mirror of https://github.com/MISP/misp-rfc
chg: Added first_seen/last_seen sections
parent
0d37c82b42
commit
e2e78f5fc2
|
@ -279,7 +279,9 @@ A MISP document **MUST** at least includes category-type-value triplet described
|
|||
"value": "Hello world",
|
||||
"SharingGroup": [],
|
||||
"ShadowAttribute": [],
|
||||
"RelatedAttribute": []
|
||||
"RelatedAttribute": [],
|
||||
"first_seen": null,
|
||||
"last_seen": null
|
||||
}
|
||||
~~~~
|
||||
|
||||
|
@ -450,6 +452,18 @@ value represents the payload of an attribute. The format of the value is depende
|
|||
|
||||
value is represented by a JSON string. value **MUST** be present.
|
||||
|
||||
#### first_seen
|
||||
|
||||
first_seen represents a reference time when the attribute was first seen. first_seen is expressed in micro-seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone **MUST** be UTC.
|
||||
|
||||
first_seen is represented as a JSON string. first_seen **SHALL** be present.
|
||||
|
||||
#### last_seen
|
||||
|
||||
last_seen represents a reference time when the attribute was last seen. last_seen is expressed in micro-seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone **MUST** be UTC.
|
||||
|
||||
last_seen is represented as a JSON string. last_seen **SHALL** be present.
|
||||
|
||||
## ShadowAttribute
|
||||
|
||||
ShadowAttributes are 3rd party created attributes that either propose to add new information to an event or modify existing information. They are not meant to be actionable until the event creator accepts them - at which point they will be converted into attributes or modify an existing attribute.
|
||||
|
@ -477,7 +491,9 @@ They are similar in structure to Attributes but additionally carry a reference t
|
|||
"id": "1",
|
||||
"name": "MISP",
|
||||
"uuid": "568cce5a-0c80-412b-8fdf-1ffac0a83869"
|
||||
}
|
||||
},
|
||||
"first_seen": null,
|
||||
"last_seen": null
|
||||
}
|
||||
~~~~
|
||||
|
||||
|
@ -620,6 +636,18 @@ the sample **MUST** be encrypted using a password protected zip archive, with th
|
|||
|
||||
data is represented by a JSON string in base64 encoding. data **MUST** be set for shadow attributes of type malware-sample and attachment.
|
||||
|
||||
#### first_seen
|
||||
|
||||
first_seen represents a reference time when the attribute was first seen. first_seen is expressed in micro-seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone **MUST** be UTC.
|
||||
|
||||
first_seen is represented as a JSON string. first_seen **SHALL** be present.
|
||||
|
||||
#### last_seen
|
||||
|
||||
last_seen represents a reference time when the attribute was last seen. last_seen is expressed in micro-seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone **MUST** be UTC.
|
||||
|
||||
last_seen is represented as a JSON string. last_seen **SHALL** be present.
|
||||
|
||||
### Org
|
||||
|
||||
An Org object is composed of an uuid, name and id.
|
||||
|
@ -693,8 +721,12 @@ A MISP document containing an Object **MUST** contain a name, a meta-category, a
|
|||
"object_id": "588",
|
||||
"object_relation": "filename",
|
||||
"value": "StarCraft.exe",
|
||||
"ShadowAttribute": []
|
||||
}
|
||||
"ShadowAttribute": [],
|
||||
"first_seen": null,
|
||||
"last_seen": null
|
||||
},
|
||||
"first_seen": null,
|
||||
"last_seen": null
|
||||
]
|
||||
}
|
||||
~~~~~
|
||||
|
@ -802,6 +834,18 @@ Attribute is an array of attributes that describe the object with data.
|
|||
|
||||
Each attribute in an object **MUST** contain the parent event's ID in the event_id field and the parent object's ID in the object_id field.
|
||||
|
||||
#### first_seen
|
||||
|
||||
first_seen represents a reference time when the object was first seen. first_seen is expressed in micro-seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone **MUST** be UTC.
|
||||
|
||||
first_seen is represented as a JSON string. first_seen **SHALL** be present.
|
||||
|
||||
#### last_seen
|
||||
|
||||
last_seen represents a reference time when the object was last seen. last_seen is expressed in micro-seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone **MUST** be UTC.
|
||||
|
||||
last_seen is represented as a JSON string. last_seen **SHALL** be present.
|
||||
|
||||
## Object References
|
||||
|
||||
Object References serve as a logical link between an Object and another referenced Object or Attribute. The relationship is categorised by an enumerated value from a fixed vocabulary.
|
||||
|
|
Loading…
Reference in New Issue