chg: [core] updated to the latest version of mmark format

pull/28/head
Alexandre Dulaunoy 2019-07-16 07:27:48 +02:00
parent 515467efa2
commit c7db81bf63
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
1 changed files with 94 additions and 91 deletions


@ -1,40 +1,42 @@
% Title = "MISP core format"
% abbrev = "MISP core format"
% category = "info"
% docName = "draft-dulaunoy-misp-core-format"
% ipr= "trust200902"
% area = "Security"
%
% date = 2018-08-08T00:00:00Z
%
% [[author]]
% initials="A."
% surname="Dulaunoy"
% fullname="Alexandre Dulaunoy"
% abbrev="CIRCL"
% organization = "Computer Incident Response Center Luxembourg"
% [author.address]
% email = "alexandre.dulaunoy@circl.lu"
% phone = "+352 247 88444"
% [author.address.postal]
% street = "16, bd d'Avranches"
% city = "Luxembourg"
% code = "L-1160"
% country = "Luxembourg"
% [[author]]
% initials="A."
% surname="Iklody"
% fullname="Andras Iklody"
% abbrev="CIRCL"
% organization = "Computer Incident Response Center Luxembourg"
% [author.address]
% email = "andras.iklody@circl.lu"
% phone = "+352 247 88444"
% [author.address.postal]
% street = "16, bd d'Avranches"
% city = "Luxembourg"
% code = "L-1160"
% country = "Luxembourg"
%%%
Title = "MISP core format"
abbrev = "MISP core format"
category = "info"
docName = "draft-dulaunoy-misp-core-format"
ipr= "trust200902"
area = "Security"
date = 2018-08-08T00:00:00Z
[[author]]
initials="A."
surname="Dulaunoy"
fullname="Alexandre Dulaunoy"
abbrev="CIRCL"
organization = "Computer Incident Response Center Luxembourg"
[author.address]
email = "alexandre.dulaunoy@circl.lu"
phone = "+352 247 88444"
[author.address.postal]
street = "16, bd d'Avranches"
city = "Luxembourg"
code = "L-1160"
country = "Luxembourg"
[[author]]
initials="A."
surname="Iklody"
fullname="Andras Iklody"
abbrev="CIRCL"
organization = "Computer Incident Response Center Luxembourg"
[author.address]
email = "andras.iklody@circl.lu"
phone = "+352 247 88444"
[author.address.postal]
street = "16, bd d'Avranches"
city = "Luxembourg"
code = "L-1160"
country = "Luxembourg"
%%%
.# Abstract
@ -105,7 +107,7 @@ of the event. info **SHOULD** NOT be bigger than 256 characters and **SHOULD** N
info is represented as a JSON string. info **MUST** be present.
#### threat_level_id
#### threat\_level\_id
threat_level_id represents the threat level.
@ -154,13 +156,13 @@ timestamp represents a reference time when the event, or one of the attributes w
timestamp is represented as a JSON string. timestamp **MUST** be present.
#### publish_timestamp
#### publish\_timestamp
publish_timestamp represents a reference time when the event was published on the instance. published_timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). At each publication of an event, publish_timestamp **MUST** be updated. The time zone **MUST** be UTC. If the published_timestamp is present and the published flag is set to false, the publish_timestamp represents the previous publication timestamp. If the event was never published, the published_timestamp **MUST** be set to 0.
publish_timestamp is represented as a JSON string. publish_timestamp **MUST** be present.
#### org_id
#### org\_id
org_id represents a human-readable identifier referencing an Org object of the organisation which generated the event. A human-readable identifier **MUST** be
represented as an unsigned integer.
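Review bot: the heading is escaped to `publish\_timestamp` but the body paragraph beneath it refers three times to `published_timestamp` ("published_timestamp is expressed in seconds", "If the published_timestamp is present", "the published_timestamp **MUST** be set to 0") while the field is named `publish_timestamp`; since these lines are being touched anyway, correct the body to `publish_timestamp` so the prose and the JSON key agree.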
@ -169,7 +171,7 @@ The org_id **MUST** be updated when the event is generated by a new instance.
org_id is represented as a JSON string. org_id **MUST** be present.
#### orgc_id
#### orgc\_id
orgc_id represents a human-readable identifier referencing an Orgc object of the organisation which created the event.
@ -177,7 +179,7 @@ The orgc_id and Org object **MUST** be preserved for any updates or transfer of
orgc_id is represented as a JSON string. orgc_id **MUST** be present.
#### attribute_count
#### attribute\_count
attribute_count represents the number of attributes in the event. attribute_count is expressed in decimal.
@ -204,7 +206,7 @@ distribution is represented by a JSON string. distribution **MUST** be present a
4
: Sharing Group
#### sharing_group_id
#### sharing\_group\_id
sharing\_group\_id represents a human-readable identifier referencing a Sharing Group object that defines the distribution of the event, if distribution level "4" is set. A human-readable identifier **MUST** be represented as an unsigned integer.
@ -307,52 +309,52 @@ type represents the means through which an attribute tries to describe the inten
type is represented as a JSON string. type **MUST** be present and it **MUST** be a valid selection for the chosen category. The list of valid category-type combinations is as follows:
**Antivirus detection**
Antivirus detection
: link, comment, text, hex, attachment, other, anonymised
**Artifacts dropped**
Artifacts dropped
: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, pdb, stix2-pattern, yara, sigma, attachment, malware-sample, named pipe, mutex, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene, mime-type, anonymised
**Attribution**
Attribution
: threat-actor, campaign-name, campaign-id, whois-registrant-phone, whois-registrant-email, whois-registrant-name, whois-registrant-org, whois-registrar, whois-creation-date, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, dns-soa-email, anonymised
**External analysis**
External analysis
: md5, sha1, sha256, filename, filename|md5, filename|sha1, filename|sha256, ip-src, ip-dst, ip-dst|port, ip-src|port, mac-address, mac-eui-64, hostname, domain, domain|ip, url, user-agent, regkey, regkey|value, AS, snort, bro, zeek, pattern-in-file, pattern-in-traffic, pattern-in-memory, vulnerability, attachment, malware-sample, link, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, github-repository, other, cortex, anonymised
**Financial fraud**
Financial fraud
: btc, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, phone-number, comment, text, other, hex, anonymised
**Internal reference**
Internal reference
: text, link, comment, other, hex, anonymised
**Network activity**
Network activity
: ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email-dst, url, uri, user-agent, http-method, AS, snort, pattern-in-file, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised
**Other**
Other
: comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean, anonymised
**Payload delivery**
Payload delivery
: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, whois-registrant-email, anonymised
**Payload installation**
Payload installation
: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, stix2-pattern, yara, sigma, vulnerability, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, other, mime-type, anonymised
**Payload type**
Payload type
: comment, text, other, anonymised
**Persistence mechanism**
Persistence mechanism
: filename, regkey, regkey|value, comment, text, other, hex, anonymised
**Person**
Person
: first-name, middle-name, last-name, date-of-birth, place-of-birth, gender, passport-number, passport-country, passport-expiration, redress-number, nationality, visa-number, issue-date-of-the-visa, primary-residence, country-of-residence, special-service-request, frequent-flyer-number, travel-details, payment-details, place-port-of-original-embarkation, place-port-of-clearance, place-port-of-onward-foreign-destination, passenger-name-record-locator-number, comment, text, other, phone-number, identity-card-number, anonymised
**Social network**
Social network
: github-username, github-repository, github-organisation, jabber-id, twitter-id, email-src, email-dst, comment, text, other, whois-registrant-email, anonymised
**Support Tool**
Support Tool
: link, text, attachment, comment, other, hex, anonymised
**Targeting data**
Targeting data
: target-user, target-email, target-machine, target-org, target-location, target-external, comment, anonymised
Attributes are based on the usage within their different communities. Attributes can be extended on a regular basis and this reference document is updated accordingly.
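Review bot: the category terms drop their `**bold**` markup here, and the same change is made to the identical list further down in this patch, so the two copies stay in sync; if the intent is that the definition-list term must be plain text under the new format, a one-line note in the commit message (or a comment in the source) would help the next editor not reintroduce the bold. Also visible in the hunk: "Support Tool" is the only category with a capitalised second word ("Targeting data", "Social network" are not); worth normalising while the list is being rewritten.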
@ -414,7 +416,7 @@ comment is a contextual comment field.
comment is represented by a JSON string. comment **MAY** be present.
#### sharing_group_id
#### sharing\_group\_id
sharing\_group\_id represents a human-readable identifier referencing a Sharing Group object that defines the distribution of the attribute, if distribution level "4" is set. A human-readable identifier **MUST** be represented as an unsigned integer.
@ -517,52 +519,52 @@ type represents the means through which an attribute tries to describe the inten
type is represented as a JSON string. type **MUST** be present and it **MUST** be a valid selection for the chosen category. The list of valid category-type combinations is as follows:
**Antivirus detection**
Antivirus detection
: link, comment, text, hex, attachment, other, anonymised
**Artifacts dropped**
Artifacts dropped
: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, pdb, stix2-pattern, yara, sigma, attachment, malware-sample, named pipe, mutex, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene, mime-type, anonymised
**Attribution**
Attribution
: threat-actor, campaign-name, campaign-id, whois-registrant-phone, whois-registrant-email, whois-registrant-name, whois-registrant-org, whois-registrar, whois-creation-date, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, dns-soa-email, anonymised
**External analysis**
External analysis
: md5, sha1, sha256, filename, filename|md5, filename|sha1, filename|sha256, ip-src, ip-dst, ip-dst|port, ip-src|port, mac-address, mac-eui-64, hostname, domain, domain|ip, url, user-agent, regkey, regkey|value, AS, snort, bro, zeek, pattern-in-file, pattern-in-traffic, pattern-in-memory, vulnerability, attachment, malware-sample, link, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, github-repository, other, cortex, anonymised
**Financial fraud**
Financial fraud
: btc, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, phone-number, comment, text, other, hex, anonymised
**Internal reference**
Internal reference
: text, link, comment, other, hex, anonymised
**Network activity**
Network activity
: ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email-dst, url, uri, user-agent, http-method, AS, snort, pattern-in-file, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised
**Other**
Other
: comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean, anonymised
**Payload delivery**
Payload delivery
: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, whois-registrant-email, anonymised
**Payload installation**
Payload installation
: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, stix2-pattern, yara, sigma, vulnerability, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, other, mime-type, anonymised
**Payload type**
Payload type
: comment, text, other, anonymised
**Persistence mechanism**
Persistence mechanism
: filename, regkey, regkey|value, comment, text, other, hex, anonymised
**Person**
Person
: first-name, middle-name, last-name, date-of-birth, place-of-birth, gender, passport-number, passport-country, passport-expiration, redress-number, nationality, visa-number, issue-date-of-the-visa, primary-residence, country-of-residence, special-service-request, frequent-flyer-number, travel-details, payment-details, place-port-of-original-embarkation, place-port-of-clearance, place-port-of-onward-foreign-destination, passenger-name-record-locator-number, comment, text, other, phone-number, identity-card-number, anonymised
**Social network**
Social network
: github-username, github-repository, github-organisation, jabber-id, twitter-id, email-src, email-dst, comment, text, other, whois-registrant-email, anonymised
**Support Tool**
Support Tool
: link, text, attachment, comment, other, hex, anonymised
**Targeting data**
Targeting data
: target-user, target-email, target-machine, target-org, target-location, target-external, comment, anonymised
Attributes are based on the usage within their different communities. Attributes can be extended on a regular basis and this reference document is updated accordingly.
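Review bot: this list is a verbatim duplicate of the category-type list changed earlier in the same patch (two sections describe the same category/type mapping); maintaining it in two places is how the two copies drift, so consider generating both from one source or, at minimum, keeping a comment in the source that the two lists must be edited together.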
@ -686,9 +688,10 @@ The schema used is described by the template_uuid and template_version fields.
A MISP document containing an Object **MUST** contain a name, a meta-category, a description, a template_uuid and a template_version as described in the "Object Attributes" section.
### Sample Object object
### Sample Object
~~~~~
{#fig-sample-object}
~~~
"Object": {
"id": "588",
"name": "file",
@ -729,7 +732,7 @@ A MISP document containing an Object **MUST** contain a name, a meta-category, a
"last_seen": null
]
}
~~~~~
~~~
### Object Attributes
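Review bot: the closing fence is changed from `~~~~~` to `~~~` to match the new opening fence; make sure no other code block in the file still opens with five tildes and closes with three (or vice versa), as a mismatched pair would swallow the following section as code.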
@ -764,19 +767,19 @@ description is a human-readable description of the given object type, as derived
description is represented as a JSON string. id **SHALL** be present.
#### template_uuid
#### template\_uuid
uuid represents the Universally Unique IDentifier (UUID) [@!RFC4122] of the template used to create the object. The uuid **MUST** be preserved
to preserve the object's association with the correct template used for creation. UUID version 4 is **RECOMMENDED** when assigning it to a new object.
#### template_version
#### template\_version
template_version represents a numeric incrementing version of the template used to create the object. It is used to associate the object to the
correct version of the template and together with the template_uuid forms an association to the correct template type and version.
version is represented as a JSON string. version **MUST** be present.
#### event_id
#### event\_id
event_id represents the human-readable identifier of the event that the object belongs to on a specific MISP instance. A human-readable identifier **MUST** be
represented as an unsigned integer.
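Review bot: several field descriptions in this hunk name the wrong field, which is worth fixing while the headings are being escaped: under description the text reads "id **SHALL** be present" (should be description, and the other fields use **MUST**); under template\_uuid the paragraph begins "uuid represents …" and "The uuid **MUST** be preserved" rather than template_uuid; under template\_version the closing sentence reads "version is represented as a JSON string. version **MUST** be present." rather than template_version.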
@ -810,7 +813,7 @@ distribution is represented by a JSON string. distribution **MUST** be present a
4
: Sharing Group
#### sharing_group_id
#### sharing\_group\_id
sharing\_group\_id represents a human-readable identifier referencing a Sharing Group object that defines the distribution of the object, if distribution level "4" is set. A human-readable identifier **MUST** be represented as an unsigned integer.
@ -834,13 +837,13 @@ Attribute is an array of attributes that describe the object with data.
Each attribute in an object **MUST** contain the parent event's ID in the event_id field and the parent object's ID in the object_id field.
#### first_seen
#### first\_seen
first_seen represents a reference time when the object was first seen. first_seen as an ISO 8601 datetime up to the micro-second with time zone support.
first_seen is represented as a JSON string. first_seen **MAY** be present.
#### last_seen
#### last\_seen
last_seen represents a reference time when the object was last seen. last_seen as an ISO 8601 datetime up to the micro-second with time zone support.
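Review bot: "first_seen as an ISO 8601 datetime up to the micro-second with time zone support." and the matching last_seen sentence are fragments missing a verb; suggest "first_seen is represented as an ISO 8601 datetime …" so they read like the other field descriptions.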
@ -850,9 +853,9 @@ last_seen is represented as a JSON string. last_seen **MAY** be present.
Object References serve as a logical link between an Object and another referenced Object or Attribute. The relationship is categorised by an enumerated value from a fixed vocabulary.
The relationship_type is recommended to be taken from the MISP object relationship list [[@?MISP-R]] is **RECOMMENDED** to ensure a coherent naming of the tags
The relationship\_type is recommended to be taken from the MISP object relationship list [[@?MISP-R]] is **RECOMMENDED** to ensure a coherent naming of the tags
All Object References **MUST** contain an object_uuid, a referenced_uuid and a relationship type.
All Object References **MUST** contain an object\_uuid, a referenced\_uuid and a relationship type.
### Sample ObjectReference object
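Review bot: the relationship\_type sentence states the recommendation twice ("is recommended to be taken from … is **RECOMMENDED** to ensure") and has no terminating period; suggest "The relationship\_type **SHOULD** be taken from the MISP object relationship list [[@?MISP-R]] to ensure coherent naming of the tags." Also, the sentence speaks of "tags" while the subject is object relationship types; confirm that is the intended word.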
@ -936,14 +939,14 @@ deleted represents a setting that allows object references to be revoked. Revoke
deleted is represented by a JSON boolean. deleted **MUST** be present.
#### object_uuid
#### object\_uuid
object_uuid represents the Universally Unique IDentifier (UUID) [@!RFC4122] of the object that the given object reference belongs to. The object_uuid **MUST** be preserved
object\_uuid represents the Universally Unique IDentifier (UUID) [@!RFC4122] of the object that the given object reference belongs to. The object\_uuid **MUST** be preserved
to preserve the object reference's association with the object.
#### referenced_uuid
#### referenced\_uuid
referenced_uuid represents the Universally Unique IDentifier (UUID) [@!RFC4122] of the object or attribute that is being referenced by the object reference. The referenced_uuid **MUST** be preserved
referenced\_uuid represents the Universally Unique IDentifier (UUID) [@!RFC4122] of the object or attribute that is being referenced by the object reference. The referenced\_uuid **MUST** be preserved
to preserve the object reference's association with the object or attribute.
## Tag
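Review bot: this hunk escapes underscores in the body text as well (`object\_uuid`, `referenced\_uuid`), whereas every earlier hunk in the patch escapes only the `####` heading and leaves the body (`threat_level_id`, `org_id`, `template_version`, …) unescaped; choose one convention for the whole document, since a mix of escaped and unescaped field names is harder to grep and may render differently depending on the processor.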