-64, hostname, domain, domain|ip, url, user-agent, regkey, regkey|value, AS, snort, bro, zeek, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, vulnerability, cpe, weakness, attachment, malware-sample, link, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, github-repository, other, cortex, anonymised, community-id</t>
-<t hangText="Financial fraud">
-<vspace />
-btc, dash, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, phone-number, comment, text, other, hex, anonymised</t>
-<t hangText="Internal reference">
-<vspace />
-text, link, comment, other, hex, anonymised, git-commit-id</t>
-<t hangText="Network activity">
-<vspace />
-ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email, email-dst, email-src, eppn, url, uri, user-agent, http-method, AS, snort, pattern-in-file, filename-pattern, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised, community-id, email-subject</t>
-<t hangText="Other">
-<vspace />
-comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean, anonymised, pgp-public-key, pgp-private-key</t>
-<t hangText="Payload delivery">
-<vspace />
-md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, filename-pattern, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised</t>
-<t hangText="Payload installation">
-<vspace />
-md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma, vulnerability, cpe, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, chrome-extension-id, other, mime-type, anonymised</t>
-<t hangText="Payload type">
-<vspace />
-comment, text, other, anonymised</t>
-<t hangText="Persistence mechanism">
-<vspace />
-filename, regkey, regkey|value, comment, text, other, hex, anonymised</t>
-<t hangText="Person">
-<vspace />
-first-name, middle-name, last-name, date-of-birth, place-of-birth, gender, passport-number, passport-country, passport-expiration, redress-number, nationality, visa-number, issue-date-of-the-visa, primary-residence, country-of-residence, special-service-request, frequent-flyer-number, travel-details, payment-details, place-port-of-original-embarkation, place-port-of-clearance, place-port-of-onward-foreign-destination, passenger-name-record-locator-number, comment, text, other, phone-number, identity-card-number, anonymised, email, pgp-public-key, pgp-private-key</t>
-<t hangText="Social network">
-<vspace />
-github-username, github-repository, github-organisation, jabber-id, twitter-id, email, email-src, email-dst, eppn, comment, text, other, whois-registrant-email, anonymised, pgp-public-key, pgp-private-key</t>
-<t hangText="Support Tool">
-<vspace />
-link, text, attachment, comment, other, hex, anonymised</t>
-<t hangText="Targeting data">
-<vspace />
-target-user, target-email, target-machine, target-org, target-location, target-external, comment, anonymised</t>
-</list>
-</t>
-<t>Attributes are based on the usage within their different communities. Attributes can be extended on a regular basis and this reference document is updated accordingly.
-</t>
+<section anchor="type-1"><name>type</name>
+<t>type represents the means through which an attribute tries to describe the intent of the attribute creator, using a list of pre-defined attribute types.</t>
+<t>type is represented as a JSON string. type <bcp14>MUST</bcp14> be present and it <bcp14>MUST</bcp14> be a valid selection for the chosen category. The list of valid category-type combinations is as follows:</t>
+
+<dl spacing="compact">
+<dt>Antivirus detection</dt>
+<dd>link, comment, text, hex, attachment, other, anonymised</dd>
+<dt>Artifacts dropped</dt>
+<dd>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, filename-pattern, pdb, stix2-pattern, yara, sigma, attachment, malware-sample, named pipe, mutex, process-state, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene, kusto-query, mime-type, anonymised, pgp-public-key, pgp-private-key</dd>
+<dt>Attribution</dt>
+<dd>threat-actor, campaign-name, campaign-id, whois-registrant-phone, whois-registrant-email, whois-registrant-name, whois-registrant-org, whois-registrar, whois-creation-date, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, dns-soa-email, anonymised, email</dd>
+<dt>External analysis</dt>
+<dd>md5, sha1, sha256, sha3-224, sha3-256, sha3-384, sha3-512, filename, filename|md5, filename|sha1, filename|sha256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, ip-src, ip-dst, ip-dst|port, ip-src|port, mac-address, mac-eui-64, hostname, domain, domain|ip, url, user-agent, regkey, regkey|value, AS, snort, bro, zeek, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, vulnerability, cpe, weakness, attachment, malware-sample, link, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, github-repository, other, cortex, anonymised, community-id</dd>
+<dt>Financial fraud</dt>
+<dd>btc, dash, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, phone-number, comment, text, other, hex, anonymised</dd>
+<dt>Internal reference</dt>
+<dd>text, link, comment, other, hex, anonymised, git-commit-id</dd>
+<dt>Network activity</dt>
+<dd>ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email, email-dst, email-src, eppn, url, uri, user-agent, http-method, AS, snort, pattern-in-file, filename-pattern, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised, community-id, email-subject, favicon-mmh3, dkim, dkim-signature</dd>
+<dt>Other</dt>
+<dd>comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean, anonymised, pgp-public-key, pgp-private-key</dd>
+<dt>Payload delivery</dt>
+<dd>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, filename-pattern, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised</dd>
+<dt>Payload installation</dt>
+<dd>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma, vulnerability, cpe, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, chrome-extension-id, other, mime-type, anonymised</dd>
+<dt>Payload type</dt>
+<dd>comment, text, other, anonymised</dd>
+<dt>Persistence mechanism</dt>
+<dd>filename, regkey, regkey|value, comment, text, other, hex, anonymised</dd>
+<dt>Person</dt>
+<dd>first-name, middle-name, last-name, full-name, date-of-birth, place-of-birth, gender, passport-number, passport-country, passport-expiration, redress-number, nationality, visa-number, issue-date-of-the-visa, primary-residence, country-of-residence, special-service-request, frequent-flyer-number, travel-details, payment-details, place-port-of-original-embarkation, place-port-of-clearance, place-port-of-onward-foreign-destination, passenger-name-record-locator-number, comment, text, other, phone-number, identity-card-number, anonymised, email, pgp-public-key, pgp-private-key</dd>
+<dt>Social network</dt>
+<dd>github-username, github-repository, github-organisation, jabber-id, twitter-id, email, email-src, email-dst, eppn, comment, text, other, whois-registrant-email, anonymised, pgp-public-key, pgp-private-key</dd>
+<dt>Support Tool</dt>
+<dd>link, text, attachment, comment, other, hex, anonymised</dd>
+<dt>Targeting data</dt>
+<dd>target-user, target-email, target-machine, target-org, target-location, target-external, comment, anonymised</dd>
+</dl>
+<t>Attributes are based on the usage within their different communities. Attributes can be extended on a regular basis and this reference document is updated accordingly.</t>
 </section>
 
-<section anchor="category-1" title="category">
-<t>category represents the intent of what the attribute is describing as selected by the attribute creator, using a list of pre-defined attribute categories.
-</t>
-<t>category is represented as a JSON string. category MUST be present and it MUST be a valid selection for the chosen type. The list of valid category-type combinations is mentioned above.
-</t>
+<section anchor="category-1"><name>category</name>
+<t>category represents the intent of what the attribute is describing as selected by the attribute creator, using a list of pre-defined attribute categories.</t>
+<t>category is represented as a JSON string. category <bcp14>MUST</bcp14> be present and it <bcp14>MUST</bcp14> be a valid selection for the chosen type. The list of valid category-type combinations is mentioned above.</t>
 </section>
 
-<section anchor="toids-1" title="to_ids">
-<t>to_ids represents whether the Attribute to be created if the ShadowAttribute is accepted is meant to be actionable. Actionable defined attributes that can be used in automated processes as a pattern for detection in Local or Network Intrusion Detection System, log analysis tools or even filtering mechanisms.
-</t>
-<t>to_ids is represented as a JSON boolean. to_ids MUST be present.
-</t>
+<section anchor="to-ids-1"><name>to_ids</name>
+<t>to_ids represents whether the Attribute to be created if the ShadowAttribute is accepted is meant to be actionable. Actionable defined attributes that can be used in automated processes as a pattern for detection in Local or Network Intrusion Detection System, log analysis tools or even filtering mechanisms.</t>
+<t>to_ids is represented as a JSON boolean. to_ids <bcp14>MUST</bcp14> be present.</t>
 </section>
 
-<section anchor="eventid-1" title="event_id">
-<t>event_id represents a human-readable identifier referencing the Event object that the ShadowAttribute belongs to.
-</t>
-<t>The event_id SHOULD be updated when the event is imported to reflect the newly created event's id on the instance.
-</t>
-<t>event_id is represented as a JSON string. event_id MUST be present.
-</t>
+<section anchor="event-id-1"><name>event_id</name>
+<t>event_id represents a human-readable identifier referencing the Event object that the ShadowAttribute belongs to.</t>
+<t>The event_id <bcp14>SHOULD</bcp14> be updated when the event is imported to reflect the newly created event's id on the instance.</t>
+<t>event_id is represented as a JSON string. event_id <bcp14>MUST</bcp14> be present.</t>
 </section>
 
-<section anchor="oldid" title="old_id">
-<t>old_id represents a human-readable identifier referencing the Attribute object that the ShadowAttribute belongs to. A ShadowAttribute can this way target an existing Attribute, implying that it is a proposal to modify an existing Attribute, or alternatively it can be a proposal to create a new Attribute for the containing Event.
-</t>
-<t>The old_id SHOULD be updated when the event is imported to reflect the newly created Attribute's id on the instance. Alternatively, if the ShadowAttribute proposes the creation of a new Attribute, it should be set to 0.
-</t>
-<t>old_id is represented as a JSON string. old_id MUST be present.
-</t>
+<section anchor="old-id"><name>old_id</name>
+<t>old_id represents a human-readable identifier referencing the Attribute object that the ShadowAttribute belongs to. A ShadowAttribute can this way target an existing Attribute, implying that it is a proposal to modify an existing Attribute, or alternatively it can be a proposal to create a new Attribute for the containing Event.</t>
+<t>The old_id <bcp14>SHOULD</bcp14> be updated when the event is imported to reflect the newly created Attribute's id on the instance. Alternatively, if the ShadowAttribute proposes the creation of a new Attribute, it should be set to 0.</t>
+<t>old_id is represented as a JSON string. old_id <bcp14>MUST</bcp14> be present.</t>
 </section>
 
-<section anchor="timestamp-2" title="timestamp">
-<t>timestamp represents a reference time when the attribute was created or last modified. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone MUST be UTC.
-</t>
-<t>timestamp is represented as a JSON string. timestamp MUST be present.
-</t>
+<section anchor="timestamp-2"><name>timestamp</name>
+<t>timestamp represents a reference time when the attribute was created or last modified. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone <bcp14>MUST</bcp14> be UTC.</t>
+<t>timestamp is represented as a JSON string. timestamp <bcp14>MUST</bcp14> be present.</t>
 </section>
 
-<section anchor="comment-1" title="comment">
-<t>comment is a contextual comment field.
-</t>
-<t>comment is represented by a JSON string. comment MAY be present.
-</t>
+<section anchor="comment-1"><name>comment</name>
+<t>comment is a contextual comment field.</t>
+<t>comment is represented by a JSON string. comment <bcp14>MAY</bcp14> be present.</t>
 </section>
 
-<section anchor="orgid-1" title="org_id">
-<t>org_id represents a human-readable identifier referencing the proposal creator's Organisation object. A human-readable identifier MUST be represented as an unsigned integer.
-</t>
-<t>Whilst attributes can only be created by the event creator organisation, shadow attributes can be created by third parties. org_id tracks the creator organisation.
-</t>
-<t>org_id is represented by a JSON string and MUST be present.
-</t>
+<section anchor="org-id-1"><name>org_id</name>
+<t>org_id represents a human-readable identifier referencing the proposal creator's Organisation object. A human-readable identifier <bcp14>MUST</bcp14> be represented as an unsigned integer.</t>
+<t>Whilst attributes can only be created by the event creator organisation, shadow attributes can be created by third parties. org_id tracks the creator organisation.</t>
+<t>org_id is represented by a JSON string and <bcp14>MUST</bcp14> be present.</t>
 </section>
 
-<section anchor="proposaltodelete" title="proposal_to_delete">
-<t>proposal_to_delete is a boolean flag that sets whether the shadow attribute proposes to alter an attribute, or whether it proposes to remove it completely.
-</t>
-<t>Accepting a shadow attribute with this flag set will remove the target attribute.
-</t>
-<t>proposal_to_delete is a JSON boolean and it MUST be present. If proposal_to_delete is set to true, old_id MUST NOT be 0.
-</t>
+<section anchor="proposal-to-delete"><name>proposal_to_delete</name>
+<t>proposal_to_delete is a boolean flag that sets whether the shadow attribute proposes to alter an attribute, or whether it proposes to remove it completely.</t>
+<t>Accepting a shadow attribute with this flag set will remove the target attribute.</t>
+<t>proposal_to_delete is a JSON boolean and it <bcp14>MUST</bcp14> be present. If proposal_to_delete is set to true, old_id <bcp14>MUST NOT</bcp14> be 0.</t>
 </section>
 
