diff --git a/misp-core-format/raw.md b/misp-core-format/raw.md index 629dee7..6011021 100755 --- a/misp-core-format/raw.md +++ b/misp-core-format/raw.md 
@@ -1,40 +1,42 @@ -% Title = "MISP core format" -% abbrev = "MISP core format" -% category = "info" -% docName = "draft-dulaunoy-misp-core-format" -% ipr= "trust200902" -% area = "Security" -% -% date = 2018-08-08T00:00:00Z -% -% [[author]] -% initials="A." -% surname="Dulaunoy" -% fullname="Alexandre Dulaunoy" -% abbrev="CIRCL" -% organization = "Computer Incident Response Center Luxembourg" -% [author.address] -% email = "alexandre.dulaunoy@circl.lu" -% phone = "+352 247 88444" -% [author.address.postal] -% street = "16, bd d'Avranches" -% city = "Luxembourg" -% code = "L-1160" -% country = "Luxembourg" -% [[author]] -% initials="A." -% surname="Iklody" -% fullname="Andras Iklody" -% abbrev="CIRCL" -% organization = "Computer Incident Response Center Luxembourg" -% [author.address] -% email = "andras.iklody@circl.lu" -% phone = "+352 247 88444" -% [author.address.postal] -% street = "16, bd d'Avranches" -% city = "Luxembourg" -% code = "L-1160" -% country = "Luxembourg" +%%% +Title = "MISP core format" +abbrev = "MISP core format" +category = "info" +docName = "draft-dulaunoy-misp-core-format" +ipr= "trust200902" +area = "Security" + +date = 2018-08-08T00:00:00Z + +[[author]] +initials="A." +surname="Dulaunoy" +fullname="Alexandre Dulaunoy" +abbrev="CIRCL" +organization = "Computer Incident Response Center Luxembourg" + [author.address] + email = "alexandre.dulaunoy@circl.lu" + phone = "+352 247 88444" + [author.address.postal] + street = "16, bd d'Avranches" + city = "Luxembourg" + code = "L-1160" + country = "Luxembourg" +[[author]] +initials="A." +surname="Iklody" +fullname="Andras Iklody" +abbrev="CIRCL" +organization = "Computer Incident Response Center Luxembourg" + [author.address] + email = "andras.iklody@circl.lu" + phone = "+352 247 88444" + [author.address.postal] + street = "16, bd d'Avranches" + city = "Luxembourg" + code = "L-1160" + country = "Luxembourg" +%%% .# Abstract 
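Review bot: the `ipr= "trust200902"` key in the new `%%%` block keeps the old `ipr=` spacing while every other key uses `key = value`; align it with the rest of the TOML block. The `date = 2018-08-08T00:00:00Z` line is also carried over unchanged by this frontmatter migration, so check whether the draft date is meant to stay at that value or should be bumped along with the format change.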
@@ -105,7 +107,7 @@ of the event. info **SHOULD** NOT be bigger than 256 characters and **SHOULD** N info is represented as a JSON string. info **MUST** be present. -#### threat_level_id +#### threat\_level\_id threat_level_id represents the threat level. @@ -154,13 +156,13 @@ timestamp represents a reference time when the event, or one of the attributes w timestamp is represented as a JSON string. timestamp **MUST** be present. -#### publish_timestamp +#### publish\_timestamp publish_timestamp represents a reference time when the event was published on the instance. published_timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). At each publication of an event, publish_timestamp **MUST** be updated. The time zone **MUST** be UTC. If the published_timestamp is present and the published flag is set to false, the publish_timestamp represents the previous publication timestamp. If the event was never published, the published_timestamp **MUST** be set to 0. publish_timestamp is represented as a JSON string. publish_timestamp **MUST** be present. -#### org_id +#### org\_id org_id represents a human-readable identifier referencing an Org object of the organisation which generated the event. A human-readable identifier **MUST** be represented as an unsigned integer. @@ -169,7 +171,7 @@ The org_id **MUST** be updated when the event is generated by a new instance. org_id is represented as a JSON string. org_id **MUST** be present. -#### orgc_id +#### orgc\_id orgc_id represents a human-readable identifier referencing an Orgc object of the organisation which created the event. @@ -177,7 +179,7 @@ The orgc_id and Org object **MUST** be preserved for any updates or transfer of orgc_id is represented as a JSON string. orgc_id **MUST** be present. -#### attribute_count +#### attribute\_count attribute_count represents the number of attributes in the event. attribute_count is expressed in decimal. 
@@ -204,7 +206,7 @@ distribution is represented by a JSON string. distribution **MUST** be present a 4 : Sharing Group -#### sharing_group_id +#### sharing\_group\_id sharing\_group\_id represents a human-readable identifier referencing a Sharing Group object that defines the distribution of the event, if distribution level "4" is set. A human-readable identifier **MUST** be represented as an unsigned integer. 
@@ -307,52 +309,52 @@ type represents the means through which an attribute tries to describe the inten type is represented as a JSON string. type **MUST** be present and it **MUST** be a valid selection for the chosen category. The list of valid category-type combinations is as follows: -**Antivirus detection** +Antivirus detection : link, comment, text, hex, attachment, other, anonymised -**Artifacts dropped** +Artifacts dropped : md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, pdb, stix2-pattern, yara, sigma, attachment, malware-sample, named pipe, mutex, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene, mime-type, anonymised -**Attribution** +Attribution : threat-actor, campaign-name, campaign-id, whois-registrant-phone, whois-registrant-email, whois-registrant-name, whois-registrant-org, whois-registrar, whois-creation-date, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, dns-soa-email, anonymised -**External analysis** +External analysis : md5, sha1, sha256, filename, filename|md5, filename|sha1, filename|sha256, ip-src, ip-dst, ip-dst|port, ip-src|port, mac-address, mac-eui-64, hostname, domain, domain|ip, url, user-agent, regkey, regkey|value, AS, snort, bro, zeek, pattern-in-file, pattern-in-traffic, pattern-in-memory, vulnerability, attachment, malware-sample, link, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, 
github-repository, other, cortex, anonymised -**Financial fraud** +Financial fraud : btc, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, phone-number, comment, text, other, hex, anonymised -**Internal reference** +Internal reference : text, link, comment, other, hex, anonymised -**Network activity** +Network activity : ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email-dst, url, uri, user-agent, http-method, AS, snort, pattern-in-file, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised -**Other** +Other : comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean, anonymised -**Payload delivery** +Payload delivery : md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, whois-registrant-email, anonymised 
-**Payload installation** +Payload installation : md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, stix2-pattern, yara, sigma, vulnerability, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, other, mime-type, anonymised -**Payload type** +Payload type : comment, text, other, anonymised -**Persistence mechanism** +Persistence mechanism : filename, regkey, regkey|value, comment, text, other, hex, anonymised -**Person** +Person : first-name, middle-name, last-name, date-of-birth, place-of-birth, gender, passport-number, passport-country, passport-expiration, redress-number, nationality, visa-number, issue-date-of-the-visa, primary-residence, country-of-residence, special-service-request, frequent-flyer-number, travel-details, payment-details, place-port-of-original-embarkation, place-port-of-clearance, place-port-of-onward-foreign-destination, passenger-name-record-locator-number, comment, text, other, phone-number, identity-card-number, anonymised -**Social network** +Social network : github-username, github-repository, github-organisation, jabber-id, twitter-id, email-src, email-dst, comment, text, other, whois-registrant-email, anonymised -**Support Tool** +Support Tool : link, text, attachment, comment, other, hex, anonymised -**Targeting data** +Targeting data : target-user, target-email, target-machine, target-org, target-location, target-external, comment, anonymised Attributes are based on the usage within their different communities. 
Attributes can be extended on a regular basis and this reference document is updated accordingly. @@ -414,7 +416,7 @@ comment is a contextual comment field. comment is represented by a JSON string. comment **MAY** be present. -#### sharing_group_id +#### sharing\_group\_id sharing\_group\_id represents a human-readable identifier referencing a Sharing Group object that defines the distribution of the attribute, if distribution level "4" is set. A human-readable identifier **MUST** be represented as an unsigned integer. 
@@ -517,52 +519,52 @@ type represents the means through which an attribute tries to describe the inten type is represented as a JSON string. type **MUST** be present and it **MUST** be a valid selection for the chosen category. The list of valid category-type combinations is as follows: -**Antivirus detection** +Antivirus detection : link, comment, text, hex, attachment, other, anonymised -**Artifacts dropped** +Artifacts dropped : md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, pdb, stix2-pattern, yara, sigma, attachment, malware-sample, named pipe, mutex, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene, mime-type, anonymised -**Attribution** +Attribution : threat-actor, campaign-name, campaign-id, whois-registrant-phone, whois-registrant-email, whois-registrant-name, whois-registrant-org, whois-registrar, whois-creation-date, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, dns-soa-email, anonymised -**External analysis** +External analysis : md5, sha1, sha256, filename, filename|md5, filename|sha1, filename|sha256, ip-src, ip-dst, ip-dst|port, ip-src|port, mac-address, mac-eui-64, hostname, domain, domain|ip, url, user-agent, regkey, regkey|value, AS, snort, bro, zeek, pattern-in-file, pattern-in-traffic, pattern-in-memory, vulnerability, attachment, malware-sample, link, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, 
github-repository, other, cortex, anonymised -**Financial fraud** +Financial fraud : btc, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, phone-number, comment, text, other, hex, anonymised -**Internal reference** +Internal reference : text, link, comment, other, hex, anonymised -**Network activity** +Network activity : ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email-dst, url, uri, user-agent, http-method, AS, snort, pattern-in-file, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised -**Other** +Other : comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean, anonymised -**Payload delivery** +Payload delivery : md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, whois-registrant-email, anonymised 
-**Payload installation** +Payload installation : md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, stix2-pattern, yara, sigma, vulnerability, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, other, mime-type, anonymised -**Payload type** +Payload type : comment, text, other, anonymised -**Persistence mechanism** +Persistence mechanism : filename, regkey, regkey|value, comment, text, other, hex, anonymised -**Person** +Person : first-name, middle-name, last-name, date-of-birth, place-of-birth, gender, passport-number, passport-country, passport-expiration, redress-number, nationality, visa-number, issue-date-of-the-visa, primary-residence, country-of-residence, special-service-request, frequent-flyer-number, travel-details, payment-details, place-port-of-original-embarkation, place-port-of-clearance, place-port-of-onward-foreign-destination, passenger-name-record-locator-number, comment, text, other, phone-number, identity-card-number, anonymised -**Social network** +Social network : github-username, github-repository, github-organisation, jabber-id, twitter-id, email-src, email-dst, comment, text, other, whois-registrant-email, anonymised -**Support Tool** +Support Tool : link, text, attachment, comment, other, hex, anonymised -**Targeting data** +Targeting data : target-user, target-email, target-machine, target-org, target-location, target-external, comment, anonymised Attributes are based on the usage within their different communities. 
Attributes can be extended on a regular basis and this reference document is updated accordingly. @@ -686,9 +688,10 @@ The schema used is described by the template_uuid and template_version fields. A MISP document containing an Object **MUST** contain a name, a meta-category, a description, a template_uuid and a template_version as described in the "Object Attributes" section. -### Sample Object object +### Sample Object -~~~~~ +{#fig-sample-object} +~~~ "Object": { "id": "588", "name": "file", @@ -729,7 +732,7 @@ A MISP document containing an Object **MUST** contain a name, a meta-category, a "last_seen": null ] } -~~~~~ +~~~ ### Object Attributes @@ -764,19 +767,19 @@ description is a human-readable description of the given object type, as derived description is represented as a JSON string. id **SHALL** be present. -#### template_uuid +#### template\_uuid uuid represents the Universally Unique IDentifier (UUID) [@!RFC4122] of the template used to create the object. The uuid **MUST** be preserved to preserve the object's association with the correct template used for creation. UUID version 4 is **RECOMMENDED** when assigning it to a new object. -#### template_version +#### template\_version template_version represents a numeric incrementing version of the template used to create the object. It is used to associate the object to the correct version of the template and together with the template_uuid forms an association to the correct template type and version. version is represented as a JSON string. version **MUST** be present. -#### event_id +#### event\_id event_id represents the human-readable identifier of the event that the object belongs to on a specific MISP instance. A human-readable identifier **MUST** be represented as an unsigned integer. 
@@ -810,7 +813,7 @@ distribution is represented by a JSON string. distribution **MUST** be present a 4 : Sharing Group -#### sharing_group_id +#### sharing\_group\_id sharing\_group\_id represents a human-readable identifier referencing a Sharing Group object that defines the distribution of the object, if distribution level "4" is set. A human-readable identifier **MUST** be represented as an unsigned integer. @@ -834,13 +837,13 @@ Attribute is an array of attributes that describe the object with data. Each attribute in an object **MUST** contain the parent event's ID in the event_id field and the parent object's ID in the object_id field. -#### first_seen +#### first\_seen first_seen represents a reference time when the object was first seen. first_seen as an ISO 8601 datetime up to the micro-second with time zone support. first_seen is represented as a JSON string. first_seen **MAY** be present. -#### last_seen +#### last\_seen last_seen represents a reference time when the object was last seen. last_seen as an ISO 8601 datetime up to the micro-second with time zone support. @@ -850,9 +853,9 @@ last_seen is represented as a JSON string. last_seen **MAY** be present. Object References serve as a logical link between an Object and another referenced Object or Attribute. The relationship is categorised by an enumerated value from a fixed vocabulary. -The relationship_type is recommended to be taken from the MISP object relationship list [[@?MISP-R]] is **RECOMMENDED** to ensure a coherent naming of the tags +The relationship\_type is recommended to be taken from the MISP object relationship list [[@?MISP-R]] is **RECOMMENDED** to ensure a coherent naming of the tags -All Object References **MUST** contain an object_uuid, a referenced_uuid and a relationship type. +All Object References **MUST** contain an object\_uuid, a referenced\_uuid and a relationship type. ### Sample ObjectReference object 
@@ -936,14 +939,14 @@ deleted represents a setting that allows object references to be revoked. Revoke deleted is represented by a JSON boolean. deleted **MUST** be present. -#### object_uuid +#### object\_uuid -object_uuid represents the Universally Unique IDentifier (UUID) [@!RFC4122] of the object that the given object reference belongs to. The object_uuid **MUST** be preserved +object\_uuid represents the Universally Unique IDentifier (UUID) [@!RFC4122] of the object that the given object reference belongs to. The object\_uuid **MUST** be preserved to preserve the object reference's association with the object. -#### referenced_uuid +#### referenced\_uuid -referenced_uuid represents the Universally Unique IDentifier (UUID) [@!RFC4122] of the object or attribute that is being referenced by the object reference. The referenced_uuid **MUST** be preserved +referenced\_uuid represents the Universally Unique IDentifier (UUID) [@!RFC4122] of the object or attribute that is being referenced by the object reference. The referenced\_uuid **MUST** be preserved to preserve the object reference's association with the object or attribute. ## Tag
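Review bot: the context lines in the publish\_timestamp hunk (`@@ -154`) refer to `published_timestamp` three times ("published_timestamp is expressed in seconds", "If the published_timestamp is present", "the published_timestamp **MUST** be set to 0") while the heading and the other sentences name the field `publish_timestamp`; since the heading is being touched here, rename those three occurrences so the body matches the field it describes.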
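Review bot: the `@@ -307` and `@@ -517` hunks apply the identical de-bolding to two verbatim copies of the same fifteen-entry category/type list (Antivirus detection through Targeting data), and the hunks themselves are byte-for-byte the same. Maintaining the list twice is how the copies drift apart the next time a type is added; consider keeping one list and having the second section reference it. The reason for dropping the `**...**` markers is not recorded in the hunk, so state it (presumably to make the `Term` / `: definition` pairs render as a definition list) in the commit message.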
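Review bot: the `@@ -686` hunk renames "### Sample Object object" to "### Sample Object", adds a `{#fig-sample-object}` anchor and shortens the fence to `~~~`, but only for this one sample; the "### Sample ObjectReference object" heading visible as context in the `@@ -850` hunk keeps the doubled "object" suffix, gets no anchor and presumably keeps its `~~~~~` fence. Apply the same treatment to every sample block or none, otherwise the document ends up with two heading and fence conventions.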
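Review bot: the context of the `@@ -764` hunk carries three body sentences that name the wrong field: "description is represented as a JSON string. id **SHALL** be present." (should be description, and the rest of the document uses **MUST**, not **SHALL**), "uuid represents the Universally Unique IDentifier ... of the template" under the template\_uuid heading, and "version is represented as a JSON string. version **MUST** be present." under template\_version. While the headings are being rewritten, fix the body text to use `description`, `template_uuid` and `template_version` respectively.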
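Review bot: the rewritten line in the `@@ -850` hunk still has two predicates and a mismatched noun: "The relationship\_type is recommended to be taken from the MISP object relationship list [[@?MISP-R]] is **RECOMMENDED** to ensure a coherent naming of the tags". Since the line is already being edited, replace it with a single requirement, e.g. "The relationship\_type **SHOULD** be taken from the MISP object relationship list [@?MISP-R] to ensure coherent naming of relationships." Also check the `[[@?MISP-R]]` double brackets against the `[@!RFC4122]` form used in the `@@ -764` and `@@ -936` hunks; one of the two will render a stray bracket.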
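Review bot: the `@@ -936` hunk (and `@@ -850`) escapes underscores inside body text (`object\_uuid`, `referenced\_uuid`, `relationship\_type`), whereas the `@@ -105` through `@@ -177` hunks escape only the `####` headings and leave `threat_level_id`, `publish_timestamp`, `org_id`, `orgc_id` and `attribute_count` unescaped in the paragraphs beneath them. Pick one convention: if the renderer needs the escape in body text, the earlier hunks miss it; if it does not, the escapes added here are noise in the source.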