From 2b3bdb89c1c1f3f7466fb5874a38ea377569bac9 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 9 May 2018 15:42:49 +0200
Subject: [PATCH 1/5] Internet-Draft 02 published
---
.../draft-dulaunoy-misp-galaxy-format-02.xml | 249 ++++++++++++++++++
1 file changed, 249 insertions(+)
create mode 100755 misp-galaxy-format/draft-dulaunoy-misp-galaxy-format-02.xml
diff --git a/misp-galaxy-format/draft-dulaunoy-misp-galaxy-format-02.xml b/misp-galaxy-format/draft-dulaunoy-misp-galaxy-format-02.xml
new file mode 100755
index 0000000..5ee3b60
--- /dev/null
+++ b/misp-galaxy-format/draft-dulaunoy-misp-galaxy-format-02.xml
@@ -0,0 +1,249 @@
+
+
+
+
+
+
+
+
+
+
+
+
+MISP galaxy format
+
+
+Computer Incident Response Center Luxembourg
+
+
+16, bd d'Avranches
+Luxembourg
+L-1611
+Luxembourg
+
+
++352 247 88444
+alexandre.dulaunoy@circl.lu
+
+
+
+
+Computer Incident Response Center Luxembourg
+
+
+ 16, bd d'Avranches
+Luxembourg
+L-1611
+Luxembourg
+
+
++352 247 88444
+andras.iklody@circl.lu
+
+
+
+
+Computer Incident Response Center Luxembourg
+
+
+ 16, bd d'Avranches
+Luxembourg
+L-1611
+Luxembourg
+
+
++352 247 88444
+deborah.servili@circl.lu
+
+
+
+
+
+Security
+
+
+
+
+This document describes the MISP galaxy format which describes a simple JSON format to represent galaxies and clusters that can be attached to MISP events or attributes. A public directory of MISP galaxies is available and relies on the MISP galaxy format. MISP galaxies are used to add further informations on a MISP event. MISP galaxy is a public repository of known malware, threats actors and various other collections of data that can be used to mark, classify or label data in threat information sharing.
+
+
+
+
+
+
+
+
+
+Sharing threat information became a fundamental requirements on the Internet, security and intelligence community at large. Threat information can include indicators of compromise, malicious file indicators, financial fraud indicators or even detailed information about a threat actor. Some of these informations, such as malware or threat actors are common to several security events. MISP galaxy is a public repository of known malware, threats actors and various other collections of data that can be used to mark, classify or label data in threat information sharing.
+
+In the MISP galaxy context, clusters help analysts to give more informations about their cybersecurity events, indicators or threats. MISP galaxies can be used for classification, filtering, triggering actions or visualisation depending on their use in threat intelligence platforms such as MISP .
+
+
+
+The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+document are to be interpreted as described in RFC 2119 .
+
+
+
+
+
+A cluster is composed of a value (MUST), a description (OPTIONAL) and metadata (OPTIONAL).
+
+Clusters are represented as a JSON dictionary.
+
+
+
+The MISP galaxy format uses the JSON format. Each galaxy is represented as a JSON object with meta information including the following fields: name, uuid, description, version, type, authors, source, values.
+
+name defines the name of the galaxy. The name is represented as a string and MUST be present. The uuid represents the Universally Unique IDentifier (UUID) of the object reference. The uuid MUST be preserved. For any updates or transfer of the same object reference. UUID version 4 is RECOMMENDED when assigning it to a new object reference and MUST be present. The description is represented as a string and MUST be present. The uuid is represented as a string and MUST be present. The version is represented as a decimal and MUST be present. The source is represented as a string and MUST be present. Authors are represented as an array containing one or more authors and MUST be present.
+
+Values are represented as an array containing one or more values and MUST be present. Values defines all values available in the galaxy.
+
+
+
+
+The values array contains one or more JSON objects which represent all the possible values in the galaxy. The JSON object contains four fields: value, description, uuid and meta.
+The value is represented as a string and MUST be present. The description is represented as a string and SHOULD be present. The meta or metadata is represented as a JSON list and SHOULD be present.
+The uuid represents the Universally Unique IDentifier (UUID) of the value reference. The uuid SHOULD can be present and MUST be preserved.
+
+
+
+
+Meta contains a list of custom defined JSON key value pairs. Users SHOULD reuse commonly used keys such as 'properties, complexity, effectiveness, country, possible_issues, colour, motive, impact, refs, synonyms, derivated_from, status, date, encryption, extensions, ransomnotes' wherever applicable.
+
+properties is used to provide clusters with additional properties. Properties are represented as an array containing one or more strings ans MAY be present.
+
+derivated_from, refs, synonyms SHALL be used to give further informations. refs is represented as an array containing one or more strings and SHALL be present. synonyms is represented as an array containing one or more strings and SHALL be present. derivated_from is represented as an array containing one or more strings and SHALL be present.
+
+date, status MAY be used to give time information about an cluster. date is represented as a string describing a time or period and SHALL be present. status is represented as a string describing the current status of the clusters. It MAY also describe a time or period and SHALL be present.
+
+colour fields MAY be used at predicates or values level to set a specify colour that MAY be used by the implementation. The colour field is described as an RGB colour fill in hexadecimal representation.
+
+complexity, effectiveness, impact, possible_issues MAY be used to give further information in preventive-measure galaxy. complexity is represented by an enumerated value from a fixed vocabulary and SHALL be present. effectiveness is represented by an enumerated value from a fixed vocabulary and SHALL be present. impact is represented by an enumerated value from a fixed vocabulary and SHALL be present. possible_issues is represented as a string and SHOULD be present.
+
+Example use of the complexity, effectiveness, impact, possible_issues fields in the preventive-measure galaxy:
+
+
+
+country, motive MAY be used to give further information in threat-actor galaxy. country is represented as a string and SHOULD be present. motive is represented as a string and SHOULD be present.
+
+Example use of the country, motive fields in the threat-actor galaxy:
+
+
+
+encryption, extensions, ransomnotes MAY be used to give further information in ransomware galaxy. encryption is represented as a string and SHALL be present. extensions is represented as an array containing one or more strings and SHALL be present. ransomnotes is represented as an array containing one or more strings ans SHALL be present.
+
+Example use of the encryption, extensions, ransomnotes fields in the ransomware galaxy:
+
+
+
+source-uuid, target-uuid SHALL be used to describe relationships. source-uuid and target-uuid represent the Universally Unique IDentifier (UUID) of the value reference. source-uuid and target-uuid MUST be preserved.
+
+Example use of the source-uuid, target-uuid fields in the mitre-enterprise-attack-relationship galaxy:
+
+
+
+
+
+
+
+The authors wish to thank all the MISP community who are supporting the creation
+of open standards in threat intelligence sharing.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ MISP Galaxy -
+
+
+
+
+
+
+ MISP Project - Malware Information Sharing Platform and Threat Sharing
+
+
+
+
+
+
+
+
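Review bot: The requirement level for a cluster value's uuid is self-contradictory: `The uuid SHOULD can be present and MUST be preserved` mixes two keywords and should read `The uuid SHOULD be present and MUST be preserved.` Two paragraphs earlier the galaxy-level uuid text is broken into a fragment (`The uuid MUST be preserved. For any updates or transfer of the same object reference.`) that should be one sentence, `The uuid MUST be preserved for any updates or transfer of the same object reference.` The colour meta key is described only as an RGB fill in hexadecimal; since the text says implementations may use it for rendering, stating a concrete form such as `#RRGGBB` would let consumers validate the value instead of passing it through untouched. I am reading the draft with its XML markup stripped, so section boundaries here are inferred.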
From 003d2794efc7b3b50e0937591b19e5382d4201c2 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 9 May 2018 15:58:26 +0200
Subject: [PATCH 2/5] Index updated
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 5056e69..fa85ef8 100755
--- a/README.md
+++ b/README.md
@@ -11,7 +11,7 @@ All the formats can be freely reused by everyone.
* [misp-core-format](misp-core-format/raw.md.txt) ([markdown source](misp-core-format/raw.md)) which describes the core JSON format of MISP. Current Internet-Draft: [04](https://tools.ietf.org/html/draft-dulaunoy-misp-core-format)
* [misp-taxonomy-format](misp-taxonomy-format/raw.md.txt) ([markdown source](misp-taxonomy-format/raw.md)) which describes the taxonomy JSON format of MISP. Current Internet-Draft: [04](https://tools.ietf.org/html/draft-dulaunoy-misp-taxonomy-format)
-* [misp-galaxy-format](misp-galaxy-format/raw.md.txt) which describes the [galaxy](https://github.com/MISP/misp-galaxy) template format used to expand the threat actor modelling of MISP. Current Internet-Draft: [01](https://datatracker.ietf.org/doc/draft-dulaunoy-misp-galaxy-format/)
+* [misp-galaxy-format](misp-galaxy-format/raw.md.txt) which describes the [galaxy](https://github.com/MISP/misp-galaxy) template format used to expand the threat actor modelling of MISP. Current Internet-Draft: [02](https://datatracker.ietf.org/doc/draft-dulaunoy-misp-galaxy-format/)
* [misp-object-template-format](misp-object-template-format/raw.md.txt) which describes the [object](https://github.com/MISP/misp-objects) template format to add combinedand composite object to the MISP core format. Current Internet-Draft: [01](https://datatracker.ietf.org/doc/draft-dulaunoy-misp-object-template-format/)
## MISP Format in design phase and implemented in at least one software prototype
From 3430e4325ffa9fd7b2f9707e58da18ba74e362bb Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 1 Jun 2018 10:55:35 +0200
Subject: [PATCH 3/5] chg: Internet-Draft of MISP taxonomy format updated
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index fa85ef8..39a2492 100755
--- a/README.md
+++ b/README.md
@@ -10,7 +10,7 @@ All the formats can be freely reused by everyone.
## MISP Formats in use and implemented in multiple software
* [misp-core-format](misp-core-format/raw.md.txt) ([markdown source](misp-core-format/raw.md)) which describes the core JSON format of MISP. Current Internet-Draft: [04](https://tools.ietf.org/html/draft-dulaunoy-misp-core-format)
-* [misp-taxonomy-format](misp-taxonomy-format/raw.md.txt) ([markdown source](misp-taxonomy-format/raw.md)) which describes the taxonomy JSON format of MISP. Current Internet-Draft: [04](https://tools.ietf.org/html/draft-dulaunoy-misp-taxonomy-format)
+* [misp-taxonomy-format](misp-taxonomy-format/raw.md.txt) ([markdown source](misp-taxonomy-format/raw.md)) which describes the taxonomy JSON format of MISP. Current Internet-Draft: [05](https://tools.ietf.org/html/draft-dulaunoy-misp-taxonomy-format)
* [misp-galaxy-format](misp-galaxy-format/raw.md.txt) which describes the [galaxy](https://github.com/MISP/misp-galaxy) template format used to expand the threat actor modelling of MISP. Current Internet-Draft: [02](https://datatracker.ietf.org/doc/draft-dulaunoy-misp-galaxy-format/)
* [misp-object-template-format](misp-object-template-format/raw.md.txt) which describes the [object](https://github.com/MISP/misp-objects) template format to add combinedand composite object to the MISP core format. Current Internet-Draft: [01](https://datatracker.ietf.org/doc/draft-dulaunoy-misp-object-template-format/)
From d00db387635d702b8ea92417b89943186614d8d2 Mon Sep 17 00:00:00 2001
From: Nicolas Bareil
Date: Mon, 4 Jun 2018 10:00:41 +0200
Subject: [PATCH 4/5] Update raw.md
---
misp-core-format/raw.md | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/misp-core-format/raw.md b/misp-core-format/raw.md
index 7abac51..7eddc03 100755
--- a/misp-core-format/raw.md
+++ b/misp-core-format/raw.md
@@ -677,6 +677,7 @@ A MISP document containing an Object **MUST** contain a name, a meta-category, a
"deleted": false,
"ObjectReference": [],
"Attribute": [
+ {
"id": "7822",
"type": "filename",
"category": "Payload delivery",
@@ -693,7 +694,8 @@ A MISP document containing an Object **MUST** contain a name, a meta-category, a
"object_relation": "filename",
"value": "StarCraft.exe",
"ShadowAttribute": []
- ]
+ }
+ ]
}
~~~~~
From 7fc9b3f254d1c69debffc984548b504562ea75fe Mon Sep 17 00:00:00 2001
From: Nicolas Bareil
Date: Mon, 4 Jun 2018 14:30:40 +0200
Subject: [PATCH 5/5] Updating JSON Schema
---
misp-core-format/raw.md | 217 +++++++++++++++++++++++++++++++++++++++-
1 file changed, 216 insertions(+), 1 deletion(-)
diff --git a/misp-core-format/raw.md b/misp-core-format/raw.md
index 7eddc03..f0dc66d 100755
--- a/misp-core-format/raw.md
+++ b/misp-core-format/raw.md
@@ -1215,6 +1215,161 @@ or parsing.
}
}
},
+ "object": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "uuid": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "event_id": {
+ "type": "string"
+ },
+ "description": {
+ "type": "string"
+ },
+ "template_uuid": {
+ "type": "string"
+ },
+ "template_version": {
+ "type": "string"
+ },
+ "id": {
+ "type": "string"
+ },
+ "meta-category": {
+ "type": "string"
+ },
+ "deleted": {
+ "type": "boolean"
+ },
+ "timestamp": {
+ "type": "string"
+ },
+ "distribution": {
+ "type": "string"
+ },
+ "sharing_group_id": {
+ "type": "string"
+ },
+ "comment": {
+ "type": "string"
+ },
+ "ObjectReference": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/defs/objectreference"
+ }
+ },
+ "Attribute": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/defs/attribute"
+ }
+ }
+ }
+ },
+ "sighthing": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "id": {
+ "type": "string"
+ },
+ "attribute_id": {
+ "type": "string"
+ },
+ "event_id": {
+ "type": "string"
+ },
+ "source": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ },
+ "org_id": {
+ "type": "string"
+ },
+ "date_sighting": {
+ "type": "string"
+ },
+ "uuid": {
+ "type": "string"
+ },
+ "Organisation": {
+ "$ref": "#/defs/organisation"
+ }
+ }
+ },
+ "organisation": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "id": {
+ "type": "string"
+ },
+ "uuid": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ }
+ }
+ },
+ "objectreference": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "deleted": {
+ "type": "boolean"
+ },
+ "object_id": {
+ "type": "string"
+ },
+ "event_id": {
+ "type": "string"
+ },
+ "timestamp": {
+ "type": "string"
+ },
+ "id": {
+ "type": "string"
+ },
+ "uuid": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ },
+ "referenced_id": {
+ "type": "string"
+ },
+ "referenced_uuid": {
+ "type": "string"
+ },
+ "referenced_type": {
+ "type": "string"
+ },
+ "relationship_type": {
+ "type": "string"
+ },
+ "object_uuid": {
+ "type": "string"
+ },
+ "comment": {
+ "type": "string"
+ },
+ "Object": {
+ "$ref": "#/defs/object"
+ }
+ }
+ },
"attribute": {
"type": "object",
"additionalProperties": false,
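Review bot: None of the four new definitions declares a `required` array, so `additionalProperties: false` rejects unknown keys but the schema still accepts an `Object` or `ObjectReference` carrying no `name`, `meta-category` or `uuid`, even though the prose context in the previous patch states that an Object MUST contain a name and a meta-category. Add at least `"required": ["name", "meta-category", "uuid"]` to `object` (extended with whatever else that sentence lists) and a matching list for `objectreference`, presumably `object_uuid`, `referenced_uuid` and `relationship_type`, to be confirmed against the prose. The definition key `sighthing` is misspelled; rename it `"sighting": {` and update the `$ref` a later hunk adds to the attribute definition so the two stay in sync. Every `*uuid` property is an unconstrained string; if the schema is meant to validate untrusted imports, a `"pattern"` for the UUID form would reject malformed identifiers, whereas `"format": "uuid"` is only an annotation unless the validator opts in.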
@@ -1222,6 +1377,9 @@ or parsing.
"id": {
"type": "string"
},
+ "old_id": {
+ "type": "string"
+ },
"type": {
"type": "string"
},
@@ -1237,6 +1395,21 @@ or parsing.
"event_id": {
"type": "string"
},
+ "event_uuid": {
+ "type": "string"
+ },
+ "proposal_to_delete": {
+ "type": "boolean"
+ },
+ "validationIssue": {
+ "type": "boolean"
+ },
+ "Org": {
+ "$ref": "#/defs/organisation"
+ },
+ "org_id": {
+ "type": "string"
+ },
"distribution": {
"type": "string"
},
@@ -1261,6 +1434,12 @@ or parsing.
"data": {
"type": "string"
},
+ "object_relation": {
+ "type": ["string", "null"]
+ },
+ "object_id": {
+ "type": "string"
+ },
"SharingGroup": {
"$ref": "#/defs/sharing_group"
},
@@ -1271,9 +1450,23 @@ or parsing.
"$ref": "#/defs/attribute"
}
},
- "Tag": {
+ "Sighting": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/defs/sighthing"
+ }
+ },
+ "Galaxy": {
"type": "array",
"uniqueItems": true,
+ "items": {
+ "$ref": "#/defs/galaxy"
+ }
+ },
+ "Tag": {
+ "uniqueItems": true,
+ "type": "array",
"items": {
"$ref": "#/defs/tag"
}
@@ -1296,6 +1489,9 @@ or parsing.
"date": {
"type": "string"
},
+ "extends_uuid": {
+ "type": "string"
+ },
"threat_level_id": {
"type": "string"
},
@@ -1381,6 +1577,13 @@ or parsing.
"$ref": "#/defs/galaxy"
}
},
+ "Object": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/defs/object"
+ }
+ },
"Tag": {
"type": "array",
"uniqueItems": true,
@@ -1408,6 +1611,9 @@ or parsing.
},
"hide_tag": {
"type": "boolean"
+ },
+ "user_id": {
+ "type": "string"
}
}
},
@@ -1433,6 +1639,12 @@ or parsing.
"version": {
"type": "string"
},
+ "icon": {
+ "type": "string"
+ },
+ "namespace": {
+ "type": "string"
+ },
"GalaxyCluster": {
"type": "array",
"uniqueItems": true,
@@ -1467,6 +1679,9 @@ or parsing.
"galaxy_id": {
"type": "string"
},
+ "version": {
+ "type": "string"
+ },
"source": {
"type": "string"
},