-<section anchor="deleted-1" title="deleted">
-<t>deleted represents a setting that allows shadow attributes to be revoked. Revoked shadow attributes only serve to inform other instances that the shadow attribute is no longer active.
-</t>
-<t>deleted is represented by a JSON boolean. deleted SHOULD be present.
-</t>
+<section anchor="deleted-1"><name>deleted</name>
+<t>deleted represents a setting that allows shadow attributes to be revoked. Revoked shadow attributes only serve to inform other instances that the shadow attribute is no longer active.</t>
+<t>deleted is represented by a JSON boolean. deleted <bcp14>SHOULD</bcp14> be present.</t>
 </section>
 
-<section anchor="data-1" title="data">
+<section anchor="data-1"><name>data</name>
 <t>data contains the base64 encoded contents of an attachment or a malware sample. For malware samples,
-the sample MUST be encrypted using a password protected zip archive, with the password being &quot;infected&quot;.
-</t>
-<t>data is represented by a JSON string in base64 encoding. data MUST be set for shadow attributes of type malware-sample and attachment.
-</t>
+the sample <bcp14>MUST</bcp14> be encrypted using a password protected zip archive, with the password being &quot;infected&quot;.</t>
+<t>data is represented by a JSON string in base64 encoding. data <bcp14>MUST</bcp14> be set for shadow attributes of type malware-sample and attachment.</t>
 </section>
 
-<section anchor="firstseen-1" title="first_seen">
-<t>first_seen represents a reference time when the attribute was first seen. first_seen as an ISO 8601 datetime up to the micro-second with time zone support.
-</t>
-<t>first_seen is represented as a JSON string. first_seen MAY be present.
-</t>
+<section anchor="first-seen-1"><name>first_seen</name>
+<t>first_seen represents a reference time when the attribute was first seen. first_seen as an ISO 8601 datetime up to the micro-second with time zone support.</t>
+<t>first_seen is represented as a JSON string. first_seen <bcp14>MAY</bcp14> be present.</t>
 </section>
 
-<section anchor="lastseen-1" title="last_seen">
-<t>last_seen represents a reference time when the attribute was last seen. last_seen as an ISO 8601 datetime up to the micro-second with time zone support.
-</t>
-<t>last_seen is represented as a JSON string. last_seen MAY be present.
-</t>
+<section anchor="last-seen-1"><name>last_seen</name>
+<t>last_seen represents a reference time when the attribute was last seen. last_seen as an ISO 8601 datetime up to the micro-second with time zone support.</t>
+<t>last_seen is represented as a JSON string. last_seen <bcp14>MAY</bcp14> be present.</t>
+</section>
+
+<section anchor="value-1"><name>value</name>
+<t>value represents the payload of an attribute. The format of the value is dependent on the type of the attribute.</t>
+<t>value is represented by a JSON string. value <bcp14>MUST</bcp14> be present.</t>
 </section>
 </section>
 
-<section anchor="org-1" title="Org">
-<t>An Org object is composed of an uuid, name and id.
-</t>
-<t>The uuid represents the Universally Unique IDentifier (UUID) <xref target="RFC4122"/> of the organization.
-The organization UUID is globally assigned to an organization and SHALL be kept overtime.
-</t>
-<t>The name is a readable description of the organization and SHOULD be present.
+<section anchor="shadowattribute-objects"><name>ShadowAttribute Objects</name>
+
+<section anchor="org-1"><name>Org</name>
+<t>An Org object is composed of an uuid, name and id.</t>
+<t>The uuid represents the Universally Unique IDentifier (UUID) <xref target="RFC4122"></xref> of the organization.
+The organization UUID is globally assigned to an organization and <bcp14>SHALL</bcp14> be kept overtime.</t>
+<t>The name is a readable description of the organization and <bcp14>SHOULD</bcp14> be present.
 The id is a human-readable identifier generated by the instance and used as reference in the event.
-A human-readable identifier MUST be represented as an unsigned integer.
-</t>
-<t>uuid, name and id are represented as a JSON string. uuid, name and id MUST be present.
-</t>
+A human-readable identifier <bcp14>MUST</bcp14> be represented as an unsigned integer.</t>
+<t>uuid, name and id are represented as a JSON string. uuid, name and id <bcp14>MUST</bcp14> be present.</t>
 
-<section anchor="sample-org-object-1" title="Sample Org Object">
+<section anchor="sample-org-object-1"><name>Sample Org Object</name>
 
-<figure align="center"><artwork align="center">
-"Org": {
-        "id": "2",
-        "name": "CIRCL",
-        "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
+<artwork>&quot;Org&quot;: {
+        &quot;id&quot;: &quot;2&quot;,
+        &quot;name&quot;: &quot;CIRCL&quot;,
+        &quot;uuid&quot;: &quot;55f6ea5e-2c60-40e5-964f-47a8950d210f&quot;
        }
-</artwork></figure>
+</artwork>
 </section>
-
-<section anchor="value-1" title="value">
-<t>value represents the payload of an attribute. The format of the value is dependent on the type of the attribute.
-</t>
-<t>value is represented by a JSON string. value MUST be present.
-</t>
 </section>
 </section>
 </section>
 
-<section anchor="object" title="Object">
+<section anchor="object"><name>Object</name>
 <t>Objects serve as a contextual bond between a list of attributes within an event. Their main purpose is to describe more complex structures than can be described by a single attribute
-Each object is created using an Object Template and carries the meta-data of the template used for its creation within. Objects belong to a meta-category and are defined by a name.
-</t>
-<t>The schema used is described by the template_uuid and template_version fields.
-</t>
-<t>A MISP document containing an Object MUST contain a name, a meta-category, a description, a template_uuid and a template_version as described in the &quot;Object Attributes&quot; section.
-</t>
+Each object is created using an Object Template and carries the meta-data of the template used for its creation within. Objects belong to a meta-category and are defined by a name.</t>
+<t>The schema used is described by the template_uuid and template_version fields.</t>
+<t>A MISP document containing an Object <bcp14>MUST</bcp14> contain a name, a meta-category, a description, a template_uuid and a template_version as described in the &quot;Object Attributes&quot; section.</t>
 
-<section anchor="sample-object" title="Sample Object">
+<section anchor="sample-object"><name>Sample Object</name>
 
-<figure anchor="fig-sample-object" align="center"><artwork align="center">
-"Object": {
-   "id": "588",
-   "name": "file",
-   "meta-category": "file",
-   "description": "File object describing a file with meta-information",
-   "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
-   "template_version": "3",
-   "event_id": "56",
-   "uuid": "398b0094-0384-4c48-9bf0-22b3dff9c4d3",
-   "timestamp": "1505747965",
-   "distribution": "5",
-   "sharing_group_id": "0",
-   "comment": "",
-   "deleted": false,
-   "ObjectReference": [],
-   "Attribute": [
+<artwork anchor="fig-sample-object">&quot;Object&quot;: {
+   &quot;id&quot;: &quot;588&quot;,
+   &quot;name&quot;: &quot;file&quot;,
+   &quot;meta-category&quot;: &quot;file&quot;,
+   &quot;description&quot;: &quot;File object describing a file with meta-information&quot;,
+   &quot;template_uuid&quot;: &quot;688c46fb-5edb-40a3-8273-1af7923e2215&quot;,
+   &quot;template_version&quot;: &quot;3&quot;,
+   &quot;event_id&quot;: &quot;56&quot;,
+   &quot;uuid&quot;: &quot;398b0094-0384-4c48-9bf0-22b3dff9c4d3&quot;,
+   &quot;timestamp&quot;: &quot;1505747965&quot;,
+   &quot;distribution&quot;: &quot;5&quot;,
+   &quot;sharing_group_id&quot;: &quot;0&quot;,
+   &quot;comment&quot;: &quot;&quot;,
+   &quot;deleted&quot;: false,
+   &quot;ObjectReference&quot;: [],
+   &quot;Attribute&quot;: [
      {
-                 "id": "7822",
-                 "type": "filename",
-                 "category": "Payload delivery",
-                 "to_ids": true,
-                 "uuid": "59bfe3fb-bde0-4dfe-b5b1-2b10a07724d1",
-                 "event_id": "56",
-                 "distribution": "0",
-                 "timestamp": "1505747963",
-                 "comment": "",
-                 "sharing_group_id": "0",
-                 "deleted": false,
-                 "disable_correlation": false,
-                 "object_id": "588",
-                 "object_relation": "filename",
-                 "value": "StarCraft.exe",
-                 "ShadowAttribute": [],
-                 "first_seen": null,
-                 "last_seen": null
+                 &quot;id&quot;: &quot;7822&quot;,
+                 &quot;type&quot;: &quot;filename&quot;,
+                 &quot;category&quot;: &quot;Payload delivery&quot;,
+                 &quot;to_ids&quot;: true,
+                 &quot;uuid&quot;: &quot;59bfe3fb-bde0-4dfe-b5b1-2b10a07724d1&quot;,
+                 &quot;event_id&quot;: &quot;56&quot;,
+                 &quot;distribution&quot;: &quot;0&quot;,
+                 &quot;timestamp&quot;: &quot;1505747963&quot;,
+                 &quot;comment&quot;: &quot;&quot;,
+                 &quot;sharing_group_id&quot;: &quot;0&quot;,
+                 &quot;deleted&quot;: false,
+                 &quot;disable_correlation&quot;: false,
+                 &quot;object_id&quot;: &quot;588&quot;,
+                 &quot;object_relation&quot;: &quot;filename&quot;,
+                 &quot;value&quot;: &quot;StarCraft.exe&quot;,
+                 &quot;ShadowAttribute&quot;: [],
+                 &quot;first_seen&quot;: null,
+                 &quot;last_seen&quot;: null
      },
-     "first_seen": "2019-06-02T22:14:28.711954+00:00",
-     "last_seen": null
+     &quot;first_seen&quot;: &quot;2019-06-02T22:14:28.711954+00:00&quot;,
+     &quot;last_seen&quot;: null
    ]
 }
-</artwork></figure>
+</artwork>
 </section>
 
-<section anchor="object-attributes" title="Object Attributes">
+<section anchor="object-attributes"><name>Object Attributes</name>
 
-<section anchor="uuid-3" title="uuid">
-<t>uuid represents the Universally Unique IDentifier (UUID) <xref target="RFC4122"/> of the object. The uuid MUST be preserved
-for any updates or transfer of the same object. UUID version 4 is RECOMMENDED when assigning it to a new object.
-</t>
+<section anchor="uuid-3"><name>uuid</name>
+<t>uuid represents the Universally Unique IDentifier (UUID) <xref target="RFC4122"></xref> of the object. The uuid <bcp14>MUST</bcp14> be preserved
+for any updates or transfer of the same object. UUID version 4 is <bcp14>RECOMMENDED</bcp14> when assigning it to a new object.</t>
 </section>
 
-<section anchor="id-3" title="id">
-<t>id represents the human-readable identifier associated to the object for a specific MISP instance. A human-readable identifier MUST be
-represented as an unsigned integer.
-</t>
-<t>id is represented as a JSON string. id SHALL be present.
-</t>
+<section anchor="id-3"><name>id</name>
+<t>id represents the human-readable identifier associated to the object for a specific MISP instance. A human-readable identifier <bcp14>MUST</bcp14> be
+represented as an unsigned integer.</t>
+<t>id is represented as a JSON string. id <bcp14>SHALL</bcp14> be present.</t>
 </section>
 
-<section anchor="name" title="name">
-<t>name represents the human-readable name of the object describing the intent of the object package.
-</t>
-<t>name is represented as a JSON string. name MUST be present
-</t>
+<section anchor="name"><name>name</name>
+<t>name represents the human-readable name of the object describing the intent of the object package.</t>
+<t>name is represented as a JSON string. name <bcp14>MUST</bcp14> be present.</t>
 </section>
 
-<section anchor="metacategory" title="meta-category">
+<section anchor="meta-category"><name>meta-category</name>
 <t>meta-category represents the sub-category of objects that the given object belongs to. meta-categories are not
-tied to a fixed list of options but can be created on the fly.
-</t>
-<t>meta-category is represented as a JSON string. meta-category MUST be present
-</t>
+tied to a fixed list of options but can be created on the fly.</t>
+<t>meta-category is represented as a JSON string. meta-category <bcp14>MUST</bcp14> be present.</t>
 </section>
 
-<section anchor="description" title="description">
-<t>description is a human-readable description of the given object type, as derived from the template used for creation.
-</t>
-<t>description is represented as a JSON string. id SHALL be present.
-</t>
+<section anchor="description"><name>description</name>
+<t>description is a human-readable description of the given object type, as derived from the template used for creation.</t>
+<t>description is represented as a JSON string. description <bcp14>SHALL</bcp14> be present.</t>
 </section>
 
