From e44742c06c2e7fcd8131fe2e80bedaf86037deaf Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 9 Feb 2018 14:22:39 +0100 Subject: [PATCH] Internet-Draft updated --- misp-core-format/raw.md.txt | 632 +++++++++++++++++++++++------------- 1 file changed, 400 insertions(+), 232 deletions(-) mode change 100644 => 100755 misp-core-format/raw.md.txt diff --git a/misp-core-format/raw.md.txt b/misp-core-format/raw.md.txt old mode 100644 new mode 100755 index c3cca20..0579ad9 --- a/misp-core-format/raw.md.txt +++ b/misp-core-format/raw.md.txt @@ -5,7 +5,7 @@ Network Working Group A. Dulaunoy Internet-Draft A. Iklody Intended status: Informational CIRCL -Expires: March 24, 2018 September 20, 2017 +Expires: August 13, 2018 February 9, 2018 MISP core format @@ -37,11 +37,11 @@ Status of This Memo time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on March 24, 2018. + This Internet-Draft will expire on August 13, 2018. Copyright Notice - Copyright (c) 2017 IETF Trust and the persons identified as the + Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal @@ -53,9 +53,9 @@ Copyright Notice -Dulaunoy & Iklody Expires March 24, 2018 [Page 1] +Dulaunoy & Iklody Expires August 13, 2018 [Page 1] -Internet-Draft MISP core format September 2017 +Internet-Draft MISP core format February 2018 include Simplified BSD License text as described in Section 4.e of 
@@ -80,38 +80,38 @@ Table of Contents 2.5.1. Sample Attribute Object . . . . . . . . . . . . . . . 14 2.5.2. ShadowAttribute Attributes . . . . . . . . . . . . . 15 2.5.3. Org . . . . . . . . . . . . . . . . . . . . . . . . . 20 - 2.6. Object . . . . . . . . . . . . . . . . . . . . . . . . . 20 + 2.6. Object . . . . . . . . . . . . . . . . . . . . . . . . . 21 2.6.1. Sample Object object . . . . . . . . . . . . . . . . 21 - 2.6.2. Object Attributes . . . . . . . . . . . . . . . . . . 21 - 2.7. Object References . . . . . . . . . . . . . . . . . . . . 24 - 2.7.1. Sample ObjectReference object . . . . . . . . . . . . 24 - 2.7.2. ObjectReference Attributes . . . . . . . . . . . . . 25 - 2.8. Tag . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 - 2.8.1. Sample Tag . . . . . . . . . . . . . . . . . . . . . 27 - 2.9. Galaxy . . . . . . . . . . . . . . . . . . . . . . . . . 27 - 2.9.1. Sample Galaxy . . . . . . . . . . . . . . . . . . . . 28 - 3. JSON Schema . . . . . . . . . . . . . . . . . . . . . . . . . 29 - 4. Manifest . . . . . . . . . . . . . . . . . . . . . . . . . . 38 - 4.1. Format . . . . . . . . . . . . . . . . . . . . . . . . . 38 - 4.1.1. Sample Manifest . . . . . . . . . . . . . . . . . . . 39 - 5. Implementation . . . . . . . . . . . . . . . . . . . . . . . 41 - 6. Security Considerations . . . . . . . . . . . . . . . . . . . 41 - 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 41 - 8. Sample MISP file . . . . . . . . . . . . . . . . . . . . . . 41 - 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 41 - 9.1. Normative References . . . . . . . . . . . . . . . . . . 41 - 9.2. Informative References . . . . . . . . . . . . . . . . . 42 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 42 + 2.6.2. Object Attributes . . . . . . . . . . . . . . . . . . 22 + 2.7. Object References . . . . . . . . . . . . . . . . . . . . 25 + 2.7.1. Sample ObjectReference object . . . . . . . . . . . . 25 + 2.7.2. 
