mirror of https://github.com/MISP/misp-rfc
Latest export added
parent
04da2cbcb1
commit
89ef0d5e83
|
@ -83,7 +83,7 @@ Table of Contents
|
|||
|
||||
1. Introduction
|
||||
|
||||
Sharing threat information became a fundamental requirements in the
|
||||
Sharing threat information became a fundamental requirements on the
|
||||
Internet, security and intelligence community at large. Threat
|
||||
information can include indicators of compromise, malicious file
|
||||
indicators, financial fraud indicators or even detailed information
|
||||
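Review bot: The replacement first sentence of the Introduction still has a number mismatch, "a fundamental requirements", and swapping "in the" for "on the" makes the phrase read "on the Internet, security and intelligence community at large", which no longer parses as a single list of communities. Suggest "a fundamental requirement in the Internet, security and intelligence community at large".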
|
@ -94,16 +94,16 @@ Table of Contents
|
|||
vocabularies that can be used in threat information sharing.
|
||||
|
||||
Machine tags were introduced in 2007 [machine-tags] to allow users to
|
||||
be more precise when tagging their picture with geolocation. So a
|
||||
machine tag is a tag which use a special syntax to provide more
|
||||
information to user and machines. Machine tags are also known as
|
||||
triple tags due to the their format.
|
||||
be more precise when tagging their pictures with geolocation. So a
|
||||
machine tag is a tag which uses a special syntax to provide more
|
||||
information to users and machines. Machine tags are also known as
|
||||
triple tags due to their format.
|
||||
|
||||
In MISP taxonomy context, machine tags help analysts to classify
|
||||
their cybersecurity events, indicators or threats. MISP taxonomy can
|
||||
be used for classification, filtering, triggering action or
|
||||
visualization depending on their use in threat intelligence platforms
|
||||
like MISP [MISP-P].
|
||||
In the MISP taxonomy context, machine tags help analysts to classify
|
||||
their cybersecurity events, indicators or threats. MISP taxonomies
|
||||
can be used for classification, filtering, triggering actions or
|
||||
visualisation depending on their use in threat intelligence platforms
|
||||
such as MISP [MISP-P].
|
||||
|
||||
|
||||
|
||||
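Review bot: "Machine tags are also known as triple tags due to their format" refers to a format the Introduction never states, so the reader has to wait for the later sentence "A machine tag is composed of a namespace (MUST), a predicate (MUST) and an optional value (OPTIONAL)" to understand the name. Suggest naming the three parts here or pointing to the section that defines them. The rest of the rewording (pictures, uses, users, taxonomies, actions) reads correctly.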
|
@ -125,9 +125,9 @@ Internet-Draft MISP taxonomy format October 2016
|
|||
A machine tag is composed of a namespace (MUST), a predicate (MUST)
|
||||
and an optional value (OPTIONAL).
|
||||
|
||||
Machine tags are represented as a string. Below a set of sample
|
||||
machine tags for different namespaces like tlp, admiralty-scale or
|
||||
osint.
|
||||
Machine tags are represented as a string. Below listed are a set of
|
||||
sample machine tags for different namespaces such as tlp, admiralty-
|
||||
scale and osint.
|
||||
|
||||
tlp:amber
|
||||
admiralty-scale:information-credibility="1"
|
||||
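Review bot: The new sentence "Below listed are a set of sample machine tags" is ungrammatical, and the re-wrap now breaks the namespace name across two lines as "admiralty-" / "scale", which invites a reader to copy it with a space. Suggest "A set of sample machine tags for different namespaces, such as tlp, admiralty-scale and osint, is listed below" and wrapping so that admiralty-scale stays on one line, matching the sample tag admiralty-scale:information-credibility="1" that follows.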
|
@ -135,14 +135,13 @@ Internet-Draft MISP taxonomy format October 2016
|
|||
|
||||
The MISP taxonomy format describes how to define a machine tag
|
||||
namespace in a parseable format. The objective is to provide a
|
||||
simple format to describe machine tags (aka triple tags)
|
||||
vocabularies.
|
||||
simple format to describe machine tag (aka triple tag) vocabularies.
|
||||
|
||||
2.1. Overview
|
||||
|
||||
The MISP taxonomy format uses the JSON [RFC4627] format. Each
|
||||
namespace is represented as a JSON object with meta information
|
||||
including the following fields namespace, description, version.
|
||||
including the following fields: namespace, description, version.
|
||||
|
||||
namespace defines the overall namespace of the machine tag. The
|
||||
namespace is represented as a string and MUST be present. The
|
||||
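Review bot: Style point on the rewrapped sentence in section 2: "(aka triple tag)" is informal for a specification, and "also known as triple tag" would match the wording already used in the Introduction. In 2.1 the added colon is right, but the field list "namespace, description, version" would read better with a closing "and".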
|
@ -154,14 +153,15 @@ Internet-Draft MISP taxonomy format October 2016
|
|||
predicates MUST be present and MUST at least content one element.
|
||||
|
||||
values defines all the values for each predicate in the namespace
|
||||
defined. values SHOULD ne present.
|
||||
defined. values SHOULD be present.
|
||||
|
||||
2.2. predicates
|
||||
|
||||
predicates array contain one or more JSON objects which lists all the
|
||||
possible predicate. The JSON object contains two fields: value and
|
||||
expanded. value and expanded MUST be present. value is represented as
|
||||
a string and describes the predicate value. The predicate value MUST
|
||||
The predicates array contains one or more JSON objects which lists
|
||||
all the possible predicates. The JSON object contains two fields:
|
||||
value and expanded. value and expanded MUST be present. value is
|
||||
represented as a string and describes the predicate value. The
|
||||
predicate value MUST not contain spaces or colons. expanded is
|
||||
|
||||
|
||||
|
||||
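Review bot: In the reflowed 2.2 paragraph the constraint is written "MUST not contain spaces or colons", with a lowercase "not". The requirement keyword should be the capitalised "MUST NOT" so that it is read as normative, consistent with the capitalised MUST, SHOULD and MAY elsewhere in the draft. Two smaller points in the same hunk: "JSON objects which lists" should be "which list", and the unchanged line "MUST at least content one element" still says "content" where "contain" is meant.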
|
@ -170,18 +170,18 @@ Dulaunoy & Iklody Expires April 16, 2017 [Page 3]
|
|||
Internet-Draft MISP taxonomy format October 2016
|
||||
|
||||
|
||||
not contain spaces or colons. expanded is represented as a string and
|
||||
describes the human-readable version of the predicate value.
|
||||
represented as a string and describes the human-readable version of
|
||||
the predicate value.
|
||||
|
||||
2.3. values
|
||||
|
||||
values array contain one or more JSON objects which lists all the
|
||||
possible values of a predicate. The JSON object contain two fields:
|
||||
The values array contain one or more JSON objects which lists all the
|
||||
possible values of a predicate. The JSON object contains two fields:
|
||||
predicate and entry. predicate is represented as a string and
|
||||
describes the predicate value. entry is an array with one or more
|
||||
JSON objects. The JSON object contains two fields: value and
|
||||
expanded. value and expanded MUST be present. value is represented as
|
||||
a string and describe the value machine parsable. expanded is
|
||||
a string and describes the machine parsable value. expanded is
|
||||
represented as a string and describes the human-readable version of
|
||||
the value.
|
||||
|
||||
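Review bot: The rewritten opening of 2.3 adds the article but leaves the verb unconjugated: "The values array contain one or more JSON objects which lists", whereas the matching sentence in 2.2 was changed to "The predicates array contains". Suggest "The values array contains one or more JSON objects which list". The new wording "machine parsable value" also spells the word differently from "parseable format" in section 2; pick one spelling for the whole document.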
|
@ -190,7 +190,7 @@ Internet-Draft MISP taxonomy format October 2016
|
|||
2.4.1. colour
|
||||
|
||||
colour fields MAY be used at predicates or values level to set a
|
||||
specify colour that *MAY** be used by the implementation. The colour
|
||||
specify colour that MAY be used by the implementation. The colour
|
||||
field is described as an RGB colour fill in hexadecimal
|
||||
representation.
|
||||
|
||||
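Review bot: The change in 2.4.1 removes the stray emphasis markup around MAY but keeps "to set a specify colour", which looks like a typo for "a specific colour". Worth fixing in the same pass since the line is being touched anyway.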
|
@ -217,7 +217,7 @@ Internet-Draft MISP taxonomy format October 2016
|
|||
description fields MAY be used at predicates or values level to add a
|
||||
descriptive and human-readable information about the specific
|
||||
predicate or value. The field is represented as a string.
|
||||
Implementations *_MAY_ use the description field to improve more
|
||||
Implementations MAY use the description field to improve more
|
||||
|
||||
|
||||
|
||||
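Review bot: The unchanged lead sentence of this paragraph, "description fields MAY be used at predicates or values level to add a descriptive and human-readable information", still carries an article before an uncountable noun. Since the hunk already cleans up the markup on the following MAY, suggest also dropping the "a" so it reads "to add descriptive and human-readable information".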
|
@ -231,9 +231,9 @@ Internet-Draft MISP taxonomy format October 2016
|
|||
|
||||
2.4.3. numerical_value
|
||||
|
||||
numerical_value fields MAY be used at predicates or values level to
|
||||
numerical_value fields MAY be used at a predicate or value level to
|
||||
add a machine-readable numeric value to a specific predicate or
|
||||
value. The field is represented as JSON number. Implementations
|
||||
value. The field is represented as a JSON number. Implementations
|
||||
SHOULD use the decimal value provided to support scoring or
|
||||
filtering.
|
||||
|
||||
|
|
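Review bot: In 2.4.3 the field is defined as "a JSON number" but the next sentence tells implementations to use "the decimal value provided", and nothing says whether fractional or negative numbers are allowed or what range scoring should expect. Suggest stating the permitted range and type so that two implementations filter on the same scale. Separately, the new phrasing "at a predicate or value level" no longer matches "at predicates or values level" in the colour and description sections; apply one form to all three.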