-<section anchor="templateuuid" title="template_uuid">
-<t>uuid represents the Universally Unique IDentifier (UUID) <xref target="RFC4122"/> of the template used to create the object. The uuid MUST be preserved
-to preserve the object's association with the correct template used for creation. UUID version 4 is RECOMMENDED when assigning it to a new object.
-</t>
+<section anchor="template-uuid"><name>template_uuid</name>
+<t>template_uuid represents the Universally Unique IDentifier (UUID) <xref target="RFC4122"></xref> of the template used to create the object. The uuid <bcp14>MUST</bcp14> be preserved
+to preserve the object's association with the correct template used for creation. UUID version 4 is <bcp14>RECOMMENDED</bcp14> when assigning it to a new object.</t>
+<t>template_uuid is represented as a JSON string. template_uuid <bcp14>MUST</bcp14> be present.</t>
 </section>
 
-<section anchor="templateversion" title="template_version">
+<section anchor="template-version"><name>template_version</name>
 <t>template_version represents a numeric incrementing version of the template used to create the object. It is used to associate the object to the
-correct version of the template and together with the template_uuid forms an association to the correct template type and version.
-</t>
-<t>version is represented as a JSON string. version MUST be present.
-</t>
+correct version of the template and together with the template_uuid forms an association to the correct template type and version.</t>
+<t>template_version is represented as a JSON string. template_version <bcp14>MUST</bcp14> be present.</t>
 </section>
 
-<section anchor="eventid-2" title="event_id">
-<t>event_id represents the human-readable identifier of the event that the object belongs to on a specific MISP instance. A human-readable identifier MUST be
-represented as an unsigned integer.
-</t>
-<t>event_id is represented as a JSON string. event_id SHALL be present.
-</t>
+<section anchor="event-id-2"><name>event_id</name>
+<t>event_id represents the human-readable identifier of the event that the object belongs to on a specific MISP instance. A human-readable identifier <bcp14>MUST</bcp14> be
+represented as an unsigned integer.</t>
+<t>event_id is represented as a JSON string. event_id <bcp14>SHALL</bcp14> be present.</t>
 </section>
 
-<section anchor="timestamp-3" title="timestamp">
-<t>timestamp represents a reference time when the object was created or last modified. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone MUST be UTC.
-</t>
-<t>timestamp is represented as a JSON string. timestamp MUST be present.
-</t>
+<section anchor="timestamp-3"><name>timestamp</name>
+<t>timestamp represents a reference time when the object was created or last modified. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone <bcp14>MUST</bcp14> be UTC.</t>
+<t>timestamp is represented as a JSON string. timestamp <bcp14>MUST</bcp14> be present.</t>
 </section>
 
-<section anchor="distribution-2" title="distribution">
-<t>distribution represents the basic distribution rules of the object. The system must adhere to the distribution setting for access control and for dissemination of the object.
-</t>
-<t>distribution is represented by a JSON string. distribution MUST be present and be one of the following options:
-</t>
-<t>
-<list style="hanging">
-<t hangText="0">
-<vspace />
-Your Organisation Only</t>
-<t hangText="1">
-<vspace />
-This Community Only</t>
-<t hangText="2">
-<vspace />
-Connected Communities</t>
-<t hangText="3">
-<vspace />
-All Communities</t>
-<t hangText="4">
-<vspace />
-Sharing Group</t>
-</list>
-</t>
+<section anchor="distribution-2"><name>distribution</name>
+<t>distribution represents the basic distribution rules of the object. The system must adhere to the distribution setting for access control and for dissemination of the object.</t>
+<t>distribution is represented by a JSON string. distribution <bcp14>MUST</bcp14> be present and be one of the following options:</t>
+
+<dl spacing="compact">
+<dt>0</dt>
+<dd>Your Organisation Only</dd>
+<dt>1</dt>
+<dd>This Community Only</dd>
+<dt>2</dt>
+<dd>Connected Communities</dd>
+<dt>3</dt>
+<dd>All Communities</dd>
+<dt>4</dt>
+<dd>Sharing Group</dd>
+</dl>
 </section>
 
-<section anchor="sharinggroupid-2" title="sharing_group_id">
-<t>sharing_group_id represents a human-readable identifier referencing a Sharing Group object that defines the distribution of the object, if distribution level &quot;4&quot; is set. A human-readable identifier MUST be represented as an unsigned integer.
-</t>
-<t>sharing_group_id is represented by a JSON string and SHOULD be present. If a distribution level other than &quot;4&quot; is chosen the sharing_group_id MUST be set to &quot;0&quot;.
-</t>
+<section anchor="sharing-group-id-2"><name>sharing_group_id</name>
+<t>sharing_group_id represents a human-readable identifier referencing a Sharing Group object that defines the distribution of the object, if distribution level &quot;4&quot; is set. A human-readable identifier <bcp14>MUST</bcp14> be represented as an unsigned integer.</t>
+<t>sharing_group_id is represented by a JSON string and <bcp14>SHOULD</bcp14> be present. If a distribution level other than &quot;4&quot; is chosen the sharing_group_id <bcp14>MUST</bcp14> be set to &quot;0&quot;.</t>
 </section>
 
-<section anchor="comment-2" title="comment">
-<t>comment is a contextual comment field.
-</t>
-<t>comment is represented by a JSON string. comment MAY be present.
-</t>
+<section anchor="comment-2"><name>comment</name>
+<t>comment is a contextual comment field.</t>
+<t>comment is represented by a JSON string. comment <bcp14>MAY</bcp14> be present.</t>
 </section>
 
-<section anchor="deleted-2" title="deleted">
-<t>deleted represents a setting that allows attributes to be revoked. Revoked attributes are not actionable and exist merely to inform other instances of a revocation.
-</t>
-<t>deleted is represented by a JSON boolean. deleted MUST be present.
-</t>
+<section anchor="deleted-2"><name>deleted</name>
+<t>deleted represents a setting that allows objects to be revoked. Revoked objects are not actionable and exist merely to inform other instances of a revocation.</t>
+<t>deleted is represented by a JSON boolean. deleted <bcp14>MUST</bcp14> be present.</t>
 </section>
 
-<section anchor="attribute-1" title="Attribute">
-<t>Attribute is an array of attributes that describe the object with data.
-</t>
-<t>Each attribute in an object MUST contain the parent event's ID in the event_id field and the parent object's ID in the object_id field.
-</t>
+<section anchor="attribute-1"><name>Attribute</name>
+<t>Attribute is an array of attributes that describe the object with data.</t>
+<t>Each attribute in an object <bcp14>MUST</bcp14> contain the parent event's ID in the event_id field and the parent object's ID in the object_id field.</t>
 </section>
 
-<section anchor="firstseen-2" title="first_seen">
-<t>first_seen represents a reference time when the object was first seen. first_seen as an ISO 8601 datetime up to the micro-second with time zone support.
-</t>
-<t>first_seen is represented as a JSON string. first_seen MAY be present.
-</t>
+<section anchor="first-seen-2"><name>first_seen</name>
+<t>first_seen represents a reference time when the object was first seen. first_seen as an ISO 8601 datetime up to the micro-second with time zone support.</t>
+<t>first_seen is represented as a JSON string. first_seen <bcp14>MAY</bcp14> be present.</t>
 </section>
 
-<section anchor="lastseen-2" title="last_seen">
-<t>last_seen represents a reference time when the object was last seen. last_seen as an ISO 8601 datetime up to the micro-second with time zone support.
-</t>
-<t>last_seen is represented as a JSON string. last_seen MAY be present.
-</t>
+<section anchor="last-seen-2"><name>last_seen</name>
+<t>last_seen represents a reference time when the object was last seen. last_seen as an ISO 8601 datetime up to the micro-second with time zone support.</t>
+<t>last_seen is represented as a JSON string. last_seen <bcp14>MAY</bcp14> be present.</t>
 </section>
 </section>
 </section>
 
-<section anchor="object-references" title="Object References">
-<t>Object References serve as a logical link between an Object and another referenced Object or Attribute. The relationship is categorised by an enumerated value from a fixed vocabulary.
-</t>
-<t>The relationship_type is recommended to be taken from the MISP object relationship list [<xref target="MISP-R"/>] is RECOMMENDED to ensure a coherent naming of the tags
-</t>
-<t>All Object References MUST contain an object_uuid, a referenced_uuid and a relationship type.
-</t>
+<section anchor="object-references"><name>Object References</name>
+<t>Object References serve as a logical link between an Object and another referenced Object or Attribute. The relationship is categorised by an enumerated value from a fixed vocabulary.</t>
+<t>The relationship_type is recommended to be taken from the MISP object relationship list [<xref target="MISP-R"></xref>] is <bcp14>RECOMMENDED</bcp14> to ensure a coherent naming of the tags</t>
+<t>All Object References <bcp14>MUST</bcp14> contain an object_uuid, a referenced_uuid and a relationship type.</t>
 
-<section anchor="sample-objectreference-object" title="Sample ObjectReference object">
+<section anchor="sample-objectreference-object"><name>Sample ObjectReference object</name>
 
-<figure align="center"><artwork align="center">
-"ObjectReference": {
-                    "id": "195",
-                    "uuid": "59c21a2c-c0ac-4083-93b3-363da07724d1",
-                    "timestamp": "1505892908",
-                    "object_id": "591",
-                    "event_id": "113",
-                    "referenced_id": "590",
-                    "referenced_type": "1",
-                    "relationship_type": "derived-from",
-                    "comment": "",
-                    "deleted": false,
-                    "object_uuid": "59c1134d-8a40-4c14-ad94-0f7ba07724d1",
-                    "referenced_uuid": "59c1133c-9adc-4d06-a34b-0f7ca07724d1",
+<artwork>&quot;ObjectReference&quot;: {
+                    &quot;id&quot;: &quot;195&quot;,
+                    &quot;uuid&quot;: &quot;59c21a2c-c0ac-4083-93b3-363da07724d1&quot;,
+                    &quot;timestamp&quot;: &quot;1505892908&quot;,
+                    &quot;object_id&quot;: &quot;591&quot;,
+                    &quot;event_id&quot;: &quot;113&quot;,
+                    &quot;referenced_id&quot;: &quot;590&quot;,
+                    &quot;referenced_type&quot;: &quot;1&quot;,
+                    &quot;relationship_type&quot;: &quot;derived-from&quot;,
+                    &quot;comment&quot;: &quot;&quot;,
+                    &quot;deleted&quot;: false,
+                    &quot;object_uuid&quot;: &quot;59c1134d-8a40-4c14-ad94-0f7ba07724d1&quot;,
+                    &quot;referenced_uuid&quot;: &quot;59c1133c-9adc-4d06-a34b-0f7ca07724d1&quot;,
                    }
-</artwork></figure>
+</artwork>
 </section>
 
-<section anchor="objectreference-attributes" title="ObjectReference Attributes">
+<section anchor="objectreference-attributes"><name>ObjectReference Attributes</name>
 
-<section anchor="uuid-4" title="uuid">
-<t>uuid represents the Universally Unique IDentifier (UUID) <xref target="RFC4122"/> of the object reference. The uuid MUST be preserved
-for any updates or transfer of the same object reference. UUID version 4 is RECOMMENDED when assigning it to a new object reference.
-</t>
+<section anchor="uuid-4"><name>uuid</name>
+<t>uuid represents the Universally Unique IDentifier (UUID) <xref target="RFC4122"></xref> of the object reference. The uuid <bcp14>MUST</bcp14> be preserved
+for any updates or transfer of the same object reference. UUID version 4 is <bcp14>RECOMMENDED</bcp14> when assigning it to a new object reference.</t>
 </section>
 
-<section anchor="id-4" title="id">
-<t>id represents the human-readable identifier associated to the object reference for a specific MISP instance.
-</t>
-<t>id is represented as a JSON string. id SHALL be present.
-</t>
+<section anchor="id-4"><name>id</name>
+<t>id represents the human-readable identifier associated to the object reference for a specific MISP instance.</t>
+<t>id is represented as a JSON string. id <bcp14>SHALL</bcp14> be present.</t>
 </section>
 
-<section anchor="timestamp-4" title="timestamp">
-<t>timestamp represents a reference time when the object was created or last modified. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone MUST be UTC.
-</t>
-<t>timestamp is represented as a JSON string. timestamp MUST be present.
-</t>
+<section anchor="timestamp-4"><name>timestamp</name>
+<t>timestamp represents a reference time when the object was created or last modified. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone <bcp14>MUST</bcp14> be UTC.</t>
+<t>timestamp is represented as a JSON string. timestamp <bcp14>MUST</bcp14> be present.</t>
 </section>
 
