Latest export added

pull/6/head
Alexandre Dulaunoy 2016-10-16 12:13:34 +02:00
parent 04da2cbcb1
commit 89ef0d5e83
1 changed files with 30 additions and 30 deletions


@ -83,7 +83,7 @@ Table of Contents
1. Introduction 1. Introduction
Sharing threat information became a fundamental requirements in the Sharing threat information became a fundamental requirements on the
Internet, security and intelligence community at large. Threat Internet, security and intelligence community at large. Threat
information can include indicators of compromise, malicious file information can include indicators of compromise, malicious file
indicators, financial fraud indicators or even detailed information indicators, financial fraud indicators or even detailed information
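Review bot: the first changed line still reads "became a fundamental requirements", which pairs a singular article with a plural noun, and swapping "in the" for "on the" does not fix the sentence. Suggest "has become a fundamental requirement in the Internet, security and intelligence communities" so the preposition applies to all three communities.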
@ -94,16 +94,16 @@ Table of Contents
vocabularies that can be used in threat information sharing. vocabularies that can be used in threat information sharing.
Machine tags were introduced in 2007 [machine-tags] to allow users to Machine tags were introduced in 2007 [machine-tags] to allow users to
be more precise when tagging their picture with geolocation. So a be more precise when tagging their pictures with geolocation. So a
machine tag is a tag which use a special syntax to provide more machine tag is a tag which uses a special syntax to provide more
information to user and machines. Machine tags are also known as information to users and machines. Machine tags are also known as
triple tags due to the their format. triple tags due to their format.
In MISP taxonomy context, machine tags help analysts to classify In the MISP taxonomy context, machine tags help analysts to classify
their cybersecurity events, indicators or threats. MISP taxonomy can their cybersecurity events, indicators or threats. MISP taxonomies
be used for classification, filtering, triggering action or can be used for classification, filtering, triggering actions or
visualization depending on their use in threat intelligence platforms visualisation depending on their use in threat intelligence platforms
like MISP [MISP-P]. such as MISP [MISP-P].
@ -125,9 +125,9 @@ Internet-Draft MISP taxonomy format October 2016
A machine tag is composed of a namespace (MUST), a predicate (MUST) A machine tag is composed of a namespace (MUST), a predicate (MUST)
and an optional value (OPTIONAL). and an optional value (OPTIONAL).
Machine tags are represented as a string. Below a set of sample Machine tags are represented as a string. Below listed are a set of
machine tags for different namespaces like tlp, admiralty-scale or sample machine tags for different namespaces such as tlp, admiralty-
osint. scale and osint.
tlp:amber tlp:amber
admiralty-scale:information-credibility="1" admiralty-scale:information-credibility="1"
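Review bot: the re-wrapped sentence now breaks the namespace name across two lines as "admiralty-" / "scale", which in a document defining tag syntax can be read as a different name from the "admiralty-scale" used in the sample below. Keep the namespace on one line, and consider "Below is a set of sample machine tags" in place of "Below listed are a set of".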
@ -135,14 +135,13 @@ Internet-Draft MISP taxonomy format October 2016
The MISP taxonomy format describes how to define a machine tag The MISP taxonomy format describes how to define a machine tag
namespace in a parseable format. The objective is to provide a namespace in a parseable format. The objective is to provide a
simple format to describe machine tags (aka triple tags) simple format to describe machine tag (aka triple tag) vocabularies.
vocabularies.
2.1. Overview 2.1. Overview
The MISP taxonomy format uses the JSON [RFC4627] format. Each The MISP taxonomy format uses the JSON [RFC4627] format. Each
namespace is represented as a JSON object with meta information namespace is represented as a JSON object with meta information
including the following fields namespace, description, version. including the following fields: namespace, description, version.
namespace defines the overall namespace of the machine tag. The namespace defines the overall namespace of the machine tag. The
namespace is represented as a string and MUST be present. The namespace is represented as a string and MUST be present. The
@ -154,14 +153,15 @@ Internet-Draft MISP taxonomy format October 2016
predicates MUST be present and MUST at least content one element. predicates MUST be present and MUST at least content one element.
values defines all the values for each predicate in the namespace values defines all the values for each predicate in the namespace
defined. values SHOULD ne present. defined. values SHOULD be present.
2.2. predicates 2.2. predicates
predicates array contain one or more JSON objects which lists all the The predicates array contains one or more JSON objects which lists
possible predicate. The JSON object contains two fields: value and all the possible predicates. The JSON object contains two fields:
expanded. value and expanded MUST be present. value is represented as value and expanded. value and expanded MUST be present. value is
a string and describes the predicate value. The predicate value MUST represented as a string and describes the predicate value. The
predicate value MUST not contain spaces or colons. expanded is
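Review bot: "MUST not contain spaces or colons" is a normative restriction on the characters that delimit a machine tag, so the keyword should be written "MUST NOT" in capitals, like the other requirement keywords in the draft. While this paragraph is being touched, the context line "MUST at least content one element" should read "contain", and "JSON objects which lists" should be "list".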
@ -170,18 +170,18 @@ Dulaunoy & Iklody Expires April 16, 2017 [Page 3]
Internet-Draft MISP taxonomy format October 2016 Internet-Draft MISP taxonomy format October 2016
not contain spaces or colons. expanded is represented as a string and represented as a string and describes the human-readable version of
describes the human-readable version of the predicate value. the predicate value.
2.3. values 2.3. values
values array contain one or more JSON objects which lists all the The values array contain one or more JSON objects which lists all the
possible values of a predicate. The JSON object contain two fields: possible values of a predicate. The JSON object contains two fields:
predicate and entry. predicate is represented as a string and predicate and entry. predicate is represented as a string and
describes the predicate value. entry is an array with one or more describes the predicate value. entry is an array with one or more
JSON objects. The JSON object contains two fields: value and JSON objects. The JSON object contains two fields: value and
expanded. value and expanded MUST be present. value is represented as expanded. value and expanded MUST be present. value is represented as
a string and describe the value machine parsable. expanded is a string and describes the machine parsable value. expanded is
represented as a string and describes the human-readable version of represented as a string and describes the human-readable version of
the value. the value.
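Review bot: the new opening "The values array contain one or more JSON objects which lists" still has the subject-verb mismatch that the matching predicates paragraph fixed with "contains". Suggest "The values array contains one or more JSON objects which list all the possible values of a predicate".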
@ -190,7 +190,7 @@ Internet-Draft MISP taxonomy format October 2016
2.4.1. colour 2.4.1. colour
colour fields MAY be used at predicates or values level to set a colour fields MAY be used at predicates or values level to set a
specify colour that *MAY** be used by the implementation. The colour specify colour that MAY be used by the implementation. The colour
field is described as an RGB colour fill in hexadecimal field is described as an RGB colour fill in hexadecimal
representation. representation.
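Review bot: "set a specify colour" on the changed line is still a typo for "specific colour". The following sentence, "an RGB colour fill in hexadecimal representation", also leaves the exact form open (leading "#" or not, number of digits); stating it would let implementations validate the field before passing it to a renderer.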
@ -217,7 +217,7 @@ Internet-Draft MISP taxonomy format October 2016
description fields MAY be used at predicates or values level to add a description fields MAY be used at predicates or values level to add a
descriptive and human-readable information about the specific descriptive and human-readable information about the specific
predicate or value. The field is represented as a string. predicate or value. The field is represented as a string.
Implementations *_MAY_ use the description field to improve more Implementations MAY use the description field to improve more
@ -231,9 +231,9 @@ Internet-Draft MISP taxonomy format October 2016
2.4.3. numerical_value 2.4.3. numerical_value
numerical_value fields MAY be used at predicates or values level to numerical_value fields MAY be used at a predicate or value level to
add a machine-readable numeric value to a specific predicate or add a machine-readable numeric value to a specific predicate or
value. The field is represented as JSON number. Implementations value. The field is represented as a JSON number. Implementations
SHOULD use the decimal value provided to support scoring or SHOULD use the decimal value provided to support scoring or
filtering. filtering.
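Review bot: the changed first line now says "at a predicate or value level" while the colour and description sections keep "at predicates or values level", so the three optional-field sections are no longer worded alike; pick one form for all three. The paragraph also calls the field "a JSON number" and then "the decimal value"; use one term, and say whether non-integer or negative numbers are allowed, since the value feeds scoring and filtering.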