From e2e78f5fc29d858897d04743568c157ee4f5049f Mon Sep 17 00:00:00 2001 From: mokaddem Date: Thu, 20 Jun 2019 09:36:37 +0200 Subject: [PATCH 1/4] chg: Added first_seen/last_seen sections --- misp-core-format/raw.md | 52 +++++++++++++++++++++++++++++++++++++---- 1 file changed, 48 insertions(+), 4 deletions(-) diff --git a/misp-core-format/raw.md b/misp-core-format/raw.md index c2efc68..975e8cb 100755 --- a/misp-core-format/raw.md +++ b/misp-core-format/raw.md @@ -279,7 +279,9 @@ A MISP document **MUST** at least includes category-type-value triplet described "value": "Hello world", "SharingGroup": [], "ShadowAttribute": [], - "RelatedAttribute": [] + "RelatedAttribute": [], + "first_seen": null, + "last_seen": null } ~~~~ @@ -450,6 +452,18 @@ value represents the payload of an attribute. The format of the value is depende value is represented by a JSON string. value **MUST** be present. +#### first_seen + +first_seen represents a reference time when the attribute was first seen. first_seen is expressed in micro-seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone **MUST** be UTC. + +first_seen is represented as a JSON string. first_seen **SHALL** be present. + +#### last_seen + +last_seen represents a reference time when the attribute was last seen. last_seen is expressed in micro-seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone **MUST** be UTC. + +last_seen is represented as a JSON string. last_seen **SHALL** be present. + ## ShadowAttribute ShadowAttributes are 3rd party created attributes that either propose to add new information to an event or modify existing information. They are not meant to be actionable until the event creator accepts them - at which point they will be converted into attributes or modify an existing attribute. 
@@ -477,7 +491,9 @@ They are similar in structure to Attributes but additionally carry a reference t "id": "1", "name": "MISP", "uuid": "568cce5a-0c80-412b-8fdf-1ffac0a83869" - } + }, + "first_seen": null, + "last_seen": null } ~~~~ @@ -620,6 +636,18 @@ the sample **MUST** be encrypted using a password protected zip archive, with th data is represented by a JSON string in base64 encoding. data **MUST** be set for shadow attributes of type malware-sample and attachment. +#### first_seen + +first_seen represents a reference time when the attribute was first seen. first_seen is expressed in micro-seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone **MUST** be UTC. + +first_seen is represented as a JSON string. first_seen **SHALL** be present. + +#### last_seen + +last_seen represents a reference time when the attribute was last seen. last_seen is expressed in micro-seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone **MUST** be UTC. + +last_seen is represented as a JSON string. last_seen **SHALL** be present. + ### Org An Org object is composed of an uuid, name and id. @@ -693,8 +721,12 @@ A MISP document containing an Object **MUST** contain a name, a meta-category, a "object_id": "588", "object_relation": "filename", "value": "StarCraft.exe", - "ShadowAttribute": [] - } + "ShadowAttribute": [], + "first_seen": null, + "last_seen": null + }, + "first_seen": null, + "last_seen": null ] } ~~~~~ 
@@ -802,6 +834,18 @@ Attribute is an array of attributes that describe the object with data. Each attribute in an object **MUST** contain the parent event's ID in the event_id field and the parent object's ID in the object_id field. +#### first_seen + +first_seen represents a reference time when the object was first seen. first_seen is expressed in micro-seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone **MUST** be UTC. + +first_seen is represented as a JSON string. first_seen **SHALL** be present. + +#### last_seen + +last_seen represents a reference time when the object was last seen. last_seen is expressed in micro-seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone **MUST** be UTC. + +last_seen is represented as a JSON string. last_seen **SHALL** be present. + ## Object References Object References serve as a logical link between an Object and another referenced Object or Attribute. The relationship is categorised by an enumerated value from a fixed vocabulary. From cd6174e3acd4263f579187395bda2ab0243f292e Mon Sep 17 00:00:00 2001 From: mokaddem Date: Mon, 24 Jun 2019 10:42:19 +0200 Subject: [PATCH 2/4] chg: precision and example about the ISO 8601 datetime for fs/ls --- misp-core-format/raw.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/misp-core-format/raw.md b/misp-core-format/raw.md index 975e8cb..6c2afb3 100755 --- a/misp-core-format/raw.md +++ b/misp-core-format/raw.md @@ -280,7 +280,7 @@ A MISP document **MUST** at least includes category-type-value triplet described "SharingGroup": [], "ShadowAttribute": [], "RelatedAttribute": [], - "first_seen": null, + "first_seen": "2019-06-02T22:14:28.711954+00:00", "last_seen": null } ~~~~ 
@@ -454,13 +454,13 @@ value is represented by a JSON string. value **MUST** be present. #### first_seen -first_seen represents a reference time when the attribute was first seen. first_seen is expressed in micro-seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone **MUST** be UTC. +first_seen represents a reference time when the attribute was first seen. first_seen is expressed as an ISO 8601 datetime up to the micro-second and supporting time zone. first_seen is represented as a JSON string. first_seen **SHALL** be present. #### last_seen -last_seen represents a reference time when the attribute was last seen. last_seen is expressed in micro-seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone **MUST** be UTC. +last_seen represents a reference time when the attribute was last seen. last_seen is expressed as an ISO 8601 datetime up to the micro-second and supporting time zone. last_seen is represented as a JSON string. last_seen **SHALL** be present. @@ -492,7 +492,7 @@ They are similar in structure to Attributes but additionally carry a reference t "name": "MISP", "uuid": "568cce5a-0c80-412b-8fdf-1ffac0a83869" }, - "first_seen": null, + "first_seen": "2019-06-02T22:14:28.711954+00:00", "last_seen": null } ~~~~ 
@@ -638,13 +638,13 @@ data is represented by a JSON string in base64 encoding. data **MUST** be set fo #### first_seen -first_seen represents a reference time when the attribute was first seen. first_seen is expressed in micro-seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone **MUST** be UTC. +first_seen represents a reference time when the attribute was first seen. first_seen as an ISO 8601 datetime up to the micro-second and supporting time zone. first_seen is represented as a JSON string. first_seen **SHALL** be present. #### last_seen -last_seen represents a reference time when the attribute was last seen. last_seen is expressed in micro-seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone **MUST** be UTC. +last_seen represents a reference time when the attribute was last seen. last_seen as an ISO 8601 datetime up to the micro-second and supporting time zone. last_seen is represented as a JSON string. last_seen **SHALL** be present. @@ -725,7 +725,7 @@ A MISP document containing an Object **MUST** contain a name, a meta-category, a "first_seen": null, "last_seen": null }, - "first_seen": null, + "first_seen": "2019-06-02T22:14:28.711954+00:00", "last_seen": null ] } 
@@ -836,13 +836,13 @@ Each attribute in an object **MUST** contain the parent event's ID in the event_ #### first_seen -first_seen represents a reference time when the object was first seen. first_seen is expressed in micro-seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone **MUST** be UTC. +first_seen represents a reference time when the object was first seen. first_seen as an ISO 8601 datetime up to the micro-second and supporting time zone. first_seen is represented as a JSON string. first_seen **SHALL** be present. #### last_seen -last_seen represents a reference time when the object was last seen. last_seen is expressed in micro-seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone **MUST** be UTC. +last_seen represents a reference time when the object was last seen. last_seen as an ISO 8601 datetime up to the micro-second and supporting time zone. last_seen is represented as a JSON string. last_seen **SHALL** be present. From b46942e0a23ad6387f97e4f95f92329cd4f01d98 Mon Sep 17 00:00:00 2001 From: mokaddem Date: Mon, 24 Jun 2019 16:05:11 +0200 Subject: [PATCH 3/4] chg: *-seen rephrasing --- misp-core-format/raw.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/misp-core-format/raw.md b/misp-core-format/raw.md index 6c2afb3..42bee80 100755 --- a/misp-core-format/raw.md +++ b/misp-core-format/raw.md 
@@ -454,15 +454,15 @@ value is represented by a JSON string. value **MUST** be present. #### first_seen -first_seen represents a reference time when the attribute was first seen. first_seen is expressed as an ISO 8601 datetime up to the micro-second and supporting time zone. +first_seen represents a reference time when the attribute was first seen. first_seen is expressed as an ISO 8601 datetime up to the micro-second with time zone support. -first_seen is represented as a JSON string. first_seen **SHALL** be present. +first_seen is represented as a JSON string. first_seen **MAY** be present. #### last_seen -last_seen represents a reference time when the attribute was last seen. last_seen is expressed as an ISO 8601 datetime up to the micro-second and supporting time zone. +last_seen represents a reference time when the attribute was last seen. last_seen is expressed as an ISO 8601 datetime up to the micro-second with time zone support. -last_seen is represented as a JSON string. last_seen **SHALL** be present. +last_seen is represented as a JSON string. last_seen **MAY** be present. ## ShadowAttribute 
@@ -638,15 +638,15 @@ data is represented by a JSON string in base64 encoding. data **MUST** be set fo #### first_seen -first_seen represents a reference time when the attribute was first seen. first_seen as an ISO 8601 datetime up to the micro-second and supporting time zone. +first_seen represents a reference time when the attribute was first seen. first_seen as an ISO 8601 datetime up to the micro-second with time zone support. -first_seen is represented as a JSON string. first_seen **SHALL** be present. +first_seen is represented as a JSON string. first_seen **MAY** be present. #### last_seen -last_seen represents a reference time when the attribute was last seen. last_seen as an ISO 8601 datetime up to the micro-second and supporting time zone. +last_seen represents a reference time when the attribute was last seen. last_seen as an ISO 8601 datetime up to the micro-second with time zone support. -last_seen is represented as a JSON string. last_seen **SHALL** be present. +last_seen is represented as a JSON string. last_seen **MAY** be present. ### Org @@ -838,13 +838,13 @@ Each attribute in an object **MUST** contain the parent event's ID in the event_ first_seen represents a reference time when the object was first seen. first_seen as an ISO 8601 datetime up to the micro-second and supporting time zone. -first_seen is represented as a JSON string. first_seen **SHALL** be present. +first_seen is represented as a JSON string. first_seen **MAY** be present. #### last_seen last_seen represents a reference time when the object was last seen. last_seen as an ISO 8601 datetime up to the micro-second and supporting time zone. -last_seen is represented as a JSON string. last_seen **SHALL** be present. +last_seen is represented as a JSON string. last_seen **MAY** be present. ## Object References From 60d1b1dad82c53d96be32c6ab220d10d8ae69649 Mon Sep 17 00:00:00 2001 
From: mokaddem Date: Mon, 24 Jun 2019 16:06:39 +0200 Subject: [PATCH 4/4] chg: *-seen rephrasing 2 --- misp-core-format/raw.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/misp-core-format/raw.md b/misp-core-format/raw.md index 42bee80..6c4f268 100755 --- a/misp-core-format/raw.md +++ b/misp-core-format/raw.md @@ -836,13 +836,13 @@ Each attribute in an object **MUST** contain the parent event's ID in the event_ #### first_seen -first_seen represents a reference time when the object was first seen. first_seen as an ISO 8601 datetime up to the micro-second and supporting time zone. +first_seen represents a reference time when the object was first seen. first_seen as an ISO 8601 datetime up to the micro-second with time zone support. first_seen is represented as a JSON string. first_seen **MAY** be present. #### last_seen -last_seen represents a reference time when the object was last seen. last_seen as an ISO 8601 datetime up to the micro-second and supporting time zone. +last_seen represents a reference time when the object was last seen. last_seen as an ISO 8601 datetime up to the micro-second with time zone support. last_seen is represented as a JSON string. last_seen **MAY** be present.
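
Review bot: In the Object example hunk of patch 1/4 (`@@ -693,8 +721,12 @@`), the object-level `"first_seen": null, "last_seen": null` pair is added after the attribute's closing `},` but before the `]`, so the two keys sit inside the `Attribute` array and the sample is no longer valid JSON. Move them after the `]` so they are members of the Object itself. Patch 2/4 edits the same line in `@@ -725,7 +725,7 @@` and keeps that position, so the correction needs to be carried through there as well.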
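
Review bot: The new sections in patch 1/4 (`@@ -450,6 +452,18 @@`, `@@ -620,6 +636,18 @@`, `@@ -802,6 +834,18 @@`) state that first_seen and last_seen are "represented as a JSON string" and "**SHALL** be present", yet every example added in the same patch sets them to `null`, which is not a JSON string. Say explicitly whether `null` is an accepted value for "unknown" or whether the key is to be omitted in that case. Patch 3/4 relaxes the keyword to **MAY**, but the examples still carry `"last_seen": null`, so a consumer that validates the type strictly has no rule to follow.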
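
Review bot: In patch 2/4, hunk `@@ -454,13 +454,13 @@`, the removed sentence "The time zone **MUST** be UTC" is replaced by "supporting time zone" with no normative keyword, so the text no longer says whether a UTC offset is required in the value. State whether the offset **MUST** be present, as it is in the example `"2019-06-02T22:14:28.711954+00:00"`, and how a value without one is to be interpreted; otherwise two producers can emit the same string for different instants and a consumer cannot order first_seen against last_seen reliably. The same wording is repeated in the ShadowAttribute and Object sections.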
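
Review bot: In patch 2/4, hunks `@@ -638,13 +638,13 @@` and `@@ -836,13 +836,13 @@`, the replacement sentences read "first_seen as an ISO 8601 datetime ..." and "last_seen as an ISO 8601 datetime ...", with the verb missing; the Attribute section in the same patch has "is expressed as". Restore "is expressed" in both sections. Patches 3/4 and 4/4 touch these sentences again and keep the omission.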
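
Review bot: The subject of patch 3/4, "chg: *-seen rephrasing", hides a normative change: each hunk also turns "**SHALL** be present" into "**MAY** be present", which changes what a conforming document has to contain. Name that change in the commit message, or split it into its own commit, so it can be found in the history of the format. In the same patch, hunk `@@ -838,13 +838,13 @@` leaves "and supporting time zone" unchanged in the Object section and patch 4/4 exists only to fix that, so 4/4 can be squashed into 3/4.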