-<section anchor="objectid" title="object_id">
-<t>object_id represents the human-readable identifier of the object that the object reference belongs to on a specific MISP instance. A human-readable identifier MUST be
-represented as an unsigned integer.
-</t>
-<t>event_id is represented as a JSON string. event_id SHALL be present.
-</t>
+<section anchor="object-id"><name>object_id</name>
+<t>object_id represents the human-readable identifier of the object that the object reference belongs to on a specific MISP instance. A human-readable identifier <bcp14>MUST</bcp14> be
+represented as an unsigned integer.</t>
+<t>object_id is represented as a JSON string. object_id <bcp14>SHALL</bcp14> be present.</t>
 </section>
 
-<section anchor="eventid-3" title="event_id">
-<t>event_id represents the human-readable identifier of the event that the object reference belongs to on a specific MISP instance. A human-readable identifier MUST be
-represented as an unsigned integer.
-</t>
-<t>event_id is represented as a JSON string. event_id SHALL be present.
-</t>
+<section anchor="event-id-3"><name>event_id</name>
+<t>event_id represents the human-readable identifier of the event that the object reference belongs to on a specific MISP instance. A human-readable identifier <bcp14>MUST</bcp14> be
+represented as an unsigned integer.</t>
+<t>event_id is represented as a JSON string. event_id <bcp14>SHALL</bcp14> be present.</t>
 </section>
 
-<section anchor="referencedid" title="referenced_id">
-<t>referenced_id represents the human-readable identifier of the object or attribute that the parent object  of the object reference points to on a specific MISP instance.
-</t>
-<t>referenced_id is represented as a JSON string. referenced_id MAY be present.
-</t>
+<section anchor="referenced-id"><name>referenced_id</name>
+<t>referenced_id represents the human-readable identifier of the object or attribute that the parent object  of the object reference points to on a specific MISP instance.</t>
+<t>referenced_id is represented as a JSON string. referenced_id <bcp14>MAY</bcp14> be present.</t>
 </section>
 
-<section anchor="referencedtype" title="referenced_type">
-<t>referenced_type represents the numeric value describing what the object reference points to, &quot;0&quot; representing an attribute and &quot;1&quot; representing an object
-</t>
-<t>referenced_type is represented as a JSON string. referenced_type MAY be present.
-</t>
+<section anchor="referenced-type"><name>referenced_type</name>
+<t>referenced_type represents the numeric value describing what the object reference points to, &quot;0&quot; representing an attribute and &quot;1&quot; representing an object</t>
+<t>referenced_type is represented as a JSON string. referenced_type <bcp14>MAY</bcp14> be present.</t>
 </section>
 
-<section anchor="relationshiptype" title="relationship_type">
-<t>relationship_type represents the human-readable context of the relationship between an object and another object or attribute as described by the object_reference.
-</t>
-<t>referenced_type is represented as a JSON string. relationship_type MUST be present.
-</t>
+<section anchor="relationship-type"><name>relationship_type</name>
+<t>relationship_type represents the human-readable context of the relationship between an object and another object or attribute as described by the object_reference.</t>
+<t>relationship_type is represented as a JSON string. relationship_type <bcp14>MUST</bcp14> be present.</t>
 </section>
 
-<section anchor="comment-3" title="comment">
-<t>comment is a contextual comment field.
-</t>
-<t>comment is represented by a JSON string. comment MAY be present.
-</t>
+<section anchor="comment-3"><name>comment</name>
+<t>comment is a contextual comment field.</t>
+<t>comment is represented by a JSON string. comment <bcp14>MAY</bcp14> be present.</t>
 </section>
 
-<section anchor="deleted-3" title="deleted">
-<t>deleted represents a setting that allows object references to be revoked. Revoked object references are not actionable and exist merely to inform other instances of a revocation.
-</t>
-<t>deleted is represented by a JSON boolean. deleted MUST be present.
-</t>
+<section anchor="deleted-3"><name>deleted</name>
+<t>deleted represents a setting that allows object references to be revoked. Revoked object references are not actionable and exist merely to inform other instances of a revocation.</t>
+<t>deleted is represented by a JSON boolean. deleted <bcp14>MUST</bcp14> be present.</t>
 </section>
 
-<section anchor="objectuuid" title="object_uuid">
-<t>object_uuid represents the Universally Unique IDentifier (UUID) <xref target="RFC4122"/> of the object that the given object reference belongs to. The object_uuid MUST be preserved
-to preserve the object reference's association with the object.
-</t>
+<section anchor="object-uuid"><name>object_uuid</name>
+<t>object_uuid represents the Universally Unique IDentifier (UUID) <xref target="RFC4122"></xref> of the object that the given object reference belongs to. The object_uuid <bcp14>MUST</bcp14> be preserved
+to preserve the object reference's association with the object.</t>
 </section>
 
-<section anchor="referenceduuid" title="referenced_uuid">
-<t>referenced_uuid represents the Universally Unique IDentifier (UUID) <xref target="RFC4122"/> of the object or attribute that is being referenced by the object reference. The referenced_uuid MUST be preserved
-to preserve the object reference's association with the object or attribute.
-</t>
+<section anchor="referenced-uuid"><name>referenced_uuid</name>
+<t>referenced_uuid represents the Universally Unique IDentifier (UUID) <xref target="RFC4122"></xref> of the object or attribute that is being referenced by the object reference. The referenced_uuid <bcp14>MUST</bcp14> be preserved
+to preserve the object reference's association with the object or attribute.</t>
 </section>
 </section>
 </section>
 
-<section anchor="eventreport" title="EventReport">
+<section anchor="eventreport"><name>EventReport</name>
 <t>EventReport are used to complement an event with one or more report in Markdown format. The EventReport contains unstructured information which can be linked to Attributes, Objects, Tags or Galaxy with
-an extension to the Markdown marking language.
-</t>
+an extension to the Markdown marking language.</t>
 
-<section anchor="id-5" title="id">
-<t>id represents the human-readable identifier associated to the EventReport for a specific MISP instance. A human-readable identifier MUST be
-represented as an unsigned integer.
-</t>
-<t>id is represented as a JSON string. id SHALL be present.
-</t>
+<section anchor="id-5"><name>id</name>
+<t>id represents the human-readable identifier associated to the EventReport for a specific MISP instance. A human-readable identifier <bcp14>MUST</bcp14> be
+represented as an unsigned integer.</t>
+<t>id is represented as a JSON string. id <bcp14>SHALL</bcp14> be present.</t>
 </section>
 
-<section anchor="uuid-5" title="UUID">
-<t>uuid represents the Universally Unique IDentifier (UUID) <xref target="RFC4122"/> of the EventReport. The uuid MUST be preserved for any updates or transfer of the same EventReport. UUID version 4 is RECOMMENDED when assigning it to a new EventReport.
-</t>
-<t>uuid is represented as a JSON string. uuid MUST be present.
-</t>
+<section anchor="uuid-5"><name>UUID</name>
+<t>uuid represents the Universally Unique IDentifier (UUID) <xref target="RFC4122"></xref> of the EventReport. The uuid <bcp14>MUST</bcp14> be preserved for any updates or transfer of the same EventReport. UUID version 4 is <bcp14>RECOMMENDED</bcp14> when assigning it to a new EventReport.</t>
+<t>uuid is represented as a JSON string. uuid <bcp14>MUST</bcp14> be present.</t>
 </section>
 
-<section anchor="eventid-4" title="event_id">
-<t>event_id represents the human-readable identifier associating the EventReport to an event on a specific MISP instance. A human-readable identifier MUST be
-represented as an unsigned integer.
-</t>
-<t>event_id is represented as a JSON string. event_id  MUST be present.
-</t>
+<section anchor="event-id-4"><name>event_id</name>
+<t>event_id represents the human-readable identifier associating the EventReport to an event on a specific MISP instance. A human-readable identifier <bcp14>MUST</bcp14> be
+represented as an unsigned integer.</t>
+<t>event_id is represented as a JSON string. event_id  <bcp14>MUST</bcp14> be present.</t>
 </section>
 
-<section anchor="name-1" title="name">
+<section anchor="name-1"><name>name</name>
 <t>name represents the information field of the EventReport. name is a free-text value to provide a human-readable summary
-of the report. name SHOULD NOT be bigger than 256 characters and SHOULD NOT include new-lines.
-</t>
-<t>name is represented as a JSON string. name MUST be present.
-</t>
+of the report. name <bcp14>SHOULD</bcp14> NOT be bigger than 256 characters and <bcp14>SHOULD</bcp14> NOT include new-lines.</t>
+<t>name is represented as a JSON string. name <bcp14>MUST</bcp14> be present.</t>
 </section>
 
-<section anchor="content" title="content">
-<t>content includes the raw EventReport in Markdown format with or without the specific MISP Markdown markup extension.
-</t>
-<t>The markdown extension for MISP is composed with a symbol as prefix then between square bracket the scope (attribute, object, tag or galaxymatrix) followed by the UUID in parenthesis.
-</t>
-<t>content is represented as a JSON string. content MUST be present.
-</t>
+<section anchor="content"><name>content</name>
+<t>content includes the raw EventReport in Markdown format with or without the specific MISP Markdown markup extension.</t>
+<t>The markdown extension for MISP is composed with a symbol as prefix then between square bracket the scope (attribute, object, tag or galaxymatrix) followed by the UUID in parenthesis.</t>
+<t>content is represented as a JSON string. content <bcp14>MUST</bcp14> be present.</t>
 </section>
 
-<section anchor="distribution-3" title="distribution">
-<t>distribution represents the basic distribution rules of the EventReport. The system must adhere to the distribution setting for access control and for dissemination of the EventReport.
-</t>
-<t>distribution is represented by a JSON string. distribution MUST be present and be one of the following options:
-</t>
-<t>
-<list style="hanging">
-<t hangText="0">
-<vspace />
-Your Organisation Only</t>
-<t hangText="1">
-<vspace />
-This Community Only</t>
-<t hangText="2">
-<vspace />
-Connected Communities</t>
-<t hangText="3">
-<vspace />
-All Communities</t>
-<t hangText="4">
-<vspace />
-Sharing Group</t>
-<t hangText="5">
-<vspace />
-Inherit Event</t>
-</list>
-</t>
+<section anchor="distribution-3"><name>distribution</name>
+<t>distribution represents the basic distribution rules of the EventReport. The system must adhere to the distribution setting for access control and for dissemination of the EventReport.</t>
+<t>distribution is represented by a JSON string. distribution <bcp14>MUST</bcp14> be present and be one of the following options:</t>
+
+<dl spacing="compact">
+<dt>0</dt>
+<dd>Your Organisation Only</dd>
+<dt>1</dt>
+<dd>This Community Only</dd>
+<dt>2</dt>
+<dd>Connected Communities</dd>
+<dt>3</dt>
+<dd>All Communities</dd>
+<dt>4</dt>
+<dd>Sharing Group</dd>
+<dt>5</dt>
+<dd>Inherit Event</dd>
+</dl>
 </section>
 
-<section anchor="sharinggroupid-3" title="sharing_group_id">
-<t>sharing_group_id represents the local id to the MISP local instance of the Sharing Group associated for the distribution.
-</t>
-<t>sharing_group_id is represented by a JSON string. sharing_group_id MUST be present and set to &quot;0&quot; if not used.
-</t>
+<section anchor="sharing-group-id-3"><name>sharing_group_id</name>
+<t>sharing_group_id represents the local id to the MISP local instance of the Sharing Group associated for the distribution.</t>
+<t>sharing_group_id is represented by a JSON string. sharing_group_id <bcp14>MUST</bcp14> be present and set to &quot;0&quot; if not used.</t>
 </section>
 
-<section anchor="timestamp-5" title="timestamp">
-<t>timestamp represents a reference time when the EventReport was created or last modified. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone MUST be UTC.
-</t>
-<t>timestamp is represented as a JSON string. timestamp MUST be present.
-</t>
+<section anchor="timestamp-5"><name>timestamp</name>
+<t>timestamp represents a reference time when the EventReport was created or last modified. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone <bcp14>MUST</bcp14> be UTC.</t>
+<t>timestamp is represented as a JSON string. timestamp <bcp14>MUST</bcp14> be present.</t>
 </section>
 
-<section anchor="deleted-4" title="deleted">
-<t>deleted represents a setting that allows EventReport to be revoked. Revoked EventReport are not actionable and exist merely to inform other instances of a revocation.
-</t>
-<t>deleted is represented by a JSON boolean. deleted MUST be present.
-</t>
+<section anchor="deleted-4"><name>deleted</name>
+<t>deleted represents a setting that allows EventReport to be revoked. Revoked EventReport are not actionable and exist merely to inform other instances of a revocation.</t>
+<t>deleted is represented by a JSON boolean. deleted <bcp14>MUST</bcp14> be present.</t>
 </section>
 </section>
 
