From 4f4880e7bff963ed01816d10baba61b507ac13c5 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Mon, 10 Sep 2018 13:01:52 +0200 Subject: [PATCH 1/4] Fix galaxy rfc --- misp-galaxy-format/raw.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/misp-galaxy-format/raw.md b/misp-galaxy-format/raw.md index 2cf9307..be68991 100644 --- a/misp-galaxy-format/raw.md +++ b/misp-galaxy-format/raw.md @@ -94,9 +94,7 @@ The uuid represents the Universally Unique IDentifier (UUID) [@!RFC4122] of the Meta contains a list of custom defined JSON key value pairs. Users **SHOULD** reuse commonly used keys such as properties, complexity, effectiveness, country, possible_issues, colour, motive, impact, refs, synonyms, derivated_from, status, date, encryption, extensions, ransomnotes, cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-category wherever applicable. -properties is used to provide clusters with additional properties. Properties are represented as an array containing one or more strings ans **MAY** be present. - -derivated_from, refs, synonyms **SHALL** be used to give further informations. refs is represented as an array containing one or more strings and **SHALL** be present. synonyms is represented as an array containing one or more strings and **SHALL** be present. derivated_from is represented as an array containing one or more strings and **SHALL** be present. +refs, synonyms **SHALL** be used to give further informations. refs is represented as an array containing one or more strings and **SHALL** be present. synonyms is represented as an array containing one or more strings and **SHALL** be present. date, status **MAY** be used to give time information about an cluster. date is represented as a string describing a time or period and **SHALL** be present. status is represented as a string describing the current status of the clusters. It **MAY** also describe a time or period and **SHALL** be present. 
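Review bot: the unchanged context line at the top of this hunk still lists properties and derivated_from among the keys users **SHOULD** reuse, while the hunk deletes the only paragraphs that define them, so after this patch alone the document recommends two keys it no longer specifies. Remove both names from that list in this same commit (the change currently sits in PATCH 2/4 under the same subject line), and state in the commit message why the keys are dropped. The added line also keeps "further informations"; "further information" is the correct form.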
From 280c95569bf06a388db5dd80344f482c5eb3768c Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Mon, 10 Sep 2018 13:02:36 +0200 Subject: [PATCH 2/4] Fix galaxy rfc --- misp-galaxy-format/raw.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/misp-galaxy-format/raw.md b/misp-galaxy-format/raw.md index be68991..d666854 100644 --- a/misp-galaxy-format/raw.md +++ b/misp-galaxy-format/raw.md @@ -92,7 +92,7 @@ The uuid represents the Universally Unique IDentifier (UUID) [@!RFC4122] of the ## meta -Meta contains a list of custom defined JSON key value pairs. Users **SHOULD** reuse commonly used keys such as properties, complexity, effectiveness, country, possible_issues, colour, motive, impact, refs, synonyms, derivated_from, status, date, encryption, extensions, ransomnotes, cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-category wherever applicable. +Meta contains a list of custom defined JSON key value pairs. Users **SHOULD** reuse commonly used keys such as complexity, effectiveness, country, possible_issues, colour, motive, impact, refs, synonyms, status, date, encryption, extensions, ransomnotes, cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-category wherever applicable. refs, synonyms **SHALL** be used to give further informations. refs is represented as an array containing one or more strings and **SHALL** be present. synonyms is represented as an array containing one or more strings and **SHALL** be present. From 8746fe294d7868ba28fbaf16b1610eddd0a42ab8 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Thu, 20 Sep 2018 15:10:24 +0200 Subject: [PATCH 3/4] update cfr-type-of-incident type --- misp-galaxy-format/raw.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/misp-galaxy-format/raw.md b/misp-galaxy-format/raw.md index 32a74a8..b193e20 100644 --- a/misp-galaxy-format/raw.md +++ b/misp-galaxy-format/raw.md 
@@ -203,7 +203,7 @@ Example use of the source-uuid, target-uuid fields in the mitre-enterprise-attac } ~~~~ -cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident and cfr-target-category **MAY** be used to report information gathered from CFR's (Council on Foreign Relations) [@?CFR] Cyber Operations Tracker. cfr-suspected-victims is represented as an array containing one or more strings and **SHALL** be present. cfr-suspected-state-sponsor is represented as a string and **SHALL** be present. cfr-type-of-incident is represented as a string and **SHALL** be present. cfr-target-category is represented as an array containing one or more strings ans **SHALL** be present. +cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident and cfr-target-category **MAY** be used to report information gathered from CFR's (Council on Foreign Relations) [@?CFR] Cyber Operations Tracker. cfr-suspected-victims is represented as an array containing one or more strings and **SHALL** be present. cfr-suspected-state-sponsor is represented as a string and **SHALL** be present. cfr-type-of-incident is represented as a string or an array and **SHALL** be present. cfr-target-category is represented as an array containing one or more strings ans **SHALL** be present. Example use of the cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-category fields in the threat-actor galaxy: ~~~~ From fe0cb0e883660e9ec9216e33d7380deec8801317 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Fri, 21 Sep 2018 15:54:57 +0200 Subject: [PATCH 4/4] add possible values for some field in galaxies --- misp-galaxy-format/raw.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/misp-galaxy-format/raw.md b/misp-galaxy-format/raw.md index b193e20..d19640a 100644 --- a/misp-galaxy-format/raw.md +++ b/misp-galaxy-format/raw.md 
@@ -203,9 +203,15 @@ Example use of the source-uuid, target-uuid fields in the mitre-enterprise-attac } ~~~~ -cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident and cfr-target-category **MAY** be used to report information gathered from CFR's (Council on Foreign Relations) [@?CFR] Cyber Operations Tracker. cfr-suspected-victims is represented as an array containing one or more strings and **SHALL** be present. cfr-suspected-state-sponsor is represented as a string and **SHALL** be present. cfr-type-of-incident is represented as a string or an array and **SHALL** be present. cfr-target-category is represented as an array containing one or more strings ans **SHALL** be present. +cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident and cfr-target-category **MAY** be used to report information gathered from CFR's (Council on Foreign Relations) [@?CFR] Cyber Operations Tracker. cfr-suspected-victims is represented as an array containing one or more strings and **SHALL** be present. cfr-suspected-state-sponsor is represented as a string and **SHALL** be present. cfr-type-of-incident is represented as a string or an array and **SHALL** be present. **RECOMMENDED** but not exhaustive list of possible values for cfr-type-of-incident includes "Espionage", "Denial of service", "Sabotage". cfr-target-category is represented as an array containing one or more strings ans **SHALL** be present. **RECOMMENDED** but not exhaustive list of possible values for cfr-target-category includes "Private sector", "Government", "Civil society", "Military". Example use of the cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-category fields in the threat-actor galaxy: + + + + + + ~~~~ { "meta": {
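Review bot: in PATCH 2/4 the subject "Fix galaxy rfc" is identical to PATCH 1/4 and does not say that properties and derivated_from are being removed from the meta key list, which is the entire content of the hunk. Squash it into 1/4 or give it a subject that names the two keys. Since meta is described on the same line as a list of custom defined key value pairs, it would also help to say whether clusters that already carry these keys remain acceptable.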
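Review bot: in PATCH 3/4 the new wording "cfr-type-of-incident is represented as a string or an array" leaves the array's element type and minimum length unspecified, unlike the neighbouring fields, which all read "an array containing one or more strings". Suggest "a string or an array containing one or more strings", and consider whether both forms are really needed, since every consumer then has to accept and normalise two shapes for the same key. The typo "strings ans" in the cfr-target-category sentence sits on the same rewritten line and could be fixed here.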
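Review bot: in PATCH 4/4 the two added sentences that begin "**RECOMMENDED** but not exhaustive list of possible values for ..." attach the keyword to a list instead of to something a producer does, so it is unclear what is being recommended. Phrase each as a requirement, for example "It is **RECOMMENDED** to use values such as "Espionage", "Denial of service", "Sabotage"; the list is not exhaustive." The hunk also adds six empty lines between "Example use of ..." and the ~~~~ fence, which look accidental and should be dropped, and "strings ans" is still present on the added line.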