chg: [misp-query-format] add a sample query with financial fraud

pull/21/head
Alexandre Dulaunoy 2018-10-07 12:02:58 +02:00
parent 3b577a0ad6
commit 8891052e2a
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
4 changed files with 132 additions and 23 deletions

View File

@ -105,6 +105,16 @@ type **MAY** be present. If set, the returned data set will be filtered on the a
category **MAY** be present. If set, the returned data set will be filtered on the attribute category field. category **MAY** be a string or a sub-string, the latter of which start with, ends with or is encapsulated in wildcard (\%) characters. The list of valid categories is described in the MISP core format [@?MISP-C] in the attribute type section. category **MAY** be present. If set, the returned data set will be filtered on the attribute category field. category **MAY** be a string or a sub-string, the latter of which start with, ends with or is encapsulated in wildcard (\%) characters. The list of valid categories is described in the MISP core format [@?MISP-C] in the attribute type section.
A sample query to lookup for the last 30 days of indicators in the `Financial fraud` category and output in CSV format:
~~~~
{
"returnFormat": "csv",
"last": "30d",
"category": "Financial fraud"
}
~~~~
# Security Considerations # Security Considerations
MISP threat intelligence instances might contain sensitive or confidential information. Adequate access control and encryption measures shall be implemented to ensure the confidentiality of the threat intelligence. MISP threat intelligence instances might contain sensitive or confidential information. Adequate access control and encryption measures shall be implemented to ensure the confidentiality of the threat intelligence.
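Review bot: the sample query added to the category section depends on a `last` parameter (`"last": "30d"`) that no section in this change defines, so a reader of 2.2.6 cannot tell what `30d` is measured against or what other units are accepted; add a `last` section next to limit/page/value/type/category, or cross-reference the place where it is specified. Minor wording in the lead-in sentence: "A sample query to lookup for the last 30 days of indicators" should read "A sample query to look up the last 30 days of indicators".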

View File

@ -541,23 +541,44 @@
<td class="center">csv</td> <td class="center">csv</td>
<td class="center">CSV format</td> <td class="center">CSV format</td>
</tr> </tr>
<tr>
<td class="center">rpz</td>
<td class="center">Response policy zone format</td>
</tr>
<tr>
<td class="center">text</td>
<td class="center">Raw value list format</td>
</tr>
</tbody> </tbody>
</table> </table>
<h1 id="rfc.section.2.2.2"> <h1 id="rfc.section.2.2.2">
<a href="#rfc.section.2.2.2">2.2.2.</a> <a href="#limit" id="limit">limit</a> <a href="#rfc.section.2.2.2">2.2.2.</a> <a href="#limit" id="limit">limit</a>
</h1> </h1>
<p id="rfc.section.2.2.2.p.1">limit MAY be present. If present, the page parameter MUST also be supplied. limit sets the number of returned elements when paginating, depending on the scope of the request (x number of attributes or x number of events) as converted into the output format. </p>
<h1 id="rfc.section.2.2.3"> <h1 id="rfc.section.2.2.3">
<a href="#rfc.section.2.2.3">2.2.3.</a> <a href="#page" id="page">page</a> <a href="#rfc.section.2.2.3">2.2.3.</a> <a href="#page" id="page">page</a>
</h1> </h1>
<p id="rfc.section.2.2.3.p.1">page MAY be present. If present, the page parameter MUST also be supplied. page generates the offset for the pagination and will return a result set consisting of a slice of the query results starting with offset (limit * page) + 1 and ending with (limit * (page+1)). </p>
<h1 id="rfc.section.2.2.4"> <h1 id="rfc.section.2.2.4">
<a href="#rfc.section.2.2.4">2.2.4.</a> <a href="#value" id="value">value</a> <a href="#rfc.section.2.2.4">2.2.4.</a> <a href="#value" id="value">value</a>
</h1> </h1>
<p id="rfc.section.2.2.4.p.1">value MAY be present. If set, the returned data set will be filtered on the attribute value field. value MAY be a string or a sub-string, the latter of which start with, ends with or is encapsulated in wildcard (\%) characters. </p>
<h1 id="rfc.section.2.2.5"> <h1 id="rfc.section.2.2.5">
<a href="#rfc.section.2.2.5">2.2.5.</a> <a href="#type" id="type">type</a> <a href="#rfc.section.2.2.5">2.2.5.</a> <a href="#type" id="type">type</a>
</h1> </h1>
<p id="rfc.section.2.2.5.p.1">type MAY be present. If set, the returned data set will be filtered on the attribute type field. type MAY be a string or a sub-string, the latter of which start with, ends with or is encapsulated in wildcard (\%) characters. The list of valid attribute types is described in the MISP core format <a href="#MISP-C" class="xref">[MISP-C]</a> in the attribute type section. </p>
<h1 id="rfc.section.2.2.6"> <h1 id="rfc.section.2.2.6">
<a href="#rfc.section.2.2.6">2.2.6.</a> <a href="#category" id="category">category</a> <a href="#rfc.section.2.2.6">2.2.6.</a> <a href="#category" id="category">category</a>
</h1> </h1>
<p id="rfc.section.2.2.6.p.1">category MAY be present. If set, the returned data set will be filtered on the attribute category field. category MAY be a string or a sub-string, the latter of which start with, ends with or is encapsulated in wildcard (\%) characters. The list of valid categories is described in the MISP core format <a href="#MISP-C" class="xref">[MISP-C]</a> in the attribute type section. </p>
<p id="rfc.section.2.2.6.p.2">A sample query to lookup for the last 30 days of indicators in the <samp>Financial fraud</samp> category and output in CSV format: </p>
<pre>
{
"returnFormat": "csv",
"last": "30d",
"category": "Financial fraud"
}
</pre>
<h1 id="rfc.section.3"> <h1 id="rfc.section.3">
<a href="#rfc.section.3">3.</a> <a href="#security-considerations" id="security-considerations">Security Considerations</a> <a href="#rfc.section.3">3.</a> <a href="#security-considerations" id="security-considerations">Security Considerations</a>
</h1> </h1>
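Review bot: the backslash in "wildcard (\%) characters" in 2.2.4, 2.2.5 and 2.2.6 is a markdown escape that has leaked into the rendered HTML, so readers see `\%` where the document means the literal `%` wildcard; the same `\%` appears in the txt and xml outputs of this change. Drop the backslash in the markdown source, or put the character in a code span so it renders as `%`, then regenerate the three outputs.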

View File

@ -76,15 +76,15 @@ Table of Contents
2.2.1. returnFormat . . . . . . . . . . . . . . . . . . . . 3 2.2.1. returnFormat . . . . . . . . . . . . . . . . . . . . 3
2.2.2. limit . . . . . . . . . . . . . . . . . . . . . . . . 3 2.2.2. limit . . . . . . . . . . . . . . . . . . . . . . . . 3
2.2.3. page . . . . . . . . . . . . . . . . . . . . . . . . 3 2.2.3. page . . . . . . . . . . . . . . . . . . . . . . . . 3
2.2.4. value . . . . . . . . . . . . . . . . . . . . . . . . 3 2.2.4. value . . . . . . . . . . . . . . . . . . . . . . . . 4
2.2.5. type . . . . . . . . . . . . . . . . . . . . . . . . 3 2.2.5. type . . . . . . . . . . . . . . . . . . . . . . . . 4
2.2.6. category . . . . . . . . . . . . . . . . . . . . . . 3 2.2.6. category . . . . . . . . . . . . . . . . . . . . . . 4
3. Security Considerations . . . . . . . . . . . . . . . . . . . 3 3. Security Considerations . . . . . . . . . . . . . . . . . . . 4
4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 4 4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 5
5. References . . . . . . . . . . . . . . . . . . . . . . . . . 4 5. References . . . . . . . . . . . . . . . . . . . . . . . . . 5
5.1. Normative References . . . . . . . . . . . . . . . . . . 4 5.1. Normative References . . . . . . . . . . . . . . . . . . 5
5.2. Informative References . . . . . . . . . . . . . . . . . 4 5.2. Informative References . . . . . . . . . . . . . . . . . 5
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 4 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 5
1. Introduction 1. Introduction
@ -143,24 +143,24 @@ Internet-Draft MISP query format October 2018
| suricata | Suricata NIDS format | | suricata | Suricata NIDS format |
| snort | Snort NIDS format | | snort | Snort NIDS format |
| csv | CSV format | | csv | CSV format |
| rpz | Response policy zone format |
| text | Raw value list format |
+----------+------------------------------------------------+ +----------+------------------------------------------------+
2.2.2. limit 2.2.2. limit
limit MAY be present. If present, the page parameter MUST also be
supplied. limit sets the number of returned elements when paginating,
depending on the scope of the request (x number of attributes or x
number of events) as converted into the output format.
2.2.3. page 2.2.3. page
2.2.4. value page MAY be present. If present, the page parameter MUST also be
supplied. page generates the offset for the pagination and will
2.2.5. type return a result set consisting of a slice of the query results
starting with offset (limit * page) + 1 and ending with (limit *
2.2.6. category (page+1)).
3. Security Considerations
MISP threat intelligence instances might contain sensitive or
confidential information. Adequate access control and encryption
measures shall be implemented to ensure the confidentiality of the
threat intelligence.
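Review bot: the page section (2.2.3) reads "page MAY be present. If present, the page parameter MUST also be supplied", which is circular; by symmetry with 2.2.2 ("limit MAY be present. If present, the page parameter MUST also be supplied") it should require the limit parameter. Fix the sentence in the markdown source and regenerate, since the same text is carried into the html and xml outputs of this change.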
@ -170,11 +170,62 @@ Dulaunoy & Iklody Expires April 11, 2019 [Page 3]
Internet-Draft MISP query format October 2018 Internet-Draft MISP query format October 2018
2.2.4. value
value MAY be present. If set, the returned data set will be filtered
on the attribute value field. value MAY be a string or a sub-string,
the latter of which start with, ends with or is encapsulated in
wildcard (\%) characters.
2.2.5. type
type MAY be present. If set, the returned data set will be filtered
on the attribute type field. type MAY be a string or a sub-string,
the latter of which start with, ends with or is encapsulated in
wildcard (\%) characters. The list of valid attribute types is
described in the MISP core format [MISP-C] in the attribute type
section.
2.2.6. category
category MAY be present. If set, the returned data set will be
filtered on the attribute category field. category MAY be a string or
a sub-string, the latter of which start with, ends with or is
encapsulated in wildcard (\%) characters. The list of valid
categories is described in the MISP core format [MISP-C] in the
attribute type section.
A sample query to lookup for the last 30 days of indicators in the
"Financial fraud" category and output in CSV format:
{
"returnFormat": "csv",
"last": "30d",
"category": "Financial fraud"
}
3. Security Considerations
MISP threat intelligence instances might contain sensitive or
confidential information. Adequate access control and encryption
measures shall be implemented to ensure the confidentiality of the
threat intelligence.
Adversaries might include malicious content in MISP queries. Adversaries might include malicious content in MISP queries.
Implementation MUST consider the input of malicious inputs beside the Implementation MUST consider the input of malicious inputs beside the
standard threat information that might already include malicious standard threat information that might already include malicious
intended inputs. intended inputs.
Dulaunoy & Iklody Expires April 11, 2019 [Page 4]
Internet-Draft MISP query format October 2018
4. Acknowledgements 4. Acknowledgements
The authors wish to thank all the MISP community who are supporting The authors wish to thank all the MISP community who are supporting
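Review bot: the new Security Considerations paragraph is hard to parse ("Implementation MUST consider the input of malicious inputs beside the standard threat information that might already include malicious intended inputs") and conflates two different concerns. Suggest splitting it: (1) implementations MUST treat query parameters as untrusted input and validate them before use, in particular the wildcard-bearing value, type and category filters of 2.2.4 to 2.2.6 and the limit/page pagination values; (2) the returned data set may legitimately contain malicious content (indicators), so consumers MUST NOT interpret or execute returned values.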
@ -221,7 +272,12 @@ Authors' Addresses
Dulaunoy & Iklody Expires April 11, 2019 [Page 4]
Dulaunoy & Iklody Expires April 11, 2019 [Page 5]
Internet-Draft MISP query format October 2018 Internet-Draft MISP query format October 2018
@ -277,4 +333,4 @@ Internet-Draft MISP query format October 2018
Dulaunoy & Iklody Expires April 11, 2019 [Page 5] Dulaunoy & Iklody Expires April 11, 2019 [Page 6]

View File

@ -101,22 +101,44 @@ document are to be interpreted as described in RFC 2119 <xref target="RFC2119"/>
<c>suricata</c><c>Suricata NIDS format</c> <c>suricata</c><c>Suricata NIDS format</c>
<c>snort</c><c>Snort NIDS format</c> <c>snort</c><c>Snort NIDS format</c>
<c>csv</c><c>CSV format</c> <c>csv</c><c>CSV format</c>
<c>rpz</c><c>Response policy zone format</c>
<c>text</c><c>Raw value list format</c>
</texttable> </texttable>
</section> </section>
<section anchor="limit" title="limit"> <section anchor="limit" title="limit">
<t>limit MAY be present. If present, the page parameter MUST also be supplied. limit sets the number of returned elements when paginating, depending on the scope of the request (x number of attributes or x number of events) as converted into the output format.
</t>
</section> </section>
<section anchor="page" title="page"> <section anchor="page" title="page">
<t>page MAY be present. If present, the page parameter MUST also be supplied. page generates the offset for the pagination and will return a result set consisting of a slice of the query results starting with offset (limit * page) + 1 and ending with (limit * (page+1)).
</t>
</section> </section>
<section anchor="value" title="value"> <section anchor="value" title="value">
<t>value MAY be present. If set, the returned data set will be filtered on the attribute value field. value MAY be a string or a sub-string, the latter of which start with, ends with or is encapsulated in wildcard (\%) characters.
</t>
</section> </section>
<section anchor="type" title="type"> <section anchor="type" title="type">
<t>type MAY be present. If set, the returned data set will be filtered on the attribute type field. type MAY be a string or a sub-string, the latter of which start with, ends with or is encapsulated in wildcard (\%) characters. The list of valid attribute types is described in the MISP core format <xref target="MISP-C"/> in the attribute type section.
</t>
</section> </section>
<section anchor="category" title="category"> <section anchor="category" title="category">
<t>category MAY be present. If set, the returned data set will be filtered on the attribute category field. category MAY be a string or a sub-string, the latter of which start with, ends with or is encapsulated in wildcard (\%) characters. The list of valid categories is described in the MISP core format <xref target="MISP-C"/> in the attribute type section.
</t>
<t>A sample query to lookup for the last 30 days of indicators in the <spanx style="verb">Financial fraud</spanx> category and output in CSV format:
</t>
<figure align="center"><artwork align="center">
{
"returnFormat": "csv",
"last": "30d",
"category": "Financial fraud"
}
</artwork></figure>
</section> </section>
</section> </section>
</section> </section>
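Review bot: the two rows added to the returnFormat table (rpz, text) carry only a label, unlike the pagination and filter sections, which spell out their semantics; state what "Raw value list format" contains (one attribute value per line, with or without deduplication), and for "Response policy zone format" which attribute types are emitted as RPZ entries and what happens to attributes in the result set that cannot be expressed in that format.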