-<section anchor="tag" title="Tag">
-<t>A tag is a simple method to classify an event with a simple string. The tag name can be freely chosen. The tag name can be also chosen from a fixed machine-tag vocabulary called MISP taxonomies[<xref target="MISP-T"/>]. When an event is distributed outside an organisation, the use of MISP taxonomies[<xref target="MISP-T"/>] is RECOMMENDED to ensure a coherent naming of the tags. A tag is represented as a JSON array where each element describes each tag associated. A tag array SHALL be at event level or attribute level. A tag element is described with a name, id, colour and exportable flag.
-</t>
-<t>exportable represents a setting if the tag is kept local or exportable to other MISP instances. exportable is represented by a JSON boolean. id is a human-readable identifier that references the tag on the local instance. colour represents an RGB value of the tag.
-</t>
-<t>name MUST be present. colour, id and exportable SHALL be present.
-</t>
+<section anchor="tag"><name>Tag</name>
+<t>A tag is a simple method to classify an event with a simple string. The tag name can be freely chosen. The tag name can be also chosen from a fixed machine-tag vocabulary called MISP taxonomies[<xref target="MISP-T"></xref>]. When an event is distributed outside an organisation, the use of MISP taxonomies[<xref target="MISP-T"></xref>] is <bcp14>RECOMMENDED</bcp14> to ensure a coherent naming of the tags. A tag is represented as a JSON array where each element describes each tag associated. A tag array <bcp14>SHALL</bcp14> be at event level or attribute level. A tag element is described with a name, id, colour and exportable flag.</t>
+<t>exportable represents a setting if the tag is kept local or exportable to other MISP instances. exportable is represented by a JSON boolean. id is a human-readable identifier that references the tag on the local instance. colour represents an RGB value of the tag.</t>
+<t>name <bcp14>MUST</bcp14> be present. colour, id and exportable <bcp14>SHALL</bcp14> be present.</t>
 
-<section anchor="sample-tag" title="Sample Tag">
+<section anchor="sample-tag"><name>Sample Tag</name>
 
-<figure align="center"><artwork align="center">
-"Tag": [{
-        "exportable": true,
-        "colour": "#ffffff",
-        "name": "tlp:white",
-        "id": "2" }]
-</artwork></figure>
+<artwork>&quot;Tag&quot;: [{
+        &quot;exportable&quot;: true,
+        &quot;colour&quot;: &quot;#ffffff&quot;,
+        &quot;name&quot;: &quot;tlp:white&quot;,
+        &quot;id&quot;: &quot;2&quot; }]
+</artwork>
 </section>
 </section>
 
-<section anchor="sighting" title="Sighting">
+<section anchor="sighting"><name>Sighting</name>
 <t>A sighting is an ascertainment which describes whether an attribute has been seen under a given set of conditions. The sighting can include the organisation who sighted the attribute or can
-be anonymised. Sighting is composed of a JSON array in which each element describes one singular instance of a sighting. A sighting element is a JSON object composed of the following values:
-</t>
-<t>type MUST be present. type describes the type of a sighting. MISP allows 3 default types:
-</t>
-<texttable>
-<ttcol align="center">Sighting type</ttcol>
-<ttcol align="center">Description</ttcol>
+be anonymised. Sighting is composed of a JSON array in which each element describes one singular instance of a sighting. A sighting element is a JSON object composed of the following values:</t>
+<t>type <bcp14>MUST</bcp14> be present. type describes the type of a sighting. MISP allows 3 default types:</t>
+<table>
+<thead>
+<tr>
+<th>Sighting type</th>
+<th align="center">Description</th>
+</tr>
+</thead>
 
-<c>0</c><c>denotes an attribute which has been seen</c>
-<c>1</c><c>denotes an attribute which has been seen and confirmed as false-positive</c>
-<c>2</c><c>denotes an attribute which will be expired at the time of the sighting</c>
-</texttable>
-<t>uuid MUST be present. uuid references the uuid of the sighted attribute.
-</t>
-<t>date_sighting MUST be present. date_sighting is expressed in seconds (decimal) elapsed since 1st of January 1970 (Unix timestamp). date_sighting represents when the referenced attribute, designated by its uuid, is sighted.
-</t>
-<t>source MAY be present. source is represented as a JSON string and represents the human-readable version of the sighting source, which can be a given piece of software (e.g. SIEM), device or a specific analytical process.
-</t>
-<t>id, event_id and attribute_id MAY be present.
-</t>
+<tbody>
+<tr>
+<td>0</td>
+<td align="center">denotes an attribute which has been seen</td>
+</tr>
+
+<tr>
+<td>1</td>
+<td align="center">denotes an attribute which has been seen and confirmed as false-positive</td>
+</tr>
+
+<tr>
+<td>2</td>
+<td align="center">denotes an attribute which will be expired at the time of the sighting</td>
+</tr>
+</tbody>
+</table><t>uuid <bcp14>MUST</bcp14> be present. uuid references the uuid of the sighted attribute.</t>
+<t>date_sighting <bcp14>MUST</bcp14> be present. date_sighting is expressed in seconds (decimal) elapsed since 1st of January 1970 (Unix timestamp). date_sighting represents when the referenced attribute, designated by its uuid, is sighted.</t>
+<t>source <bcp14>MAY</bcp14> be present. source is represented as a JSON string and represents the human-readable version of the sighting source, which can be a given piece of software (e.g. SIEM), device or a specific analytical process.</t>
+<t>id, event_id and attribute_id are represented as a JSON string and <bcp14>MAY</bcp14> be present.</t>
 <t>id represents the human-readable identifier of the sighting reference which belongs to a specific MISP instance.
 event_id represents the human-readable identifier of the event referenced by the sighting and belongs to a specific MISP instance.
-attribute_id represents the human-readable identifier of the attribute referenced by the sighting and belongs to a specific MISP instance.
-</t>
-<t>org_id MAY be present along the JSON object describing the organisation. If the org_id is not present, the sighting is considered as anonymised.
-</t>
-<t>org_id represents the human-readable identifier of the organisation which did the sighting and belongs to a specific MISP instance.
-</t>
-<t>A human-readable identifier MUST be represented as an unsigned integer.
-</t>
+attribute_id represents the human-readable identifier of the attribute referenced by the sighting and belongs to a specific MISP instance.</t>
+<t>org_id <bcp14>MAY</bcp14> be present along the JSON object describing the organisation. If the org_id is not present, the sighting is considered as anonymised.</t>
+<t>org_id represents the human-readable identifier of the organisation which did the sighting and belongs to a specific MISP instance.</t>
+<t>A human-readable identifier <bcp14>MUST</bcp14> be considered as an unsigned integer.</t>
 
-<section anchor="sample-sighting" title="Sample Sighting">
+<section anchor="sample-sighting"><name>Sample Sighting</name>
 
-<figure align="center"><artwork align="center">
-"Sighting": [
+<artwork>&quot;Sighting&quot;: [
 		   {
-				"id": "13599",
-				"attribute_id": "1201615",
-				"event_id": "10164",
-				"org_id": "2",
-				"date_sighting": "1517581400",
-				"uuid": "5a747459-41b4-4826-9b29-42dd950d210f",
-				"source": "M2M-CIRCL",
-				"type": "0",
-				"Organisation": {
-					"id": "2",
-					"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f",
-					"name": "CIRCL"
+				&quot;id&quot;: &quot;13599&quot;,
+				&quot;attribute_id&quot;: &quot;1201615&quot;,
+				&quot;event_id&quot;: &quot;10164&quot;,
+				&quot;org_id&quot;: &quot;2&quot;,
+				&quot;date_sighting&quot;: &quot;1517581400&quot;,
+				&quot;uuid&quot;: &quot;5a747459-41b4-4826-9b29-42dd950d210f&quot;,
+				&quot;source&quot;: &quot;M2M-CIRCL&quot;,
+				&quot;type&quot;: &quot;0&quot;,
+				&quot;Organisation&quot;: {
+					&quot;id&quot;: &quot;2&quot;,
+					&quot;uuid&quot;: &quot;55f6ea5e-2c60-40e5-964f-47a8950d210f&quot;,
+					&quot;name&quot;: &quot;CIRCL&quot;
 				}
 			},
 			{
-				"id": "13601",
-				"attribute_id": "1201615",
-				"event_id": "10164",
-				"org_id": "2",
-				"date_sighting": "1517581401",
-				"uuid": "5a74745a-a190-4d04-b719-4916950d210f",
-				"source": "M2M-CIRCL",
-				"type": "0",
-				"Organisation": {
-					"id": "2",
-					"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f",
-					"name": "CIRCL"
+				&quot;id&quot;: &quot;13601&quot;,
+				&quot;attribute_id&quot;: &quot;1201615&quot;,
+				&quot;event_id&quot;: &quot;10164&quot;,
+				&quot;org_id&quot;: &quot;2&quot;,
+				&quot;date_sighting&quot;: &quot;1517581401&quot;,
+				&quot;uuid&quot;: &quot;5a74745a-a190-4d04-b719-4916950d210f&quot;,
+				&quot;source&quot;: &quot;M2M-CIRCL&quot;,
+				&quot;type&quot;: &quot;0&quot;,
+				&quot;Organisation&quot;: {
+					&quot;id&quot;: &quot;2&quot;,
+					&quot;uuid&quot;: &quot;55f6ea5e-2c60-40e5-964f-47a8950d210f&quot;,
+					&quot;name&quot;: &quot;CIRCL&quot;
 				}
 			}
 		]
-</artwork></figure>
+</artwork>
 </section>
 </section>
 
-<section anchor="galaxy" title="Galaxy">
-<t>A galaxy is a simple method to express a large object called cluster that can be attached to MISP events. A cluster can be composed of one or more elements. Elements are expressed as key-values.
-</t>
+<section anchor="galaxy"><name>Galaxy</name>
+<t>A galaxy is a simple method to express a large object called cluster that can be attached to MISP events. A cluster can be composed of one or more elements. Elements are expressed as key-values.</t>
 
-<section anchor="sample-galaxy" title="Sample Galaxy">
+<section anchor="sample-galaxy"><name>Sample Galaxy</name>
 
-<figure align="center"><artwork align="center">
-"Galaxy": [ {
-           "id": "18",
-           "uuid": "698774c7-8022-42c4-917f-8d6e4f06ada3",
-           "name": "Threat Actor",
-           "type": "threat-actor",
-           "description": "Threat actors are characteristics of malicious actors
+<artwork>&quot;Galaxy&quot;: [ {
+           &quot;id&quot;: &quot;18&quot;,
+           &quot;uuid&quot;: &quot;698774c7-8022-42c4-917f-8d6e4f06ada3&quot;,
+           &quot;name&quot;: &quot;Threat Actor&quot;,
+           &quot;type&quot;: &quot;threat-actor&quot;,
+           &quot;description&quot;: &quot;Threat actors are characteristics of malicious actors
                           (or adversaries) representing a cyber attack threat
-                          including presumed intent and historically observed behaviour.",
-                "version": "1",
-        "GalaxyCluster": [
+                          including presumed intent and historically observed behaviour.&quot;,
+                &quot;version&quot;: &quot;1&quot;,
+        &quot;GalaxyCluster&quot;: [
             {
-                "id": "1699",
-                "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
-                "type": "threat-actor",
-                "value": "Anunak",
-                "tag_name": "misp-galaxy:threat-actor=\"Anunak\"",
-                "description": "Groups targeting financial organizations
-                    or people with significant financial assets.",
-                "galaxy_id": "18",
-                "source": "MISP Project",
-                "authors": [
-                    "Alexandre Dulaunoy",
-                    "Florian Roth",
-                    "Thomas Schreck",
-                    "Timo Steffens",
-                    "Various"
+                &quot;id&quot;: &quot;1699&quot;,
+                &quot;uuid&quot;: &quot;7cdff317-a673-4474-84ec-4f1754947823&quot;,
+                &quot;type&quot;: &quot;threat-actor&quot;,
+                &quot;value&quot;: &quot;Anunak&quot;,
+                &quot;tag_name&quot;: &quot;misp-galaxy:threat-actor=\&quot;Anunak\&quot;&quot;,
+                &quot;description&quot;: &quot;Groups targeting financial organizations
+                    or people with significant financial assets.&quot;,
+                &quot;galaxy_id&quot;: &quot;18&quot;,
+                &quot;source&quot;: &quot;MISP Project&quot;,
+                &quot;authors&quot;: [
+                    &quot;Alexandre Dulaunoy&quot;,
+                    &quot;Florian Roth&quot;,
+                    &quot;Thomas Schreck&quot;,
+                    &quot;Timo Steffens&quot;,
+                    &quot;Various&quot;
                 ],
-                "tag_id": "111",
-                        "meta": {
-                            "synonyms": [
-                                "Carbanak",
-                                "Carbon Spider"
+                &quot;tag_id&quot;: &quot;111&quot;,
+                        &quot;meta&quot;: {
+                            &quot;synonyms&quot;: [
+                                &quot;Carbanak&quot;,
+                                &quot;Carbon Spider&quot;
                             ],
-                            "country": [
-                                "RU"
+                            &quot;country&quot;: [
+                                &quot;RU&quot;
                             ],
-                            "motive": [
-                                "Cybercrime"
+                            &quot;motive&quot;: [
+                                &quot;Cybercrime&quot;
                             ]
                         }
                     }
                 ]
             }
         ]
-</artwork></figure>
+</artwork>
 </section>
 </section>
 </section>
 
