diff --git a/README.md b/README.md
index 39a2492..959a05d 100755
--- a/README.md
+++ b/README.md
@@ -11,7 +11,7 @@ All the formats can be freely reused by everyone.
 
 * [misp-core-format](misp-core-format/raw.md.txt) ([markdown source](misp-core-format/raw.md)) which describes the core JSON format of MISP. Current Internet-Draft: [04](https://tools.ietf.org/html/draft-dulaunoy-misp-core-format)
 * [misp-taxonomy-format](misp-taxonomy-format/raw.md.txt) ([markdown source](misp-taxonomy-format/raw.md)) which describes the taxonomy JSON format of MISP. Current Internet-Draft: [05](https://tools.ietf.org/html/draft-dulaunoy-misp-taxonomy-format)
-* [misp-galaxy-format](misp-galaxy-format/raw.md.txt) which describes the [galaxy](https://github.com/MISP/misp-galaxy) template format used to expand the threat actor modelling of MISP. Current Internet-Draft: [02](https://datatracker.ietf.org/doc/draft-dulaunoy-misp-galaxy-format/)
+* [misp-galaxy-format](misp-galaxy-format/raw.md.txt) which describes the [galaxy](https://github.com/MISP/misp-galaxy) template format used to expand the threat actor modelling of MISP. Current Internet-Draft: [04](https://datatracker.ietf.org/doc/draft-dulaunoy-misp-galaxy-format/)
 * [misp-object-template-format](misp-object-template-format/raw.md.txt) which describes the [object](https://github.com/MISP/misp-objects) template format to add combinedand composite object to the MISP core format. Current Internet-Draft: [01](https://datatracker.ietf.org/doc/draft-dulaunoy-misp-object-template-format/)
 
 ## MISP Format in design phase and implemented in at least one software prototype
diff --git a/misp-core-format/raw.md b/misp-core-format/raw.md
index 45d1f68..79cedcf 100755
--- a/misp-core-format/raw.md
+++ b/misp-core-format/raw.md
@@ -5,7 +5,7 @@
 % ipr= "trust200902"
 % area = "Security"
 %
-% date = 2018-04-10T00:00:00Z
+% date = 2018-08-08T00:00:00Z
 %
 % [[author]]
 % initials="A."
@@ -305,53 +305,53 @@ type represents the means through which an attribute tries to describe the inten type is represented as a JSON string. type **MUST** be present and it **MUST** be a valid selection for the chosen category. The list of valid category-type combinations is as follows: -**Internal reference** -: text, link, comment, other, hex - -**Targeting data** -: target-user, target-email, target-machine, target-org, target-location, target-external, comment - **Antivirus detection** : link, comment, text, hex, attachment, other -**Payload delivery** -: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, ip-src, ip-dst, hostname, domain, email-src, email-dst, email-subject, email-attachment, url, user-agent, AS, pattern-in-file, pattern-in-traffic, yara, attachment, malware-sample, link, malware-type, mime-type, comment, text, vulnerability, x509-fingerprint-sha1, other, ip-dst|port, ip-src|port, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id - **Artifacts dropped** -: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, pdb, yara, sigma, stix2-pattern, gene, attachment, malware-sample, mime-type, named pipe, mutex, 
windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, other +: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, pdb, stix2-pattern, yara, sigma, attachment, malware-sample, named pipe, mutex, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene, mime-type -**Payload installation** -: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, authentihash, pehash, tlsh, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|pehash, pattern-in-file, mime-type, pattern-in-traffic, pattern-in-memory, yara, stix2-pattern, vulnerability, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, mobile-application-id, other +**Attribution** +: threat-actor, campaign-name, campaign-id, whois-registrant-phone, whois-registrant-email, whois-registrant-name, whois-registrant-org, whois-registrar, whois-creation-date, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, dns-soa-email -**Persistence mechanism** -: filename, regkey, regkey|value, comment, text, other, text +**External analysis** +: md5, sha1, sha256, filename, filename|md5, filename|sha1, filename|sha256, ip-src, ip-dst, ip-dst|port, ip-src|port, mac-address, mac-eui-64, hostname, domain, 
domain|ip, url, user-agent, regkey, regkey|value, AS, snort, bro, pattern-in-file, pattern-in-traffic, pattern-in-memory, vulnerability, attachment, malware-sample, link, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, github-repository, other, cortex + +**Financial fraud** +: btc, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, phone-number, comment, text, other, hex + +**Internal reference** +: text, link, comment, other, hex **Network activity** -: ip-src, ip-dst, hostname, domain, domain|ip, email-dst, url, uri, user-agent, http-method, AS, snort, pattern-in-file, pattern-in-traffic, stix2-pattern, attachment, comment, text, x509-fingerprint-sha1, other, hex, cookie +: ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email-dst, url, uri, user-agent, http-method, AS, snort, pattern-in-file, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-sha1, other, hex, cookie, hostname|port, bro + +**Other** +: comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean + +**Payload delivery** +: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, hostname|port, 
email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, whois-registrant-email + +**Payload installation** +: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, stix2-pattern, yara, sigma, vulnerability, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, other, mime-type **Payload type** : comment, text, other -**Attribution** -: threat-actor, campaign-name, campaign-id, whois-registrant-phone, whois-registrant-email, whois-registrant-name, whois-registrar, whois-creation-date, comment, text, x509-fingerprint-sha1, other - -**External analysis** -: md5, sha1, sha256, filename, filename|md5, filename|sha1, filename|sha256, ip-src, ip-dst, hostname, domain, domain|ip, url, user-agent, regkey, regkey|value, AS, snort, pattern-in-file, pattern-in-traffic, pattern-in-memory, vulnerability, attachment, malware-sample, link, comment, text, x509-fingerprint-sha1, github-repository, other - -**Financial fraud** -: btc, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, phone-number, comment, text, other, hex - -**Support tool** -: attachment, link, comment, text, other, hex - -**Social network** -: github-username, github-repository, github-organisation, jabber-id, twitter-id, email-src, email-dst, comment, text, other +**Persistence mechanism** +: filename, regkey, regkey|value, comment, text, other, hex **Person** : first-name, middle-name, last-name, date-of-birth, 
place-of-birth, gender, passport-number, passport-country, passport-expiration, redress-number, nationality, visa-number, issue-date-of-the-visa, primary-residence, country-of-residence, special-service-request, frequent-flyer-number, travel-details, payment-details, place-port-of-original-embarkation, place-port-of-clearance, place-port-of-onward-foreign-destination, passenger-name-record-locator-number, comment, text, other, phone-number, identity-card-number -**Other** -: comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number +**Social network** +: github-username, github-repository, github-organisation, jabber-id, twitter-id, email-src, email-dst, comment, text, other, whois-registrant-email + +**Support Tool** +: link, text, attachment, comment, other, hex + +**Targeting data** +: target-user, target-email, target-machine, target-org, target-location, target-external, comment Attributes are based on the usage within their different communities. Attributes can be extended on a regular basis and this reference document is updated accordingly. 
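Review bot: The category-to-type table rewritten in this hunk (the Attribute `type` section) is maintained as a second verbatim copy for ShadowAttribute `type` (§2.5.2.3) in the next hunk, and the two copies had already drifted before this commit — the Attribute copy's Attribution list lacked `whois-registrant-org` while the ShadowAttribute copy had it, and the Artifacts dropped and Payload installation orderings differed between them. Keeping the list in one place and writing `The valid category-type combinations are the same as for Attribute (see the Attribute type section).` under ShadowAttribute would remove the need to apply the same 53-line edit twice. Since the text says type MUST be a valid selection for the category, it would also help anyone validating untrusted feeds against this spec to state what a receiving instance does with a combination not in the table (reject the attribute, or accept it under `other`); the current wording leaves that open. The rename `Support tool` → `Support Tool` at the end of this hunk changes a string that implementations presumably match case-sensitively, so it is worth confirming it tracks the MISP implementation's spelling and calling it out if existing data uses the old form. Separately, the front matter date moved to 2018-08-08 in this commit, but the page-break lines added to raw.md.txt still read `Expires October 12, 2018` and `April 2018`, so the rendered text does not appear to have been regenerated from the bumped source.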
@@ -501,53 +501,53 @@ type represents the means through which an attribute tries to describe the inten type is represented as a JSON string. type **MUST** be present and it **MUST** be a valid selection for the chosen category. The list of valid category-type combinations is as follows: -**Internal reference** -: text, link, comment, other, hex - -**Targeting data** -: target-user, target-email, target-machine, target-org, target-location, target-external, comment - **Antivirus detection** : link, comment, text, hex, attachment, other -**Payload delivery** -: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, ip-src, ip-dst, hostname, domain, email-src, email-dst, email-subject, email-attachment, url, user-agent, AS, pattern-in-file, pattern-in-traffic, yara, attachment, malware-sample, link, malware-type, mime-type, comment, text, vulnerability, x509-fingerprint-sha1, other, ip-dst|port, ip-src|port, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id - **Artifacts dropped** -: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, pdb, yara, sigma, gene, stix2-pattern, attachment, malware-sample, mime-type, named pipe, mutex, 
windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, other +: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, pdb, stix2-pattern, yara, sigma, attachment, malware-sample, named pipe, mutex, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene, mime-type -**Payload installation** -: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, authentihash, pehash, tlsh, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|pehash, mime-type, pattern-in-file, pattern-in-traffic, pattern-in-memory, yara, stix2-pattern, vulnerability, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, mobile-application-id, other +**Attribution** +: threat-actor, campaign-name, campaign-id, whois-registrant-phone, whois-registrant-email, whois-registrant-name, whois-registrant-org, whois-registrar, whois-creation-date, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, dns-soa-email -**Persistence mechanism** -: filename, regkey, regkey|value, comment, text, other, text +**External analysis** +: md5, sha1, sha256, filename, filename|md5, filename|sha1, filename|sha256, ip-src, ip-dst, ip-dst|port, ip-src|port, mac-address, mac-eui-64, hostname, domain, 
domain|ip, url, user-agent, regkey, regkey|value, AS, snort, bro, pattern-in-file, pattern-in-traffic, pattern-in-memory, vulnerability, attachment, malware-sample, link, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, github-repository, other, cortex + +**Financial fraud** +: btc, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, phone-number, comment, text, other, hex + +**Internal reference** +: text, link, comment, other, hex **Network activity** -: ip-src, ip-dst, hostname, domain, domain|ip, email-dst, url, uri, user-agent, http-method, AS, snort, pattern-in-file, pattern-in-traffic, stix2-pattern, attachment, comment, text, x509-fingerprint-sha1, other, hex, cookie +: ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email-dst, url, uri, user-agent, http-method, AS, snort, pattern-in-file, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-sha1, other, hex, cookie, hostname|port, bro + +**Other** +: comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean + +**Payload delivery** +: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, hostname|port, 
email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, whois-registrant-email + +**Payload installation** +: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, stix2-pattern, yara, sigma, vulnerability, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, other, mime-type **Payload type** : comment, text, other -**Attribution** -: threat-actor, campaign-name, campaign-id, whois-registrant-phone, whois-registrant-email, whois-registrant-name, whois-registrant-org, whois-registrar, whois-creation-date, comment, text, x509-fingerprint-sha1, other - -**External analysis** -: md5, sha1, sha256, filename, filename|md5, filename|sha1, filename|sha256, ip-src, ip-dst, hostname, domain, domain|ip, url, user-agent, regkey, regkey|value, AS, snort, pattern-in-file, pattern-in-traffic, pattern-in-memory, vulnerability, attachment, malware-sample, link, comment, text, x509-fingerprint-sha1, github-repository, other - -**Financial fraud** -: btc, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, phone-number, comment, text, other, hex - -**Support tool** -: attachment, link, comment, text, other, hex - -**Social network** -: github-username, github-repository, github-organisation, jabber-id, twitter-id, email-src, email-dst, comment, text, other +**Persistence mechanism** +: filename, regkey, regkey|value, comment, text, other, hex **Person** : first-name, middle-name, 
last-name, date-of-birth, place-of-birth, gender, passport-number, passport-country, passport-expiration, redress-number, nationality, visa-number, issue-date-of-the-visa, primary-residence, country-of-residence, special-service-request, frequent-flyer-number, travel-details, payment-details, place-port-of-original-embarkation, place-port-of-clearance, place-port-of-onward-foreign-destination, passenger-name-record-locator-number, comment, text, other, phone-number, identity-card-number -**Other** -: comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number +**Social network** +: github-username, github-repository, github-organisation, jabber-id, twitter-id, email-src, email-dst, comment, text, other, whois-registrant-email + +**Support Tool** +: link, text, attachment, comment, other, hex + +**Targeting data** +: target-user, target-email, target-machine, target-org, target-location, target-external, comment Attributes are based on the usage within their different communities. Attributes can be extended on a regular basis and this reference document is updated accordingly. diff --git a/misp-core-format/raw.md.txt b/misp-core-format/raw.md.txt index 6618c89..3fa2676 100755 --- a/misp-core-format/raw.md.txt +++ b/misp-core-format/raw.md.txt 
@@ -76,15 +76,15 @@ Table of Contents
 2.4. Attribute . . . . . . . . . . . . . . . . . . . . . . . . 8
 2.4.1. Sample Attribute Object . . . . . . . . . . . . . . . 8
 2.4.2. Attribute Attributes . . . . . . . . . . . . . . . . 9
- 2.5. ShadowAttribute . . . . . . . . . . . . . . . . . . . . . 14
+ 2.5. ShadowAttribute . . . . . . . . . . . . . . . . . . . . . 15
 2.5.1. Sample Attribute Object . . . . . . . . . . . . . . . 15
 2.5.2. ShadowAttribute Attributes . . . . . . . . . . . . . 15
- 2.5.3. Org . . . . . . . . . . . . . . . . . . . . . . . . . 20
+ 2.5.3. Org . . . . . . . . . . . . . . . . . . . . . . . . . 21
 2.6. Object . . . . . . . . . . . . . . . . . . . . . . . . . 21
- 2.6.1. Sample Object object . . . . . . . . . . . . . . . . 21
- 2.6.2. Object Attributes . . . . . . . . . . . . . . . . . . 22
+ 2.6.1. Sample Object object . . . . . . . . . . . . . . . . 22
+ 2.6.2. Object Attributes . . . . . . . . . . . . . . . . . . 23
 2.7. Object References . . . . . . . . . . . . . . . . . . . . 25
- 2.7.1. Sample ObjectReference object . . . . . . . . . . . . 25
+ 2.7.1. Sample ObjectReference object . . . . . . . . . . . . 26
 2.7.2. ObjectReference Attributes . . . . . . . . . . . . . 26
 2.8. Tag . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
 2.8.1. Sample Tag . . . . . . . . . . . . . . . . . . . . . 28
@@ -497,7 +497,7 @@ Internet-Draft MISP core format April 2018 MUST be a valid selection for the chosen category. The list of valid category-type combinations is as follows:
- Internal reference
+ Antivirus detection
@@ -506,32 +506,8 @@ Dulaunoy & Iklody Expires October 12, 2018 [Page 9] Internet-Draft MISP core format April 2018 - text, link, comment, other, hex - - Targeting data - target-user, target-email, target-machine, target-org, target- - location, target-external, comment - - Antivirus detection link, comment, text, hex, attachment, other - Payload delivery - md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, - ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename, - filename|md5, filename|sha1, filename|sha224, filename|sha256, - filename|sha384, filename|sha512, filename|sha512/224, - filename|sha512/256, filename|authentihash, filename|ssdeep, - filename|tlsh, filename|imphash, filename|impfuzzy, - filename|pehash, ip-src, ip-dst, hostname, domain, email-src, - email-dst, email-subject, email-attachment, url, user-agent, AS, - pattern-in-file, pattern-in-traffic, yara, attachment, malware- - sample, link, malware-type, mime-type, comment, text, - vulnerability, x509-fingerprint-sha1, other, ip-dst|port, ip- - src|port, hostname|port, email-dst-display-name, email-src- - display-name, email-header, email-reply-to, email-x-mailer, email- - mime-boundary, email-thread-index, email-message-id, mobile- - application-id - Artifacts dropped md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, filename, filename|md5, 
@@ -539,21 +515,45 @@ Internet-Draft MISP core format April 2018 filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, - regkey|value, pattern-in-file, pattern-in-memory, pdb, yara, - sigma, stix2-pattern, gene, attachment, malware-sample, mime-type, - named pipe, mutex, windows-scheduled-task, windows-service-name, + regkey|value, pattern-in-file, pattern-in-memory, pdb, + stix2-pattern, yara, sigma, attachment, malware-sample, named + pipe, mutex, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint- - sha1, other + sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, + cookie, gene, mime-type - Payload installation - md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, - ssdeep, imphash, authentihash, pehash, tlsh, filename, - filename|md5, filename|sha1, filename|sha224, filename|sha256, - filename|sha384, filename|sha512, filename|sha512/224, - filename|sha512/256, filename|authentihash, filename|ssdeep, - filename|tlsh, filename|imphash, filename|pehash, pattern-in-file, - mime-type, pattern-in-traffic, pattern-in-memory, yara, - stix2-pattern, vulnerability, attachment, malware-sample, malware- + Attribution + threat-actor, campaign-name, campaign-id, whois-registrant-phone, + whois-registrant-email, whois-registrant-name, whois-registrant- + org, whois-registrar, whois-creation-date, comment, text, x509- + fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, + other, dns-soa-email + + External analysis + md5, sha1, sha256, filename, filename|md5, filename|sha1, + filename|sha256, ip-src, ip-dst, ip-dst|port, ip-src|port, mac- + address, mac-eui-64, hostname, domain, domain|ip, url, user-agent, + regkey, regkey|value, AS, snort, pattern-in-file, pattern-in- + traffic, pattern-in-memory, vulnerability, attachment, malware- + sample, link, comment, 
text, x509-fingerprint-sha1, x509- + fingerprint-md5, x509-fingerprint-sha256, github-repository, + other, cortex + + Financial fraud + btc, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, + prtn, phone-number, comment, text, other, hex + + Internal reference + text, link, comment, other, hex + + Network activity + ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, + domain|ip, mac-address, mac-eui-64, email-dst, url, uri, user- + agent, http-method, AS, snort, pattern-in-file, stix2-pattern, + pattern-in-traffic, attachment, comment, text, x509-fingerprint- + sha1, other, hex, cookie, hostname|port + + Other 
@@ -562,44 +562,46 @@ Dulaunoy & Iklody Expires October 12, 2018 [Page 10] Internet-Draft MISP core format April 2018 - type, comment, text, hex, x509-fingerprint-sha1, mobile- - application-id, other + comment, text, other, size-in-bytes, counter, datetime, cpe, port, + float, hex, phone-number, boolean - Persistence mechanism - filename, regkey, regkey|value, comment, text, other, text + Payload delivery + md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, + ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename, + filename|md5, filename|sha1, filename|sha224, filename|sha256, + filename|sha384, filename|sha512, filename|sha512/224, + filename|sha512/256, filename|authentihash, filename|ssdeep, + filename|tlsh, filename|imphash, filename|impfuzzy, + filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip- + dst|port, ip-src|port, hostname, domain, email-src, email-dst, + email-subject, email-attachment, email-body, url, user-agent, AS, + pattern-in-file, pattern-in-traffic, stix2-pattern, yara, sigma, + mime-type, attachment, malware-sample, link, malware-type, + comment, text, hex, vulnerability, x509-fingerprint-sha1, x509- + fingerprint-md5, x509-fingerprint-sha256, other, hostname|port, + email-dst-display-name, email-src-display-name, email-header, + email-reply-to, email-x-mailer, email-mime-boundary, email-thread- + index, email-message-id, mobile-application-id, whois-registrant- + email - Network activity - ip-src, ip-dst, hostname, domain, domain|ip, email-dst, url, uri, - user-agent, http-method, AS, snort, pattern-in-file, pattern-in- - traffic, stix2-pattern, attachment, comment, text, x509- - fingerprint-sha1, other, hex, cookie + Payload installation + md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, + ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename, + filename|md5, filename|sha1, filename|sha224, filename|sha256, + filename|sha384, filename|sha512, filename|sha512/224, + 
filename|sha512/256, filename|authentihash, filename|ssdeep, + filename|tlsh, filename|imphash, filename|impfuzzy, + filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in- + memory, stix2-pattern, yara, sigma, vulnerability, attachment, + malware-sample, malware-type, comment, text, hex, x509- + fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, + mobile-application-id, other, mime-type Payload type comment, text, other - Attribution - threat-actor, campaign-name, campaign-id, whois-registrant-phone, - whois-registrant-email, whois-registrant-name, whois-registrar, - whois-creation-date, comment, text, x509-fingerprint-sha1, other - - External analysis - md5, sha1, sha256, filename, filename|md5, filename|sha1, - filename|sha256, ip-src, ip-dst, hostname, domain, domain|ip, url, - user-agent, regkey, regkey|value, AS, snort, pattern-in-file, - pattern-in-traffic, pattern-in-memory, vulnerability, attachment, - malware-sample, link, comment, text, x509-fingerprint-sha1, - github-repository, other - - Financial fraud - btc, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, - phone-number, comment, text, other, hex - - Support tool - attachment, link, comment, text, other, hex - - Social network - github-username, github-repository, github-organisation, jabber- - id, twitter-id, email-src, email-dst, comment, text, other + Persistence mechanism + filename, regkey, regkey|value, comment, text, other, hex Person first-name, middle-name, last-name, date-of-birth, place-of-birth, @@ -608,8 +610,6 @@ Internet-Draft MISP core format April 2018 primary-residence, country-of-residence, special-service-request, frequent-flyer-number, travel-details, payment-details, place- port-of-original-embarkation, place-port-of-clearance, place-port- - of-onward-foreign-destination, passenger-name-record-locator- - number, comment, text, other, phone-number, identity-card-number 
@@ -618,9 +618,20 @@ Dulaunoy & Iklody Expires October 12, 2018 [Page 11] Internet-Draft MISP core format April 2018 - Other - comment, text, other, size-in-bytes, counter, datetime, cpe, port, - float, hex, phone-number + of-onward-foreign-destination, passenger-name-record-locator- + number, comment, text, other, phone-number, identity-card-number + + Social network + github-username, github-repository, github-organisation, jabber- + id, twitter-id, email-src, email-dst, comment, text, other, whois- + registrant-email + + Support Tool + link, text, attachment, comment, other, hex + + Targeting data + target-user, target-email, target-machine, target-org, target- + location, target-external, comment Attributes are based on the usage within their different communities. Attributes can be extended on a regular basis and this reference @@ -656,6 +667,13 @@ Internet-Draft MISP core format April 2018 event_id is represented as a JSON string. event_id MUST be present. + + +Dulaunoy & Iklody Expires October 12, 2018 [Page 12] + +Internet-Draft MISP core format April 2018 + + 2.4.2.7. distribution distribution represents the basic distribution rules of the @@ -666,14 +684,6 @@ Internet-Draft MISP core format April 2018 present and be one of the following options: 0 - - - -Dulaunoy & Iklody Expires October 12, 2018 [Page 12] - -Internet-Draft MISP core format April 2018 - - Your Organisation Only 1 @@ -712,6 +722,14 @@ Internet-Draft MISP core format April 2018 if distribution level "4" is set. A human-readable identifier MUST be represented as an unsigned integer. + + + +Dulaunoy & Iklody Expires October 12, 2018 [Page 13] + +Internet-Draft MISP core format April 2018 + + sharing_group_id is represented by a JSON string and SHOULD be present. If a distribution level other than "4" is chosen the sharing_group_id MUST be set to "0". 
@@ -722,14 +740,6 @@ Internet-Draft MISP core format April 2018 Revoked attributes are not actionable and exist merely to inform other instances of a revocation. - - - -Dulaunoy & Iklody Expires October 12, 2018 [Page 13] - -Internet-Draft MISP core format April 2018 - - deleted is represented by a JSON boolean. deleted MUST be present. 2.4.2.12. data @@ -766,6 +776,16 @@ Internet-Draft MISP core format April 2018 containing attribute's ID in the old_id field and the event's ID in the event_id field. + + + + + +Dulaunoy & Iklody Expires October 12, 2018 [Page 14] + +Internet-Draft MISP core format April 2018 + + 2.4.2.15. value value represents the payload of an attribute. The format of the @@ -778,14 +798,6 @@ Internet-Draft MISP core format April 2018 ShadowAttributes are 3rd party created attributes that either propose to add new information to an event or modify existing information. They are not meant to be actionable until the event creator accepts - - - -Dulaunoy & Iklody Expires October 12, 2018 [Page 14] - -Internet-Draft MISP core format April 2018 - - them - at which point they will be converted into attributes or modify an existing attribute. @@ -818,6 +830,18 @@ Internet-Draft MISP core format April 2018 2.5.2. ShadowAttribute Attributes + + + + + + + +Dulaunoy & Iklody Expires October 12, 2018 [Page 15] + +Internet-Draft MISP core format April 2018 + + 2.5.2.1. uuid uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of @@ -834,14 +858,6 @@ Internet-Draft MISP core format April 2018 represented as an unsigned integer. id is represented as a JSON string. id SHALL be present. - - - -Dulaunoy & Iklody Expires October 12, 2018 [Page 15] - -Internet-Draft MISP core format April 2018 - - 2.5.2.3. type type represents the means through which an attribute tries to 
@@ -852,33 +868,9 @@ Internet-Draft MISP core format April 2018 MUST be a valid selection for the chosen category. The list of valid category-type combinations is as follows: - Internal reference - text, link, comment, other, hex - - Targeting data - target-user, target-email, target-machine, target-org, target- - location, target-external, comment - Antivirus detection link, comment, text, hex, attachment, other - Payload delivery - md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, - ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename, - filename|md5, filename|sha1, filename|sha224, filename|sha256, - filename|sha384, filename|sha512, filename|sha512/224, - filename|sha512/256, filename|authentihash, filename|ssdeep, - filename|tlsh, filename|imphash, filename|impfuzzy, - filename|pehash, ip-src, ip-dst, hostname, domain, email-src, - email-dst, email-subject, email-attachment, url, user-agent, AS, - pattern-in-file, pattern-in-traffic, yara, attachment, malware- - sample, link, malware-type, mime-type, comment, text, - vulnerability, x509-fingerprint-sha1, other, ip-dst|port, ip- - src|port, hostname|port, email-dst-display-name, email-src- - display-name, email-header, email-reply-to, email-x-mailer, email- - mime-boundary, email-thread-index, email-message-id, mobile- - application-id - Artifacts dropped md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, filename, filename|md5, 
@@ -886,9 +878,17 @@ Internet-Draft MISP core format April 2018 filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, - regkey|value, pattern-in-file, pattern-in-memory, pdb, yara, - sigma, gene, stix2-pattern, attachment, malware-sample, mime-type, - named pipe, mutex, windows-scheduled-task, windows-service-name, + regkey|value, pattern-in-file, pattern-in-memory, pdb, + stix2-pattern, yara, sigma, attachment, malware-sample, named + pipe, mutex, windows-scheduled-task, windows-service-name, + windows-service-displayname, comment, text, hex, x509-fingerprint- + sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, + cookie, gene, mime-type + + Attribution + threat-actor, campaign-name, campaign-id, whois-registrant-phone, + whois-registrant-email, whois-registrant-name, whois-registrant- + org, whois-registrar, whois-creation-date, comment, text, x509- 
@@ -898,53 +898,53 @@ Dulaunoy & Iklody Expires October 12, 2018 [Page 16] Internet-Draft MISP core format April 2018 - windows-service-displayname, comment, text, hex, x509-fingerprint- - sha1, other - - Payload installation - md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, - ssdeep, imphash, authentihash, pehash, tlsh, filename, - filename|md5, filename|sha1, filename|sha224, filename|sha256, - filename|sha384, filename|sha512, filename|sha512/224, - filename|sha512/256, filename|authentihash, filename|ssdeep, - filename|tlsh, filename|imphash, filename|pehash, mime-type, - pattern-in-file, pattern-in-traffic, pattern-in-memory, yara, - stix2-pattern, vulnerability, attachment, malware-sample, malware- - type, comment, text, hex, x509-fingerprint-sha1, mobile- - application-id, other - - Persistence mechanism - filename, regkey, regkey|value, comment, text, other, text - - Network activity - ip-src, ip-dst, hostname, domain, domain|ip, email-dst, url, uri, - user-agent, http-method, AS, snort, pattern-in-file, pattern-in- - traffic, stix2-pattern, attachment, comment, text, x509- - fingerprint-sha1, other, hex, cookie - - Payload type - comment, text, other - - Attribution - threat-actor, campaign-name, campaign-id, whois-registrant-phone, - whois-registrant-email, whois-registrant-name, whois-registrant- - org, whois-registrar, whois-creation-date, comment, text, x509- - fingerprint-sha1, other + fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, + other, dns-soa-email External analysis md5, sha1, sha256, filename, filename|md5, filename|sha1, - filename|sha256, ip-src, ip-dst, hostname, domain, domain|ip, url, - user-agent, regkey, regkey|value, AS, snort, pattern-in-file, - pattern-in-traffic, pattern-in-memory, vulnerability, attachment, - malware-sample, link, comment, text, x509-fingerprint-sha1, - github-repository, other + filename|sha256, ip-src, ip-dst, ip-dst|port, ip-src|port, mac- + address, mac-eui-64, hostname, 
domain, domain|ip, url, user-agent, + regkey, regkey|value, AS, snort, pattern-in-file, pattern-in- + traffic, pattern-in-memory, vulnerability, attachment, malware- + sample, link, comment, text, x509-fingerprint-sha1, x509- + fingerprint-md5, x509-fingerprint-sha256, github-repository, + other, cortex Financial fraud - btc, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, - phone-number, comment, text, other, hex + btc, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, + prtn, phone-number, comment, text, other, hex - Support tool - attachment, link, comment, text, other, hex + Internal reference + text, link, comment, other, hex + + Network activity + ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, + domain|ip, mac-address, mac-eui-64, email-dst, url, uri, user- + agent, http-method, AS, snort, pattern-in-file, stix2-pattern, + pattern-in-traffic, attachment, comment, text, x509-fingerprint- + sha1, other, hex, cookie, hostname|port + + Other + comment, text, other, size-in-bytes, counter, datetime, cpe, port, + float, hex, phone-number, boolean + + Payload delivery + md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, + ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename, + filename|md5, filename|sha1, filename|sha224, filename|sha256, + filename|sha384, filename|sha512, filename|sha512/224, + filename|sha512/256, filename|authentihash, filename|ssdeep, + filename|tlsh, filename|imphash, filename|impfuzzy, + filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip- + dst|port, ip-src|port, hostname, domain, email-src, email-dst, + email-subject, email-attachment, email-body, url, user-agent, AS, + pattern-in-file, pattern-in-traffic, stix2-pattern, yara, sigma, + mime-type, attachment, malware-sample, link, malware-type, + comment, text, hex, vulnerability, x509-fingerprint-sha1, x509- + fingerprint-md5, x509-fingerprint-sha256, other, hostname|port, + email-dst-display-name, 
email-src-display-name, email-header, + email-reply-to, email-x-mailer, email-mime-boundary, email-thread- @@ -954,9 +954,27 @@ Dulaunoy & Iklody Expires October 12, 2018 [Page 17] Internet-Draft MISP core format April 2018 - Social network - github-username, github-repository, github-organisation, jabber- - id, twitter-id, email-src, email-dst, comment, text, other + index, email-message-id, mobile-application-id, whois-registrant- + email + + Payload installation + md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, + ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename, + filename|md5, filename|sha1, filename|sha224, filename|sha256, + filename|sha384, filename|sha512, filename|sha512/224, + filename|sha512/256, filename|authentihash, filename|ssdeep, + filename|tlsh, filename|imphash, filename|impfuzzy, + filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in- + memory, stix2-pattern, yara, sigma, vulnerability, attachment, + malware-sample, malware-type, comment, text, hex, x509- + fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, + mobile-application-id, other, mime-type + + Payload type + comment, text, other + + Persistence mechanism + filename, regkey, regkey|value, comment, text, other, hex Person first-name, middle-name, last-name, date-of-birth, place-of-birth, 
@@ -968,14 +986,30 @@ Internet-Draft MISP core format April 2018 of-onward-foreign-destination, passenger-name-record-locator- number, comment, text, other, phone-number, identity-card-number - Other - comment, text, other, size-in-bytes, counter, datetime, cpe, port, - float, hex, phone-number + Social network + github-username, github-repository, github-organisation, jabber- + id, twitter-id, email-src, email-dst, comment, text, other, whois- + registrant-email + + Support Tool + link, text, attachment, comment, other, hex + + Targeting data + target-user, target-email, target-machine, target-org, target- + location, target-external, comment Attributes are based on the usage within their different communities. Attributes can be extended on a regular basis and this reference document is updated accordingly. + + + +Dulaunoy & Iklody Expires October 12, 2018 [Page 18] + +Internet-Draft MISP core format April 2018 + + 2.5.2.4. category category represents the intent of what the attribute is describing as @@ -1001,15 +1035,6 @@ Internet-Draft MISP core format April 2018 event_id represents a human-readable identifier referencing the Event object that the ShadowAttribute belongs to. - - - - -Dulaunoy & Iklody Expires October 12, 2018 [Page 18] - -Internet-Draft MISP core format April 2018 - - The event_id SHOULD be updated when the event is imported to reflect the newly created event's id on the instance. @@ -1031,6 +1056,16 @@ Internet-Draft MISP core format April 2018 old_id is represented as a JSON string. old_id MUST be present. + + + + + +Dulaunoy & Iklody Expires October 12, 2018 [Page 19] + +Internet-Draft MISP core format April 2018 + + 2.5.2.8. timestamp timestamp represents a reference time when the attribute was created 
@@ -1057,15 +1092,6 @@ Internet-Draft MISP core format April 2018 org_id is represented by a JSON string and MUST be present. - - - - -Dulaunoy & Iklody Expires October 12, 2018 [Page 19] - -Internet-Draft MISP core format April 2018 - - 2.5.2.11. proposal_to_delete proposal_to_delete is a boolean flag that sets whether the shadow @@ -1086,6 +1112,16 @@ Internet-Draft MISP core format April 2018 deleted is represented by a JSON boolean. deleted SHOULD be present. + + + + + +Dulaunoy & Iklody Expires October 12, 2018 [Page 20] + +Internet-Draft MISP core format April 2018 + + 2.5.2.13. data data contains the base64 encoded contents of an attachment or a @@ -1112,16 +1148,6 @@ Internet-Draft MISP core format April 2018 uuid, name and id are represented as a JSON string. uuid, name and id MUST be present. - - - - - -Dulaunoy & Iklody Expires October 12, 2018 [Page 20] - -Internet-Draft MISP core format April 2018 - - 2.5.3.1. Sample Org Object "Org": { @@ -1143,6 +1169,15 @@ Internet-Draft MISP core format April 2018 within an event. Their main purpose is to describe more complex structures than can be described by a single attribute Each object is created using an Object Template and carries the meta-data of the + + + + +Dulaunoy & Iklody Expires October 12, 2018 [Page 21] + +Internet-Draft MISP core format April 2018 + + template used for its creation within. Objects belong to a meta- category and are defined by a name. @@ -1155,29 +1190,6 @@ Internet-Draft MISP core format April 2018 2.6.1. Sample Object object - - - - - - - - - - - - - - - - - - -Dulaunoy & Iklody Expires October 12, 2018 [Page 21] - -Internet-Draft MISP core format April 2018 - - "Object": { "id": "588", "name": "file", @@ -1215,6 +1227,13 @@ Internet-Draft MISP core format April 2018 ] } + + +Dulaunoy & Iklody Expires October 12, 2018 [Page 22] + +Internet-Draft MISP core format April 2018 + + 2.6.2. Object Attributes 2.6.2.1. uuid 
@@ -1224,16 +1243,6 @@ Internet-Draft MISP core format April 2018 of the same object. UUID version 4 is RECOMMENDED when assigning it to a new object. - - - - - -Dulaunoy & Iklody Expires October 12, 2018 [Page 22] - -Internet-Draft MISP core format April 2018 - - 2.6.2.2. id id represents the human-readable identifier associated to the object @@ -1273,6 +1282,14 @@ Internet-Draft MISP core format April 2018 for creation. UUID version 4 is RECOMMENDED when assigning it to a new object. + + + +Dulaunoy & Iklody Expires October 12, 2018 [Page 23] + +Internet-Draft MISP core format April 2018 + + 2.6.2.7. template_version template_version represents a numeric incrementing version of the @@ -1283,13 +1300,6 @@ Internet-Draft MISP core format April 2018 version is represented as a JSON string. version MUST be present. - - -Dulaunoy & Iklody Expires October 12, 2018 [Page 23] - -Internet-Draft MISP core format April 2018 - - 2.6.2.8. event_id event_id represents the human-readable identifier of the event that @@ -1328,6 +1338,14 @@ Internet-Draft MISP core format April 2018 All Communities 4 + + + +Dulaunoy & Iklody Expires October 12, 2018 [Page 24] + +Internet-Draft MISP core format April 2018 + + Sharing Group 2.6.2.11. sharing_group_id @@ -1337,15 +1355,6 @@ Internet-Draft MISP core format April 2018 distribution level "4" is set. A human-readable identifier MUST be represented as an unsigned integer. - - - - -Dulaunoy & Iklody Expires October 12, 2018 [Page 24] - -Internet-Draft MISP core format April 2018 - - sharing_group_id is represented by a JSON string and SHOULD be present. If a distribution level other than "4" is chosen the sharing_group_id MUST be set to "0". @@ -1385,15 +1394,6 @@ Internet-Draft MISP core format April 2018 All Object References MUST contain an object_uuid, a referenced_uuid and a relationship type. -2.7.1. Sample ObjectReference object - - - - - - - - 
@@ -1402,6 +1402,8 @@ Dulaunoy & Iklody Expires October 12, 2018 [Page 25] Internet-Draft MISP core format April 2018 +2.7.1. Sample ObjectReference object + "ObjectReference": { "id": "195", "uuid": "59c21a2c-c0ac-4083-93b3-363da07724d1", @@ -1451,8 +1453,6 @@ Internet-Draft MISP core format April 2018 - - Dulaunoy & Iklody Expires October 12, 2018 [Page 26] Internet-Draft MISP core format April 2018 diff --git a/misp-galaxy-format/raw.md b/misp-galaxy-format/raw.md index d666854..32a74a8 100644 --- a/misp-galaxy-format/raw.md +++ b/misp-galaxy-format/raw.md @@ -5,7 +5,7 @@ % ipr= "trust200902" % area = "Security" % -% date = 2018-04-01T00:00:00Z +% date = 2018-09-20T00:00:00Z % % [[author]] % initials="A." @@ -54,7 +54,7 @@ .# Abstract -This document describes the MISP galaxy format which describes a simple JSON format to represent galaxies and clusters that can be attached to MISP events or attributes. A public directory of MISP galaxies is available and relies on the MISP galaxy format. MISP galaxies are used to add further informations on a MISP event. MISP galaxy is a public repository [@?MISP-G] of known malware, threats actors and various other collections of data that can be used to mark, classify or label data in threat information sharing. +This document describes the MISP galaxy format which describes a simple JSON format to represent galaxies and clusters that can be attached to MISP events or attributes. A public directory of MISP galaxies is available and relies on the MISP galaxy format. MISP galaxies are used to add further informations on a MISP event. MISP galaxy is a public repository [@?MISP-G] [@?MISP-G-DOC] of known malware, threats actors and various other collections of data that can be used to mark, classify or label data in threat information sharing. {mainmatter} 
@@ -90,9 +90,21 @@ The values array contains one or more JSON objects which represent all the possi The value is represented as a string and **MUST** be present. The description is represented as a string and **SHOULD** be present. The meta or metadata is represented as a JSON list and **SHOULD** be present. The uuid represents the Universally Unique IDentifier (UUID) [@!RFC4122] of the value reference. The uuid **SHOULD** can be present and **MUST** be preserved. +## related + +Related contains a list of JSON key value pairs which describe the related values in this galaxy cluster or to other galaxy clusters. The JSON object contains three fields, dest-uuid, type and tags. The dest-uuid represents the target UUID which encompasses a relation of some type. The dest-uuid is represented as a string and **MUST** be present. The type is represented as a string and **MUST** be present and **SHOULD** be selected from the relationship types available in MISP objects [@?MISP-R]. The tags is a list of string which labels the related relationship such as the level of similarities, level of certainty, trust or confidence in the relationship, false-positive. A tag is represented in machine tag format which is a string an **SHOULD** be present. + +~~~~ +"related": [ { + "dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a", + "type": "similar", + "tags": ["estimative-language:likelihood-probability=\"very-likely\""] +} ] +~~~~ + ## meta -Meta contains a list of custom defined JSON key value pairs. Users **SHOULD** reuse commonly used keys such as complexity, effectiveness, country, possible_issues, colour, motive, impact, refs, synonyms, status, date, encryption, extensions, ransomnotes, cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-category wherever applicable. +Meta contains a list of custom defined JSON key value pairs. 
Users **SHOULD** reuse commonly used keys such as complexity, effectiveness, country, possible_issues, colour, motive, impact, refs, synonyms, status, date, encryption, extensions, ransomnotes, suspected-victims, suspected-state-sponsor, type-of-incident, target-category, cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-category wherever applicable. refs, synonyms **SHALL** be used to give further informations. refs is represented as an array containing one or more strings and **SHALL** be present. synonyms is represented as an array containing one or more strings and **SHALL** be present. 
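Review bot: The new `related` paragraph only says `dest-uuid` is "represented as a string and MUST be present", whereas the `uuid` field in the context line above is explicitly tied to [@!RFC4122]; since dest-uuid is the identifier implementations will follow across galaxies, it should carry the same constraint, e.g. `The dest-uuid is represented as a string, MUST be present and MUST be a UUID [@!RFC4122].` The paragraph also allows references "to other galaxy clusters" but says nothing about a dest-uuid that does not resolve on the consuming instance, so a sentence along the lines of `An implementation that cannot resolve a dest-uuid SHOULD keep the reference as-is and SHOULD NOT reject the cluster` would remove that ambiguity. Minor wording in the same paragraph: `The tags is a list of string` should read `tags is a list of strings`, and `which is a string an **SHOULD** be present` is missing the `d` in `and`.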
@@ -191,7 +203,7 @@ Example use of the source-uuid, target-uuid fields in the mitre-enterprise-attac } ~~~~ -cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident and cfr-target-category **MAY** be used to report information gathered from CFR's (Council on Foreign Relations) Cyber Operations Tracker. cfr-suspected-victims is represented as an array containing one or more strings and **SHALL** be present. cfr-suspected-state-sponsor is represented as a string and **SHALL** be present. cfr-type-of-incident is represented as a string and **SHALL** be present. cfr-target-category is represented as an array containing one or more strings ans **SHALL** be present. +cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident and cfr-target-category **MAY** be used to report information gathered from CFR's (Council on Foreign Relations) [@?CFR] Cyber Operations Tracker. cfr-suspected-victims is represented as an array containing one or more strings and **SHALL** be present. cfr-suspected-state-sponsor is represented as a string and **SHALL** be present. cfr-type-of-incident is represented as a string and **SHALL** be present. cfr-target-category is represented as an array containing one or more strings ans **SHALL** be present. Example use of the cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-category fields in the threat-actor galaxy: ~~~~ 
@@ -217,6 +229,173 @@ Example use of the cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type- }, ~~~~ +# JSON Schema + +The JSON Schema [@?JSON-SCHEMA] below defines the overall MISP galaxy formats. The main format is the MISP galaxy format used for the clusters. + +## MISP galaxy format - clusters + +~~~~ +{ + "$schema": "http://json-schema.org/schema#", + "title": "Validator for misp-galaxies - Clusters", + "id": "https://www.github.com/MISP/misp-galaxies/schema_clusters.json", + "type": "object", + "additionalProperties": false, + "properties": { + "description": { + "type": "string" + }, + "type": { + "type": "string" + }, + "version": { + "type": "integer" + }, + "name": { + "type": "string" + }, + "uuid": { + "type": "string" + }, + "source": { + "type": "string" + }, + "values": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "object", + "additionalProperties": false, + "properties": { + "description": { + "type": "string" + }, + "value": { + "type": "string" + }, + "uuid": { + "type": "string" + }, + "related": { + "type": "array", + "additionalProperties": false, + "items": { + "type": "object" + }, + "properties": { + "dest-uuid": { + "type": "string" + }, + "type": { + "type": "string" + }, + "tags": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "string" + } + } + } + }, + "meta": { + "type": "object", + "additionalProperties": true, + "properties": { + "type": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "string" + } + }, + "complexity": { + "type": "string" + }, + "effectiveness": { + "type": "string" + }, + "country": { + "type": "string" + }, + "possible_issues": { + "type": "string" + }, + "colour": { + "type": "string" + }, + "motive": { + "type": "string" + }, + "impact": { + "type": "string" + }, + "refs": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "string" + } + }, + "synonyms": { + "type": "array", + "uniqueItems": true, + "items": { + "type": 
"string" + } + }, + "status": { + "type": "string" + }, + "date": { + "type": "string" + }, + "encryption": { + "type": "string" + }, + "extensions": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "string" + } + }, + "ransomnotes": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "string" + } + } + } + } + }, + "required": [ + "value" + ] + } + }, + "authors": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "string" + } + } + }, + "required": [ + "description", + "type", + "version", + "name", + "uuid", + "values", + "authors", + "source" + ] +} +~~~~ # Acknowledgements @@ -241,12 +420,21 @@ of open standards in threat intelligence sharing. - MISP Galaxy - + MISP Galaxy - Public Repository + + + MISP Galaxy - Documentation of the Public Repository + + + + + + MISP Object Relationship Types - common vocabulary of relationships @@ -263,5 +451,12 @@ of open standards in threat intelligence sharing. + + + Cyber Operations Tracker - Council on Foreign Relations + + + + {backmatter} diff --git a/misp-galaxy-format/raw.md.txt b/misp-galaxy-format/raw.md.txt index 8a3a17a..6e81e0b 100755 --- a/misp-galaxy-format/raw.md.txt +++ b/misp-galaxy-format/raw.md.txt @@ -19,9 +19,9 @@ Abstract attached to MISP events or attributes. A public directory of MISP galaxies is available and relies on the MISP galaxy format. MISP galaxies are used to add further informations on a MISP event. MISP - galaxy is a public repository [MISP-G] of known malware, threats - actors and various other collections of data that can be used to - mark, classify or label data in threat information sharing. + galaxy is a public repository [MISP-G] [MISP-G-DOC] of known malware, + threats actors and various other collections of data that can be used + to mark, classify or label data in threat information sharing. Status of This Memo 
@@ -31,7 +31,7 @@ Status of This Memo Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- - Drafts is at http://datatracker.ietf.org/drafts/current/. + Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any @@ -47,7 +47,7 @@ Copyright Notice This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents - (http://trustee.ietf.org/license-info) in effect on the date of + (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect 
@@ -67,15 +67,18 @@ Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Conventions and Terminology . . . . . . . . . . . . . . . 2 - 2. Format . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 + 2. Format . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 3 2.2. values . . . . . . . . . . . . . . . . . . . . . . . . . 3 - 2.3. meta . . . . . . . . . . . . . . . . . . . . . . . . . . 3 - 3. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 4 - 4. References . . . . . . . . . . . . . . . . . . . . . . . . . 4 - 4.1. Normative References . . . . . . . . . . . . . . . . . . 4 - 4.2. Informative References . . . . . . . . . . . . . . . . . 5 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 5 + 2.3. related . . . . . . . . . . . . . . . . . . . . . . . . . 3 + 2.4. meta . . . . . . . . . . . . . . . . . . . . . . . . . . 4 + 3. JSON Schema . . . . . . . . . . . . . . . . . . . . . . . . . 7 + 3.1. MISP galaxy format - clusters . . . . . . . . . . . . . . 7 + 4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 11 + 5. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 + 5.1. Normative References . . . . . . . . . . . . . . . . . . 11 + 5.2. Informative References . . . . . . . . . . . . . . . . . 11 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 1. Introduction @@ -101,10 +104,7 @@ Table of Contents "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. -2. Format - A cluster is composed of a value (MUST), a description (OPTIONAL) and - metadata (OPTIONAL). 
@@ -114,6 +114,11 @@ Dulaunoy, et al. Expires October 3, 2018 [Page 2] Internet-Draft MISP galaxy format April 2018 +2. Format + + A cluster is composed of a value (MUST), a description (OPTIONAL) and + metadata (OPTIONAL). + Clusters are represented as a JSON [RFC4627] dictionary. 2.1. Overview @@ -131,16 +136,17 @@ Internet-Draft MISP galaxy format April 2018 object reference and MUST be present. The description is represented as a string and MUST be present. The uuid is represented as a string and MUST be present. The version is represented as a decimal and - MUST be present. The source is represented as a string and MUST be - present. Authors are represented as an array containing one or more - authors and MUST be present. + MUST be present. The type is represented as a string and MUST be + present and MUST match the name of the galaxy file. The source is + represented as a string and MUST be present. Authors are represented + as an array containing one or more authors and MUST be present. Values are represented as an array containing one or more values and MUST be present. Values defines all values available in the galaxy. 2.2. values - The values array contains one or more JSON objects which represents + The values array contains one or more JSON objects which represent all the possible values in the galaxy. The JSON object contains four fields: value, description, uuid and meta. The value is represented as a string and MUST be present. The description is represented as a 
@@ -149,19 +155,13 @@ Internet-Draft MISP galaxy format April 2018 Universally Unique IDentifier (UUID) [RFC4122] of the value reference. The uuid SHOULD can be present and MUST be preserved. -2.3. meta - - Meta contains a list of custom defined JSON key value pairs. Users - SHOULD reuse commonly used keys such as 'properties, complexity, - effectiveness, country, possible_issues, colour, motive, impact, - refs, synonyms, derivated_from, status, date, encryption, extensions, - ransomnotes' wherever applicable. - - properties is used to provide clusters with additional properties. - Properties are represented as an array containing one or more strings - ans MAY be present. - +2.3. related + Related contains a list of JSON key value pairs which describe the + related values in this galaxy cluster or to other galaxy clusters. + The JSON object contains three fields, dest-uuid, type and tags. The + dest-uuid represents the target UUID which encompasses a relation of + some type. The dest-uuid is represented as a string and MUST be 
@@ -170,6 +170,44 @@ Dulaunoy, et al. Expires October 3, 2018 [Page 3] Internet-Draft MISP galaxy format April 2018 + present. The type is represented as a string and MUST be present and + SHOULD be selected from the relationship types available in MISP + objects [MISP-R]. The tags is a list of string which labels the + related relationship such as the level of similarities, level of + certainty, trust or confidence in the relationship, false-positive. + A tag is represented in machine tag format which is a string an + SHOULD be present. + +"related": [ { + "dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a", + "type": "similar", + "tags": ["estimative-language:likelihood-probability=\"very-likely\""] +} ] + +2.4. meta + + Meta contains a list of custom defined JSON key value pairs. Users + SHOULD reuse commonly used keys such as properties, complexity, + effectiveness, country, possible_issues, colour, motive, impact, + refs, synonyms, status, date, encryption, extensions, ransomnotes, + cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of- + incident, cfr-target-category wherever applicable. + + properties is used to provide clusters with additional properties. + Properties are represented as an array containing one or more strings + ans MAY be present. + + date, status MAY be used to give time information about an cluster. + date is represented as a string describing a time or period and SHALL + be present. status is represented as a string describing the current + status of the clusters. It MAY also describe a time or period and + SHALL be present. + + colour fields MAY be used at predicates or values level to set a + specify colour that MAY be used by the implementation. The colour + field is described as an RGB colour fill in hexadecimal + representation. + complexity, effectiveness, impact, possible_issues MAY be used to give further information in preventive-measure galaxy. 
complexity is represented by an enumerated value from a fixed vocabulary and SHALL 
@@ -178,46 +216,8 @@ Internet-Draft MISP galaxy format April 2018 enumerated value from a fixed vocabulary and SHALL be present. possible_issues is represented as a string and SHOULD be present. - country, motive MAY be used to give further information in threat- - actor galaxy. country is represented as a string and SHOULD be - present. motive is represented as a string and SHOULD be present. - - colour fields MAY be used at predicates or values level to set a - specify colour that MAY be used by the implementation. The colour - field is described as an RGB colour fill in hexadecimal - representation. - - encryption, extensions, ransomnotes MAY be used to give further - information in ransomware galaxy. encryption is represented as a - string and SHALL be present. extensions is represented as an array - containing one or more strings and SHALL be present. ransomnotes is - represented as an array containing one or more strings ans SHALL be - present. - - date, status MAY be used to give time information about an cluster. - date is represented as a string describing a time or period and SHALL - be present. status is represented as a string describing the current - status of the clusters. It MAY also describe a time or period and - SHALL be present. - - derivated_from, refs, synonyms SHALL be used to give further - informations. refs is represented as an containing one or ore string - and SHALL be present. synonyms is represented as an containing one or - ore string and SHALL be present. derivated_from is represented as an - containing one or ore string and SHALL be present. - -3. Acknowledgements - - The authors wish to thank all the MISP community who are supporting - the creation of open standards in threat intelligence sharing. - -4. References - -4.1. Normative References - - - - + Example use of the complexity, effectiveness, impact, possible_issues + fields in the preventive-measure galaxy: 
@@ -226,28 +226,408 @@ Dulaunoy, et al. Expires October 3, 2018 [Page 4] Internet-Draft MISP galaxy format April 2018 +{ + "meta": { + "refs": [ + "http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/AdminTips/Customization/DisableWindowsScriptingHostWSH.html" + ], + "complexity": "Low", + "effectiveness": "Medium", + "impact": "Medium", + "type": [ + "GPO" + ], + "possible_issues": "Administrative VBS scripts on Workstations" + }, + "value": "Disable WSH", + "description": "Disable Windows Script Host", + "uuid": "e6df1619-f8b3-476c-b5cf-22b4c9e9dd7f" +} + + country, motive MAY be used to give further information in threat- + actor galaxy. country is represented as a string and SHOULD be + present. motive is represented as a string and SHOULD be present. + + Example use of the country, motive fields in the threat-actor galaxy: + + { + "meta": { + "country": "CN", + "synonyms": [ + "APT14", + "APT 14", + "QAZTeam", + "ALUMINUM" + ], + "refs": [ + "http://www.crowdstrike.com/blog/whois-anchor-panda/" + ], + "motive": "Espionage" + }, + "value": "Anchor Panda", + "description": "PLA Navy", + "uuid": "c82c904f-b3b4-40a2-bf0d-008912953104" + } + + encryption, extensions, ransomnotes MAY be used to give further + information in ransomware galaxy. encryption is represented as a + string and SHALL be present. extensions is represented as an array + containing one or more strings and SHALL be present. ransomnotes is + + + + +Dulaunoy, et al. Expires October 3, 2018 [Page 5] + +Internet-Draft MISP galaxy format April 2018 + + + represented as an array containing one or more strings ans SHALL be + present. 
+ + Example use of the encryption, extensions, ransomnotes fields in the + ransomware galaxy: + +{ + "meta": { + "refs": [ + "https://www.bleepingcomputer.com/news/security/revenge-ransomware-a-cryptomix-variant-being-distributed-by-rig-exploit-kit/", + "https://id-ransomware.blogspot.co.il/2017/03/revenge-ransomware.html" + ], + "ransomnotes": [ + "https://2.bp.blogspot.com/-KkPVDxjy8tk/WM7LtYHmuAI/AAAAAAAAEUw/kDJghaq-j1AZuqjzqk2Fkxpp4yr9Yeb5wCLcB/s1600/revenge-note-2.jpg", + "===ENGLISH=== All of your files were encrypted using REVENGE Ransomware. The action required to restore the files. Your files are not lost, they can be returned to their normal state by decoding them. The only way to do this is to get the software and your personal decryption key. Using any other software that claims to be able to recover your files will result in corrupted or destroyed files. You can purchase the software and the decryption key by sending us an email with your ID. And we send instructions for payment. After payment, you receive the software to return all files. For proof, we can decrypt one file for free. Attach it to an e-mail.", + "# !!!HELP_FILE!!! #.txt" + ], + "encryption": "AES-256 + RSA-1024", + "extensions": [ + ".REVENGE" + ], + "date": "March 2017" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. CryptoMix / CryptFile2 Variant", + "value": "Revenge Ransomware", + "uuid": "987d36d5-6ba8-484d-9e0b-7324cc886b0e" +} + + source-uuid, target-uuid SHALL be used to describe relationships. + source-uuid and target-uuid represent the Universally Unique + IDentifier (UUID) [RFC4122] of the value reference. source-uuid and + target-uuid MUST be preserved. 
+ + Example use of the source-uuid, target-uuid fields in the mitre- + enterprise-attack-relationship galaxy: + + { + "meta": { + "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", + "target-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78" + }, + "uuid": "cfc7da70-d7c5-4508-8f50-1c3107269633", + "value": "menuPass (G0045) uses EvilGrab (S0152)" + } + + cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of- + incident and cfr-target-category MAY be used to report information + gathered from CFR's (Council on Foreign Relations) [CFR] Cyber + + + +Dulaunoy, et al. Expires October 3, 2018 [Page 6] + +Internet-Draft MISP galaxy format April 2018 + + + Operations Tracker. cfr-suspected-victims is represented as an array + containing one or more strings and SHALL be present. cfr-suspected- + state-sponsor is represented as a string and SHALL be present. cfr- + type-of-incident is represented as a string and SHALL be present. + cfr-target-category is represented as an array containing one or more + strings ans SHALL be present. + + Example use of the cfr-suspected-victims, cfr-suspected-state- + sponsor, cfr-type-of-incident, cfr-target-category fields in the + threat-actor galaxy: + +{ + "meta": { + "country": "CN", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html", + "https://www.cfr.org/interactive/cyber-operations/apt-16" + ], + "cfr-suspected-victims": [ + "Japan", + "Taiwan" + ], + "cfr-suspected-state-sponsor": "China", + "cfr-type-of-incident": "Espionage", + "cfr-target-category": [ + "Private sector" + ] + }, + "value": "APT 16", + "uuid": "1f73e14f-b882-4032-a565-26dc653b0daf" +}, + +3. JSON Schema + + The JSON Schema [JSON-SCHEMA] below defines the overall MISP galaxy + formats. The main format is the MISP galaxy format used for the + clusters. + +3.1. 
MISP galaxy format - clusters + +{ + "$schema": "http://json-schema.org/schema#", + "title": "Validator for misp-galaxies - Clusters", + "id": "https://www.github.com/MISP/misp-galaxies/schema_clusters.json", + "type": "object", + "additionalProperties": false, + "properties": { + "description": { + + + +Dulaunoy, et al. Expires October 3, 2018 [Page 7] + +Internet-Draft MISP galaxy format April 2018 + + + "type": "string" + }, + "type": { + "type": "string" + }, + "version": { + "type": "integer" + }, + "name": { + "type": "string" + }, + "uuid": { + "type": "string" + }, + "source": { + "type": "string" + }, + "values": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "object", + "additionalProperties": false, + "properties": { + "description": { + "type": "string" + }, + "value": { + "type": "string" + }, + "uuid": { + "type": "string" + }, + "related": { + "type": "array", + "additionalProperties": false, + "items": { + "type": "object" + }, + "properties": { + "dest-uuid": { + "type": "string" + }, + "type": { + "type": "string" + }, + "tags": { + "type": "array", + + + +Dulaunoy, et al. Expires October 3, 2018 [Page 8] + +Internet-Draft MISP galaxy format April 2018 + + + "uniqueItems": true, + "items": { + "type": "string" + } + } + } + }, + "meta": { + "type": "object", + "additionalProperties": true, + "properties": { + "type": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "string" + } + }, + "complexity": { + "type": "string" + }, + "effectiveness": { + "type": "string" + }, + "country": { + "type": "string" + }, + "possible_issues": { + "type": "string" + }, + "colour": { + "type": "string" + }, + "motive": { + "type": "string" + }, + "impact": { + "type": "string" + }, + "refs": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "string" + } + }, + "synonyms": { + "type": "array", + + + +Dulaunoy, et al. 
Expires October 3, 2018 [Page 9] + +Internet-Draft MISP galaxy format April 2018 + + + "uniqueItems": true, + "items": { + "type": "string" + } + }, + "status": { + "type": "string" + }, + "date": { + "type": "string" + }, + "encryption": { + "type": "string" + }, + "extensions": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "string" + } + }, + "ransomnotes": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "string" + } + } + } + } + }, + "required": [ + "value" + ] + } + }, + "authors": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "string" + } + } + }, + "required": [ + "description", + "type", + "version", + + + +Dulaunoy, et al. Expires October 3, 2018 [Page 10] + +Internet-Draft MISP galaxy format April 2018 + + + "name", + "uuid", + "values", + "authors", + "source" + ] +} + +4. Acknowledgements + + The authors wish to thank all the MISP community who are supporting + the creation of open standards in threat intelligence sharing. + +5. References + +5.1. Normative References + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, - DOI 10.17487/RFC2119, March 1997, . + DOI 10.17487/RFC2119, March 1997, + . [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally Unique IDentifier (UUID) URN Namespace", RFC 4122, - DOI 10.17487/RFC4122, July 2005, . + DOI 10.17487/RFC4122, July 2005, + . [RFC4627] Crockford, D., "The application/json Media Type for JavaScript Object Notation (JSON)", RFC 4627, - DOI 10.17487/RFC4627, July 2006, . + DOI 10.17487/RFC4627, July 2006, + . -4.2. Informative References +5.2. Informative References - [MISP-G] MISP, , "MISP Galaxy -", . + [CFR] CFR, "Cyber Operations Tracker - Council on Foreign + Relations", 2018, + . - [MISP-P] MISP, , "MISP Project - Malware Information Sharing - Platform and Threat Sharing", . + [JSON-SCHEMA] + "JSON Schema: A Media Type for Describing JSON Documents", + 2016, + . 
+ + [MISP-G] MISP, "MISP Galaxy - Public Repository", + . + + + + + + +Dulaunoy, et al. Expires October 3, 2018 [Page 11] + +Internet-Draft MISP galaxy format April 2018 + + + [MISP-G-DOC] + MISP, "MISP Galaxy - Documentation of the Public + Repository", . + + [MISP-P] MISP, "MISP Project - Malware Information Sharing Platform + and Threat Sharing", . + + [MISP-R] MISP, "MISP Object Relationship Types - common vocabulary + of relationships", . Authors' Addresses @@ -271,17 +651,6 @@ Authors' Addresses Email: andras.iklody@circl.lu - - - - - - -Dulaunoy, et al. Expires October 3, 2018 [Page 5] - -Internet-Draft MISP galaxy format April 2018 - - Deborah Servili Computer Incident Response Center Luxembourg 16, bd d'Avranches @@ -300,37 +669,4 @@ Internet-Draft MISP galaxy format April 2018 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Dulaunoy, et al. Expires October 3, 2018 [Page 6] +Dulaunoy, et al. Expires October 3, 2018 [Page 12] diff --git a/misp-object-template-format/raw.md b/misp-object-template-format/raw.md index ca79e49..be05b5a 100755 --- a/misp-object-template-format/raw.md +++ b/misp-object-template-format/raw.md @@ -99,7 +99,7 @@ version is represented as a JSON string. version **MUST** be present. meta-category represents the sub-category of objects that the given object template belongs to. meta-categories are not tied to a fixed list of options but can be created on the fly. -meta-category is represented as a JSON string. meta-category **MUST** be present +meta-category is represented as a JSON string. meta-category **MUST** be present. #### name diff --git a/misp-warninglist-format/raw.md b/misp-warninglist-format/raw.md index fd03c17..9683398 100644 --- a/misp-warninglist-format/raw.md +++ b/misp-warninglist-format/raw.md 
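Review bot: In the new clusters schema (section 3.1) the `related` subschema puts `"additionalProperties": false` and the `dest-uuid`/`type`/`tags` `properties` on the array object itself, where JSON Schema ignores them, while `items` is only `{"type": "object"}`, so any relationship entry validates whatever it contains. Moving those keywords under `items` makes the intended constraint effective, as sketched below. Relatedly, `uuid`, `dest-uuid` and the `source-uuid`/`target-uuid` fields that the prose says MUST be RFC 4122 UUIDs are plain unconstrained strings (and `meta` has `additionalProperties: true`), so a `pattern` for the RFC 4122 form on the uuid-typed properties would let the schema reject malformed identifiers that implementations otherwise have to catch themselves. The added prose also twice reads `strings ans SHALL be present` (ransomnotes, cfr-target-category) where `and` is meant.
```json
"related": {
  "type": "array",
  "items": {
    "type": "object",
    "additionalProperties": false,
    "properties": {
      "dest-uuid": { "type": "string" },
      "type": { "type": "string" },
      "tags": {
        "type": "array",
        "uniqueItems": true,
        "items": { "type": "string" }
      }
    }
  }
},
```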
@@ -1,5 +1,5 @@
-% Title = "MISP galaxy format"
-% abbrev = "MISP galaxy format"
+% Title = "MISP warning lists format"
+% abbrev = "MISP warning lists format"
 % category = "info"
 % docName = "draft-dulaunoy-misp-warninglists-format"
 % ipr= "trust200902"