-<section anchor="json-schema" title="JSON Schema">
-<t>The JSON Schema <xref target="JSON-SCHEMA"/> below defines the structure of the MISP core format
+<section anchor="json-schema"><name>JSON Schema</name>
+<t>The JSON Schema <xref target="JSON-SCHEMA"></xref> below defines the structure of the MISP core format
 as literally described before. The JSON Schema is used to validate MISP events at creation time
-or parsing.
-</t>
+or parsing.</t>
 
-<figure align="center"><artwork align="center">
-{
-  "$schema": "http://json-schema.org/draft-04/schema#",
-  "title": "Validator for misp events",
-  "id": "https://github.com/MISP/MISP/blob/2.4/format/2.4/schema.json",
-  "defs": {
-    "org": {
-      "type": "object",
-      "additionalProperties": false,
-      "properties": {
-        "id": {
-          "type": "string"
+<artwork>{
+  &quot;$schema&quot;: &quot;http://json-schema.org/draft-04/schema#&quot;,
+  &quot;title&quot;: &quot;Validator for misp events&quot;,
+  &quot;id&quot;: &quot;https://github.com/MISP/MISP/blob/2.4/format/2.4/schema.json&quot;,
+  &quot;defs&quot;: {
+    &quot;org&quot;: {
+      &quot;type&quot;: &quot;object&quot;,
+      &quot;additionalProperties&quot;: false,
+      &quot;properties&quot;: {
+        &quot;id&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "name": {
-          "type": "string"
+        &quot;name&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "uuid": {
-          "type": "string"
+        &quot;uuid&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         }
       },
-      "required": [
-        "uuid"
+      &quot;required&quot;: [
+        &quot;uuid&quot;
       ]
     },
-    "orgc": {
-      "type": "object",
-      "additionalProperties": false,
-      "properties": {
-        "id": {
-          "type": "string"
+    &quot;orgc&quot;: {
+      &quot;type&quot;: &quot;object&quot;,
+      &quot;additionalProperties&quot;: false,
+      &quot;properties&quot;: {
+        &quot;id&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "name": {
-          "type": "string"
+        &quot;name&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "uuid": {
-          "type": "string"
+        &quot;uuid&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         }
       },
-      "required": [
-        "uuid"
+      &quot;required&quot;: [
+        &quot;uuid&quot;
       ]
     },
-    "sharing_group": {
-      "type": "object",
-      "additionalProperties": false,
-      "properties": {
-        "id": {
-          "type": "string"
+    &quot;sharing_group&quot;: {
+      &quot;type&quot;: &quot;object&quot;,
+      &quot;additionalProperties&quot;: false,
+      &quot;properties&quot;: {
+        &quot;id&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "name": {
-          "type": "string"
+        &quot;name&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "releasability": {
-          "type": "string"
+        &quot;releasability&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "description": {
-          "type": "string"
+        &quot;description&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "uuid": {
-          "type": "string"
+        &quot;uuid&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "organisation_uuid": {
-          "type": "string"
+        &quot;organisation_uuid&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "org_id": {
-          "type": "string"
+        &quot;org_id&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "sync_user_id": {
-          "type": "string"
+        &quot;sync_user_id&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "active": {
-          "type": "boolean"
+        &quot;active&quot;: {
+          &quot;type&quot;: &quot;boolean&quot;
         },
-        "created": {
-          "type": "string"
+        &quot;created&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "modified": {
-          "type": "string"
+        &quot;modified&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "local": {
-          "type": "boolean"
+        &quot;local&quot;: {
+          &quot;type&quot;: &quot;boolean&quot;
         },
-        "roaming": {
-          "type": "boolean"
+        &quot;roaming&quot;: {
+          &quot;type&quot;: &quot;boolean&quot;
         },
-        "Organisation": {
-          "$ref": "#/defs/org"
+        &quot;Organisation&quot;: {
+          &quot;$ref&quot;: &quot;#/defs/org&quot;
         },
-        "SharingGroupOrg": {
-          "type": "array",
-          "uniqueItems": true,
-          "items": {
-            "$ref": "#/defs/sharing_group_org"
+        &quot;SharingGroupOrg&quot;: {
+          &quot;type&quot;: &quot;array&quot;,
+          &quot;uniqueItems&quot;: true,
+          &quot;items&quot;: {
+            &quot;$ref&quot;: &quot;#/defs/sharing_group_org&quot;
           }
         },
-        "SharingGroupServer": {
-          "type": "array",
-          "uniqueItems": true,
-          "items": {
-            "$ref": "#/defs/sharing_group_server"
+        &quot;SharingGroupServer&quot;: {
+          &quot;type&quot;: &quot;array&quot;,
+          &quot;uniqueItems&quot;: true,
+          &quot;items&quot;: {
+            &quot;$ref&quot;: &quot;#/defs/sharing_group_server&quot;
           }
         },
-        "required": [
-          "uuid"
+        &quot;required&quot;: [
+          &quot;uuid&quot;
         ]
       },
-      "required": [
-        "uuid"
+      &quot;required&quot;: [
+        &quot;uuid&quot;
       ]
     },
-    "sharing_group_org": {
-      "type": "object",
-      "additionalProperties": false,
-      "properties": {
-        "id": {
-          "type": "string"
+    &quot;sharing_group_org&quot;: {
+      &quot;type&quot;: &quot;object&quot;,
+      &quot;additionalProperties&quot;: false,
+      &quot;properties&quot;: {
+        &quot;id&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "sharing_group_id": {
-          "type": "string"
+        &quot;sharing_group_id&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "org_id": {
-          "type": "string"
+        &quot;org_id&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "extend": {
-          "type": "boolean"
+        &quot;extend&quot;: {
+          &quot;type&quot;: &quot;boolean&quot;
         },
-        "Organisation": {
-          "$ref": "#/defs/org"
+        &quot;Organisation&quot;: {
+          &quot;$ref&quot;: &quot;#/defs/org&quot;
         }
       }
     },
-    "sharing_group_server": {
-      "type": "object",
-      "additionalProperties": false,
-      "properties": {
-        "id": {
-          "type": "string"
+    &quot;sharing_group_server&quot;: {
+      &quot;type&quot;: &quot;object&quot;,
+      &quot;additionalProperties&quot;: false,
+      &quot;properties&quot;: {
+        &quot;id&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "sharing_group_id": {
-          "type": "string"
+        &quot;sharing_group_id&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "server_id": {
-          "type": "string"
+        &quot;server_id&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "all_orgs": {
-          "type": "boolean"
+        &quot;all_orgs&quot;: {
+          &quot;type&quot;: &quot;boolean&quot;
         },
-        "Server": {
-          "$ref": "#/defs/server"
+        &quot;Server&quot;: {
+          &quot;$ref&quot;: &quot;#/defs/server&quot;
         }
       }
     },
-    "server": {
-      "type": "object",
-      "additionalProperties": false,
-      "properties": {
-        "id": {
-          "type": "string"
+    &quot;server&quot;: {
+      &quot;type&quot;: &quot;object&quot;,
+      &quot;additionalProperties&quot;: false,
+      &quot;properties&quot;: {
+        &quot;id&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "url": {
-          "type": "string"
+        &quot;url&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "name": {
-          "type": "string"
+        &quot;name&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         }
       }
     },
-    "object": {
-      "type": "object",
-      "additionalProperties": false,
-      "properties": {
-        "uuid": {
-          "type": "string"
+    &quot;object&quot;: {
+      &quot;type&quot;: &quot;object&quot;,
+      &quot;additionalProperties&quot;: false,
+      &quot;properties&quot;: {
+        &quot;uuid&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "name": {
-          "type": "string"
+        &quot;name&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "event_id": {
-          "type": "string"
+        &quot;event_id&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "description": {
-          "type": "string"
+        &quot;description&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "template_uuid": {
-          "type": "string"
+        &quot;template_uuid&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "template_version": {
-          "type": "string"
+        &quot;template_version&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "id": {
-          "type": "string"
+        &quot;id&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "meta-category": {
-          "type": "string"
+        &quot;meta-category&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "deleted": {
-          "type": "boolean"
+        &quot;deleted&quot;: {
+          &quot;type&quot;: &quot;boolean&quot;
         },
-        "timestamp": {
-          "type": "string"
+        &quot;timestamp&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "first_seen": {
-          "type": "string"
+        &quot;first_seen&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "last_seen": {
-          "type": "string"
+        &quot;last_seen&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "distribution": {
-          "type": "string"
+        &quot;distribution&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "sharing_group_id": {
-          "type": "string"
+        &quot;sharing_group_id&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "comment": {
-          "type": "string"
+        &quot;comment&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "ObjectReference": {
-            "type": "array",
-            "uniqueItems": true,
-            "items": {
-              "$ref": "#/defs/objectreference"
+        &quot;ObjectReference&quot;: {
+            &quot;type&quot;: &quot;array&quot;,
+            &quot;uniqueItems&quot;: true,
+            &quot;items&quot;: {
+              &quot;$ref&quot;: &quot;#/defs/objectreference&quot;
             }
         },
-        "Attribute": {
-          "type": "array",
-          "uniqueItems": true,
-          "items": {
-            "$ref": "#/defs/attribute"
+        &quot;Attribute&quot;: {
+          &quot;type&quot;: &quot;array&quot;,
+          &quot;uniqueItems&quot;: true,
+          &quot;items&quot;: {
+            &quot;$ref&quot;: &quot;#/defs/attribute&quot;
           }
         }
       }
     },
-    "sighthing": {
-      "type": "object",
-      "additionalProperties": false,
-      "properties": {
-        "id": {
-          "type": "string"
+    &quot;sighthing&quot;: {
+      &quot;type&quot;: &quot;object&quot;,
+      &quot;additionalProperties&quot;: false,
+      &quot;properties&quot;: {
+        &quot;id&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "attribute_id": {
-          "type": "string"
+        &quot;attribute_id&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "event_id": {
-          "type": "string"
+        &quot;event_id&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "source": {
-          "type": "string"
+        &quot;source&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "type": {
-          "type": "string"
+        &quot;type&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "org_id": {
-          "type": "string"
+        &quot;org_id&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "date_sighting": {
-          "type": "string"
+        &quot;date_sighting&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "uuid": {
-          "type": "string"
+        &quot;uuid&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "Organisation": {
-            "$ref": "#/defs/organisation"
+        &quot;Organisation&quot;: {
+            &quot;$ref&quot;: &quot;#/defs/organisation&quot;
         }
       }
     },
-    "organisation": {
-      "type": "object",
-      "additionalProperties": false,
-      "properties": {
-        "id": {
-          "type": "string"
+    &quot;organisation&quot;: {
+      &quot;type&quot;: &quot;object&quot;,
+      &quot;additionalProperties&quot;: false,
+      &quot;properties&quot;: {
+        &quot;id&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "uuid": {
-          "type": "string"
+        &quot;uuid&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "name": {
-          "type": "string"
+        &quot;name&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         }
       }
     },
-    "objectreference": {
-      "type": "object",
-      "additionalProperties": false,
-      "properties": {
-        "deleted": {
-          "type": "boolean"
+    &quot;objectreference&quot;: {
+      &quot;type&quot;: &quot;object&quot;,
+      &quot;additionalProperties&quot;: false,
+      &quot;properties&quot;: {
+        &quot;deleted&quot;: {
+          &quot;type&quot;: &quot;boolean&quot;
         },
-        "object_id": {
-          "type": "string"
+        &quot;object_id&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "event_id": {
-          "type": "string"
+        &quot;event_id&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "timestamp": {
-          "type": "string"
+        &quot;timestamp&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "id": {
-          "type": "string"
+        &quot;id&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "uuid": {
-          "type": "string"
+        &quot;uuid&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "type": {
-          "type": "string"
+        &quot;type&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "referenced_id": {
-          "type": "string"
+        &quot;referenced_id&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "referenced_uuid": {
-          "type": "string"
+        &quot;referenced_uuid&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "referenced_type": {
-          "type": "string"
+        &quot;referenced_type&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "relationship_type": {
-          "type": "string"
+        &quot;relationship_type&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "object_uuid": {
-          "type": "string"
+        &quot;object_uuid&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "comment": {
-          "type": "string"
+        &quot;comment&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "Object": {
-          "$ref": "#/defs/object"
+        &quot;Object&quot;: {
+          &quot;$ref&quot;: &quot;#/defs/object&quot;
         }
       }
     },
-    "attribute": {
-      "type": "object",
-      "additionalProperties": false,
-      "properties": {
-        "id": {
-          "type": "string"
+    &quot;attribute&quot;: {
+      &quot;type&quot;: &quot;object&quot;,
+      &quot;additionalProperties&quot;: false,
+      &quot;properties&quot;: {
+        &quot;id&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "old_id": {
-          "type": "string"
+        &quot;old_id&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "type": {
-          "type": "string"
+        &quot;type&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "category": {
-          "type": "string"
+        &quot;category&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "to_ids": {
-          "type": "boolean"
+        &quot;to_ids&quot;: {
+          &quot;type&quot;: &quot;boolean&quot;
         },
-        "uuid": {
-          "type": "string"
+        &quot;uuid&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "event_id": {
-          "type": "string"
+        &quot;event_id&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "event_uuid": {
-          "type": "string"
+        &quot;event_uuid&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "proposal_to_delete": {
-          "type": "boolean"
+        &quot;proposal_to_delete&quot;: {
+          &quot;type&quot;: &quot;boolean&quot;
         },
-        "validationIssue": {
-          "type": "boolean"
+        &quot;validationIssue&quot;: {
+          &quot;type&quot;: &quot;boolean&quot;
         },
-        "Org": {
-          "$ref": "#/defs/organisation"
+        &quot;Org&quot;: {
+          &quot;$ref&quot;: &quot;#/defs/organisation&quot;
         },
-        "org_id": {
-          "type": "string"
+        &quot;org_id&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "distribution": {
-          "type": "string"
+        &quot;distribution&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "timestamp": {
-          "type": "string"
+        &quot;timestamp&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "first_seen": {
-          "type": "string"
+        &quot;first_seen&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "last_seen": {
-          "type": "string"
+        &quot;last_seen&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "comment": {
-          "type": "string"
+        &quot;comment&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "sharing_group_id": {
-          "type": "string"
+        &quot;sharing_group_id&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "deleted": {
-          "type": "boolean"
+        &quot;deleted&quot;: {
+          &quot;type&quot;: &quot;boolean&quot;
         },
-        "disable_correlation": {
-          "type": "boolean"
+        &quot;disable_correlation&quot;: {
+          &quot;type&quot;: &quot;boolean&quot;
         },
-        "value": {
-          "type": "string"
+        &quot;value&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "data": {
-          "type": "string"
+        &quot;data&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "object_relation": {
-          "type": ["string", "null"]
+        &quot;object_relation&quot;: {
+          &quot;type&quot;: [&quot;string&quot;, &quot;null&quot;]
         },
-        "object_id": {
-          "type": "string"
+        &quot;object_id&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "SharingGroup": {
-          "$ref": "#/defs/sharing_group"
+        &quot;SharingGroup&quot;: {
+          &quot;$ref&quot;: &quot;#/defs/sharing_group&quot;
         },
-        "ShadowAttribute": {
-          "type": "array",
-          "uniqueItems": true,
-          "items": {
-            "$ref": "#/defs/attribute"
+        &quot;ShadowAttribute&quot;: {
+          &quot;type&quot;: &quot;array&quot;,
+          &quot;uniqueItems&quot;: true,
+          &quot;items&quot;: {
+            &quot;$ref&quot;: &quot;#/defs/attribute&quot;
           }
         },
-        "Sighting": {
-            "type": "array",
-            "uniqueItems": true,
-            "items": {
-              "$ref": "#/defs/sighthing"
+        &quot;Sighting&quot;: {
+            &quot;type&quot;: &quot;array&quot;,
+            &quot;uniqueItems&quot;: true,
+            &quot;items&quot;: {
+              &quot;$ref&quot;: &quot;#/defs/sighthing&quot;
             }
         },
-        "Galaxy": {
-          "type": "array",
-          "uniqueItems": true,
-          "items": {
-            "$ref": "#/defs/galaxy"
+        &quot;Galaxy&quot;: {
+          &quot;type&quot;: &quot;array&quot;,
+          &quot;uniqueItems&quot;: true,
+          &quot;items&quot;: {
+            &quot;$ref&quot;: &quot;#/defs/galaxy&quot;
           }
         },
-        "Tag": {
-          "uniqueItems": true,
-          "type": "array",
-          "items": {
-            "$ref": "#/defs/tag"
+        &quot;Tag&quot;: {
+          &quot;uniqueItems&quot;: true,
+          &quot;type&quot;: &quot;array&quot;,
+          &quot;items&quot;: {
+            &quot;$ref&quot;: &quot;#/defs/tag&quot;
           }
         }
       }
     },
-    "event": {
-      "type": "object",
-      "additionalProperties": false,
-      "properties": {
-        "id": {
-          "type": "string"
+    &quot;event&quot;: {
+      &quot;type&quot;: &quot;object&quot;,
+      &quot;additionalProperties&quot;: false,
+      &quot;properties&quot;: {
+        &quot;id&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "orgc_id": {
-          "type": "string"
+        &quot;orgc_id&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "org_id": {
-          "type": "string"
+        &quot;org_id&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "date": {
-          "type": "string"
+        &quot;date&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "extends_uuid": {
-            "type": "string"
+        &quot;extends_uuid&quot;: {
+            &quot;type&quot;: &quot;string&quot;
         },
-        "threat_level_id": {
-          "type": "string"
+        &quot;threat_level_id&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "info": {
-          "type": "string"
+        &quot;info&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "published": {
-          "type": "boolean"
+        &quot;published&quot;: {
+          &quot;type&quot;: &quot;boolean&quot;
         },
-        "uuid": {
-          "type": "string"
+        &quot;uuid&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "attribute_count": {
-          "type": "string"
+        &quot;attribute_count&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "analysis": {
-          "type": "string"
+        &quot;analysis&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "timestamp": {
-          "type": "string"
+        &quot;timestamp&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "distribution": {
-          "type": "string"
+        &quot;distribution&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "proposal_email_lock": {
-          "type": "boolean"
+        &quot;proposal_email_lock&quot;: {
+          &quot;type&quot;: &quot;boolean&quot;
         },
-        "locked": {
-          "type": "boolean"
+        &quot;locked&quot;: {
+          &quot;type&quot;: &quot;boolean&quot;
         },
-        "publish_timestamp": {
-          "type": "string"
+        &quot;publish_timestamp&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "sharing_group_id": {
-          "type": "string"
+        &quot;sharing_group_id&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "disable_correlation": {
-          "type": "boolean"
+        &quot;disable_correlation&quot;: {
+          &quot;type&quot;: &quot;boolean&quot;
         },
-        "event_creator_email": {
-          "type": "string"
+        &quot;event_creator_email&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "Org": {
-          "$ref": "#/defs/org"
+        &quot;Org&quot;: {
+          &quot;$ref&quot;: &quot;#/defs/org&quot;
         },
-        "Orgc": {
-          "$ref": "#/defs/org"
+        &quot;Orgc&quot;: {
+          &quot;$ref&quot;: &quot;#/defs/org&quot;
         },
-        "SharingGroup": {
-          "$ref": "#/defs/sharing_group"
+        &quot;SharingGroup&quot;: {
+          &quot;$ref&quot;: &quot;#/defs/sharing_group&quot;
         },
-        "Attribute": {
-          "type": "array",
-          "uniqueItems": true,
-          "items": {
-            "$ref": "#/defs/attribute"
+        &quot;Attribute&quot;: {
+          &quot;type&quot;: &quot;array&quot;,
+          &quot;uniqueItems&quot;: true,
+          &quot;items&quot;: {
+            &quot;$ref&quot;: &quot;#/defs/attribute&quot;
           }
         },
-        "ShadowAttribute": {
-          "type": "array",
-          "uniqueItems": true,
-          "items": {
-            "$ref": "#/defs/attribute"
+        &quot;ShadowAttribute&quot;: {
+          &quot;type&quot;: &quot;array&quot;,
+          &quot;uniqueItems&quot;: true,
+          &quot;items&quot;: {
+            &quot;$ref&quot;: &quot;#/defs/attribute&quot;
           }
         },
-        "RelatedEvent": {
-          "type": "array",
-          "uniqueItems": true,
-          "items": {
-            "type": "object",
-            "additionalProperties": false,
-            "properties": {
-                "Event":{
-                  "$ref": "#/defs/event"
+        &quot;RelatedEvent&quot;: {
+          &quot;type&quot;: &quot;array&quot;,
+          &quot;uniqueItems&quot;: true,
+          &quot;items&quot;: {
+            &quot;type&quot;: &quot;object&quot;,
+            &quot;additionalProperties&quot;: false,
+            &quot;properties&quot;: {
+                &quot;Event&quot;:{
+                  &quot;$ref&quot;: &quot;#/defs/event&quot;
                 }
             }
           }
         },
-        "Galaxy": {
-          "type": "array",
-          "uniqueItems": true,
-          "items": {
-            "$ref": "#/defs/galaxy"
+        &quot;Galaxy&quot;: {
+          &quot;type&quot;: &quot;array&quot;,
+          &quot;uniqueItems&quot;: true,
+          &quot;items&quot;: {
+            &quot;$ref&quot;: &quot;#/defs/galaxy&quot;
           }
         },
-        "Object": {
-            "type": "array",
-            "uniqueItems": true,
-            "items": {
-                "$ref": "#/defs/object"
+        &quot;Object&quot;: {
+            &quot;type&quot;: &quot;array&quot;,
+            &quot;uniqueItems&quot;: true,
+            &quot;items&quot;: {
+                &quot;$ref&quot;: &quot;#/defs/object&quot;
             }
         },
-        "Tag": {
-          "type": "array",
-          "uniqueItems": true,
-          "items": {
-            "$ref": "#/defs/tag"
+        &quot;Tag&quot;: {
+          &quot;type&quot;: &quot;array&quot;,
+          &quot;uniqueItems&quot;: true,
+          &quot;items&quot;: {
+            &quot;$ref&quot;: &quot;#/defs/tag&quot;
           }
         }
       }
     },
-    "tag": {
-      "type": "object",
-      "additionalProperties": false,
-      "properties": {
-        "id": {
-          "type": "string"
+    &quot;tag&quot;: {
+      &quot;type&quot;: &quot;object&quot;,
+      &quot;additionalProperties&quot;: false,
+      &quot;properties&quot;: {
+        &quot;id&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "name": {
-          "type": "string"
+        &quot;name&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "colour": {
-          "type": "string"
+        &quot;colour&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "exportable": {
-          "type": "boolean"
+        &quot;exportable&quot;: {
+          &quot;type&quot;: &quot;boolean&quot;
         },
-        "hide_tag": {
-          "type": "boolean"
+        &quot;hide_tag&quot;: {
+          &quot;type&quot;: &quot;boolean&quot;
         },
-        "user_id": {
-          "type": "string"
+        &quot;user_id&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         }
       }
     },
-    "galaxy": {
-      "type": "object",
-      "additionalProperties": false,
-      "properties": {
-        "id": {
-          "type": "string"
+    &quot;galaxy&quot;: {
+      &quot;type&quot;: &quot;object&quot;,
+      &quot;additionalProperties&quot;: false,
+      &quot;properties&quot;: {
+        &quot;id&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "uuid": {
-          "type": "string"
+        &quot;uuid&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "name": {
-          "type": "string"
+        &quot;name&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "type": {
-          "type": "string"
+        &quot;type&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "description": {
-          "type": "string"
+        &quot;description&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "version": {
-          "type": "string"
+        &quot;version&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "icon": {
-          "type": "string"
+        &quot;icon&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "namespace": {
-          "type": "string"
+        &quot;namespace&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "GalaxyCluster": {
-          "type": "array",
-          "uniqueItems": true,
-          "items": {
-            "$ref": "#/defs/galaxy_cluster"
+        &quot;GalaxyCluster&quot;: {
+          &quot;type&quot;: &quot;array&quot;,
+          &quot;uniqueItems&quot;: true,
+          &quot;items&quot;: {
+            &quot;$ref&quot;: &quot;#/defs/galaxy_cluster&quot;
           }
         }
       }
     },
-    "galaxy_cluster": {
-      "type": "object",
-      "additionalProperties": false,
-      "properties": {
-        "id": {
-          "type": "string"
+    &quot;galaxy_cluster&quot;: {
+      &quot;type&quot;: &quot;object&quot;,
+      &quot;additionalProperties&quot;: false,
+      &quot;properties&quot;: {
+        &quot;id&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "uuid": {
-          "type": "string"
+        &quot;uuid&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "type": {
-          "type": "string"
+        &quot;type&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "value": {
-          "type": "string"
+        &quot;value&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "tag_name": {
-          "type": "string"
+        &quot;tag_name&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "description": {
-          "type": "string"
+        &quot;description&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "galaxy_id": {
-          "type": "string"
+        &quot;galaxy_id&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "version": {
-          "type": "string"
+        &quot;version&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "source": {
-          "type": "string"
+        &quot;source&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "authors": {
-          "type": "array",
-          "uniqueItems": true,
-          "items": {
-            "type": "string"
+        &quot;authors&quot;: {
+          &quot;type&quot;: &quot;array&quot;,
+          &quot;uniqueItems&quot;: true,
+          &quot;items&quot;: {
+            &quot;type&quot;: &quot;string&quot;
           }
         },
-        "tag_id": {
-          "type": "string"
+        &quot;tag_id&quot;: {
+          &quot;type&quot;: &quot;string&quot;
         },
-        "meta": {
-          "type": "object"
+        &quot;meta&quot;: {
+          &quot;type&quot;: &quot;object&quot;
         }
       }
     }
   },
-  "type": "object",
-  "properties": {
-    "Event": {
-      "$ref": "#/defs/event"
+  &quot;type&quot;: &quot;object&quot;,
+  &quot;properties&quot;: {
+    &quot;Event&quot;: {
+      &quot;$ref&quot;: &quot;#/defs/event&quot;
     }
   },
-  "required": [
-    "Event"
+  &quot;required&quot;: [
+    &quot;Event&quot;
   ]
 }
-</artwork></figure>
+</artwork>
 </section>
 
-<section anchor="manifest" title="Manifest">
+<section anchor="manifest"><name>Manifest</name>
 <t>MISP events can be shared over an HTTP repository, a file package or USB key. A manifest file is used to
 provide an index of MISP events allowing to only fetch the recently updated files without the need to parse
-each json file.
-</t>
+each json file.</t>
 
-<section anchor="format-1" title="Format">
+<section anchor="format-1"><name>Format</name>
 <t>A manifest file is a simple JSON file named manifest.json in a directory where the MISP events are located.
-Each MISP event is a file located in the same directory with the event uuid as filename with the json extension.
-</t>
-<t>The manifest format is a JSON object composed of a dictionary where the field is the uuid of the event.
-</t>
+Each MISP event is a file located in the same directory with the event uuid as filename with the json extension.</t>
+<t>The manifest format is a JSON object composed of a dictionary where the field is the uuid of the event.</t>
 <t>Each uuid is composed of a JSON object with the following fields which came from the original event referenced
-by the same uuid:
-</t>
-<t>
-<list style="symbols">
-<t>info (MUST)</t>
-<t>Orgc object (MUST)</t>
-<t>analysis (SHALL)</t>
-<t>timestamp (MUST)</t>
-<t>date (MUST)</t>
-<t>threat_level_id (SHALL)</t>
-</list>
-</t>
-<t>In addition to the fields originating from the event, the following fields can be added:
-</t>
-<t>
-<list style="symbols">
-<t>integrity:sha256 represents the SHA256 value in hexadecimal representation of the associated MISP event file to ensure integrity of the file. (SHOULD)</t>
-<t>integrity:pgp represents a detached PGP signature <xref target="RFC4880"/> of the associated MISP event file to ensure integrity of the file. (SHOULD)</t>
-</list>
-</t>
-<t>If a detached PGP signature is used for each MISP event, a detached PGP signature is a MUST to ensure integrity of the manifest file.
-A detached PGP signature for a manifest file is a manifest.json.asc file containing the PGP signature.
-</t>
+by the same uuid:</t>
 
-<section anchor="sample-manifest" title="Sample Manifest">
+<ul spacing="compact">
+<li>info (<bcp14>MUST</bcp14>)</li>
+<li>Orgc object (<bcp14>MUST</bcp14>)</li>
+<li>analysis (<bcp14>SHALL</bcp14>)</li>
+<li>timestamp (<bcp14>MUST</bcp14>)</li>
+<li>date (<bcp14>MUST</bcp14>)</li>
+<li>threat_level_id (<bcp14>SHALL</bcp14>)</li>
+</ul>
+<t>In addition to the fields originating from the event, the following fields can be added:</t>
 
-<figure align="center"><artwork align="center">
-{
-  "57c6ac4c-c60c-4f79-a38f-b666950d210f": {
-    "info": "Malspam 2016-08-31 (.wsf in .zip) - campaign: Photo",
-    "Orgc": {
-      "id": "2",
-      "name": "CIRCL",
-      "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
+<ul spacing="compact">
+<li>integrity:sha256 represents the SHA256 value in hexadecimal representation of the associated MISP event file to ensure integrity of the file. (<bcp14>SHOULD</bcp14>)</li>
+<li>integrity:pgp represents a detached PGP signature <xref target="RFC4880"></xref> of the associated MISP event file to ensure integrity of the file. (<bcp14>SHOULD</bcp14>)</li>
+</ul>
+<t>If a detached PGP signature is used for each MISP event, a detached PGP signature is a <bcp14>MUST</bcp14> to ensure integrity of the manifest file.
+A detached PGP signature for a manifest file is a manifest.json.asc file containing the PGP signature.</t>
+
+<section anchor="sample-manifest"><name>Sample Manifest</name>
+
+<artwork>{
+  &quot;57c6ac4c-c60c-4f79-a38f-b666950d210f&quot;: {
+    &quot;info&quot;: &quot;Malspam 2016-08-31 (.wsf in .zip) - campaign: Photo&quot;,
+    &quot;Orgc&quot;: {
+      &quot;id&quot;: &quot;2&quot;,
+      &quot;name&quot;: &quot;CIRCL&quot;,
+      &quot;uuid&quot;: &quot;55f6ea5e-2c60-40e5-964f-47a8950d210f&quot;
     },
-    "analysis": "0",
-    "Tag": [
+    &quot;analysis&quot;: &quot;0&quot;,
+    &quot;Tag&quot;: [
       {
-        "colour": "#3d7a00",
-        "name": "circl:incident-classification=\"malware\""
+        &quot;colour&quot;: &quot;#3d7a00&quot;,
+        &quot;name&quot;: &quot;circl:incident-classification=\&quot;malware\&quot;&quot;
       },
       {
-        "colour": "#ffffff",
-        "name": "tlp:white"
+        &quot;colour&quot;: &quot;#ffffff&quot;,
+        &quot;name&quot;: &quot;tlp:white&quot;
       }
     ],
-    "timestamp": "1472638251",
-    "date": "2016-08-31",
-    "threat_level_id": "3"
+    &quot;timestamp&quot;: &quot;1472638251&quot;,
+    &quot;date&quot;: &quot;2016-08-31&quot;,
+    &quot;threat_level_id&quot;: &quot;3&quot;
   },
-  "5720accd-dd28-45f8-80e5-4605950d210f": {
-    "info": "Malspam 2016-04-27 - Locky",
-    "Orgc": {
-      "id": "2",
-      "name": "CIRCL"
+  &quot;5720accd-dd28-45f8-80e5-4605950d210f&quot;: {
+    &quot;info&quot;: &quot;Malspam 2016-04-27 - Locky&quot;,
+    &quot;Orgc&quot;: {
+      &quot;id&quot;: &quot;2&quot;,
+      &quot;name&quot;: &quot;CIRCL&quot;
     },
-    "analysis": "2",
-    "Tag": [
+    &quot;analysis&quot;: &quot;2&quot;,
+    &quot;Tag&quot;: [
       {
-        "colour": "#ffffff",
-        "name": "tlp:white"
+        &quot;colour&quot;: &quot;#ffffff&quot;,
+        &quot;name&quot;: &quot;tlp:white&quot;
       },
       {
-        "colour": "#3d7a00",
-        "name": "circl:incident-classification=\"malware\""
+        &quot;colour&quot;: &quot;#3d7a00&quot;,
+        &quot;name&quot;: &quot;circl:incident-classification=\&quot;malware\&quot;&quot;
       },
       {
-        "colour": "#2c4f00",
-        "name": "malware_classification:malware-category=\"Ransomware\""
+        &quot;colour&quot;: &quot;#2c4f00&quot;,
+        &quot;name&quot;: &quot;malware_classification:malware-category=\&quot;Ransomware\&quot;&quot;
       }
     ],
-    "timestamp": "1461764231",
-    "date": "2016-04-27",
-    "threat_level_id": "3"
+    &quot;timestamp&quot;: &quot;1461764231&quot;,
+    &quot;date&quot;: &quot;2016-04-27&quot;,
+    &quot;threat_level_id&quot;: &quot;3&quot;
   }
 }
-</artwork></figure>
+</artwork>
 </section>
 </section>
 </section>
 
-<section anchor="implementation" title="Implementation">
+<section anchor="implementation"><name>Implementation</name>
 <t>MISP format is implemented by different software including the MISP threat sharing
-platform and libraries like PyMISP <xref target="MISP-P"/>. Implementations use the format
+platform and libraries like PyMISP <xref target="MISP-P"></xref>. Implementations use the format
 as an export/import mechanism, staging transport format or synchronisation format
 as used in the MISP core platform. MISP format doesn't impose any restriction on
-the data representation of the format in data-structure of other implementations.
-</t>
+the data representation of the format in data-structure of other implementations.</t>
 </section>
 
-<section anchor="security-considerations" title="Security Considerations">
+<section anchor="security-considerations"><name>Security Considerations</name>
 <t>MISP events might contain sensitive or confidential information. Adequate
 access control and encryption measures shall be implemented to ensure
-the confidentiality of the MISP events.
-</t>
+the confidentiality of the MISP events.</t>
 <t>Adversaries might include malicious content in MISP events and attributes.
-Implementation MUST consider the input of malicious inputs beside the
-standard threat information that might already include malicious intended inputs.
-</t>
+Implementation <bcp14>MUST</bcp14> consider the input of malicious inputs beside the
+standard threat information that might already include malicious intended inputs.</t>
 </section>
 
-<section anchor="acknowledgements" title="Acknowledgements">
+<section anchor="acknowledgements"><name>Acknowledgements</name>
 <t>The authors wish to thank all the MISP community who are supporting the creation
 of open standards in threat intelligence sharing. A special thank to Nicolas Bareil
-for the review of the JSON Schema.
-</t>
+for the review of the JSON Schema.</t>
 </section>
 
-<section anchor="references" title="References">
+<section anchor="references"><name>References</name>
 </section>
 
 </middle>
+
 <back>
-<references title="Normative References">
-<?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"?>
-<?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.4122.xml"?>
-<?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.4880.xml"?>
-<?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8259.xml"?>
+<references><name>Normative References</name>
+<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/>
+<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4122.xml"/>
+<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4880.xml"/>
+<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8259.xml"/>
 </references>
-<references title="Informative References">
-<reference anchor='JSON-SCHEMA' target='https://tools.ietf.org/html/draft-wright-json-schema'>
+<references><name>Informative References</name>
+<reference anchor="JSON-SCHEMA" target="https://tools.ietf.org/html/draft-wright-json-schema">
   <front>
     <title>JSON Schema: A Media Type for Describing JSON Documents</title>
-    <author initials='' surname='' fullname='Austin Wright'></author>
+    <author fullname="Austin Wright"></author>
     <date year="2016"></date>
   </front>
 </reference>
-<reference anchor='MISP-P' target='https://github.com/MISP'>
+<reference anchor="MISP-P" target="https://github.com/MISP">
   <front>
-   <title>MISP Project - Open Source Threat Intelligence Platform and Open Standards For Threat Information Sharing</title>
-   <author initials='' surname='MISP' fullname='MISP Community'></author>
-   <date></date>
+    <title>MISP Project - Open Source Threat Intelligence Platform and Open Standards For Threat Information Sharing</title>
+    <author fullname="MISP Community" surname="MISP"></author>
+    <date></date>
   </front>
 </reference>
-<reference anchor='MISP-R' target='https://github.com/MISP/misp-objects/tree/master/relationships'>
+<reference anchor="MISP-R" target="https://github.com/MISP/misp-objects/tree/master/relationships">
   <front>
-   <title>MISP Object Relationship Types - common vocabulary of relationships</title>
-   <author initials='' surname='MISP' fullname='MISP Community'></author>
-   <date></date>
+    <title>MISP Object Relationship Types - common vocabulary of relationships</title>
+    <author fullname="MISP Community" surname="MISP"></author>
+    <date></date>
   </front>
 </reference>
-<reference anchor='MISP-T' target='https://github.com/MISP/misp-taxonomies'>
+<reference anchor="MISP-T" target="https://github.com/MISP/misp-taxonomies">
   <front>
-   <title>MISP Taxonomies - shared and common vocabularies of tags</title>
-   <author initials='' surname='MISP' fullname='MISP Community'></author>
-   <date></date>
+    <title>MISP Taxonomies - shared and common vocabularies of tags</title>
+    <author fullname="MISP Community" surname="MISP"></author>
+    <date></date>
   </front>
 </reference>
 </references>
 
 </back>
+
 </rfc>