ObjectReference Attributes . . . . . . . . . . . . . 26 + 2.8. Tag . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 + 2.8.1. Sample Tag . . . . . . . . . . . . . . . . . . . . . 28 + 2.9. Sighting . . . . . . . . . . . . . . . . . . . . . . . . 28 + 2.9.1. Sample Sighting . . . . . . . . . . . . . . . . . . . 30 + 2.10. Galaxy . . . . . . . . . . . . . . . . . . . . . . . . . 30 + 2.10.1. Sample Galaxy . . . . . . . . . . . . . . . . . . . 30 + 3. JSON Schema . . . . . . . . . . . . . . . . . . . . . . . . . 32 + 4. Manifest . . . . . . . . . . . . . . . . . . . . . . . . . . 41 + 4.1. Format . . . . . . . . . . . . . . . . . . . . . . . . . 41 + 4.1.1. Sample Manifest . . . . . . . . . . . . . . . . . . . 42 + 5. Implementation . . . . . . . . . . . . . . . . . . . . . . . 44 + 6. Security Considerations . . . . . . . . . . . . . . . . . . . 44 + 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 44 + 8. Sample MISP file . . . . . . . . . . . . . . . . . . . . . . 44 + 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 44 + 9.1. Normative References . . . . . . . . . . . . . . . . . . 44 + 9.2. Informative References . . . . . . . . . . . . . . . . . 45 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 45 - - -Dulaunoy & Iklody Expires March 24, 2018 [Page 2] +Dulaunoy & Iklody Expires August 13, 2018 [Page 2] -Internet-Draft MISP core format September 2017 +Internet-Draft MISP core format February 2018 1. Introduction @@ -140,7 +140,7 @@ Internet-Draft MISP core format September 2017 event is composed of a single JSON object. A capitalized key (like Event, Org) represent a data model and a non- - capitalized key is just an attribute. This nomenclature can support + capitalised key is just an attribute. This nomenclature can support an implementation to represent the MISP format in another data structure. 
@@ -165,9 +165,9 @@ Internet-Draft MISP core format September 2017 -Dulaunoy & Iklody Expires March 24, 2018 [Page 3] +Dulaunoy & Iklody Expires August 13, 2018 [Page 3] -Internet-Draft MISP core format September 2017 +Internet-Draft MISP core format February 2018 2.2.1.2. id @@ -221,9 +221,9 @@ Internet-Draft MISP core format September 2017 -Dulaunoy & Iklody Expires March 24, 2018 [Page 4] +Dulaunoy & Iklody Expires August 13, 2018 [Page 4] -Internet-Draft MISP core format September 2017 +Internet-Draft MISP core format February 2018 2.2.1.6. analysis @@ -277,15 +277,15 @@ Internet-Draft MISP core format September 2017 -Dulaunoy & Iklody Expires March 24, 2018 [Page 5] +Dulaunoy & Iklody Expires August 13, 2018 [Page 5] -Internet-Draft MISP core format September 2017 +Internet-Draft MISP core format February 2018 2.2.1.10. org_id org_id represents a human-readable identifier referencing an Org - object of the organization which generated the event. + object of the organisation which generated the event. The org_id MUST be updated when the event is generated by a new instance. @@ -295,7 +295,7 @@ Internet-Draft MISP core format September 2017 2.2.1.11. orgc_id orgc_id represents a human-readable identifier referencing an Orgc - object of the organization which created the event. + object of the organisation which created the event. The orgc_id and Orc object MUST be preserved for any updates or transfer of the same event. @@ -333,9 +333,9 @@ Internet-Draft MISP core format September 2017 -Dulaunoy & Iklody Expires March 24, 2018 [Page 6] +Dulaunoy & Iklody Expires August 13, 2018 [Page 6] -Internet-Draft MISP core format September 2017 +Internet-Draft MISP core format February 2018 4 
@@ -358,10 +358,10 @@ Internet-Draft MISP core format September 2017 An Org object is composed of an uuid, name and id. The uuid represents the Universally Unique IDentifier (UUID) - [RFC4122] of the organization. The organization UUID is globally - assigned to an organization and SHALL be kept overtime. + [RFC4122] of the organisation. The organisation UUID is globally + assigned to an organisation and SHALL be kept overtime. - The name is a readable description of the organization and SHOULD be + The name is a readable description of the organisation and SHOULD be present. The id is a human-readable identifier generated by the instance and used as reference in the event. @@ -382,19 +382,19 @@ Internet-Draft MISP core format September 2017 The uuid MUST be preserved for any updates or transfer of the same event. UUID version 4 is RECOMMENDED when assigning it to a new - event. The organization UUID is globally assigned to an organization + event. The organisation UUID is globally assigned to an organisation and SHALL be kept overtime. -Dulaunoy & Iklody Expires March 24, 2018 [Page 7] +Dulaunoy & Iklody Expires August 13, 2018 [Page 7] -Internet-Draft MISP core format September 2017 +Internet-Draft MISP core format February 2018 - The name is a readable description of the organization and SHOULD be + The name is a readable description of the organisation and SHOULD be present. The id is a human-readable identifier generated by the instance and used as reference in the event. @@ -445,9 +445,9 @@ Internet-Draft MISP core format September 2017 -Dulaunoy & Iklody Expires March 24, 2018 [Page 8] +Dulaunoy & Iklody Expires August 13, 2018 [Page 8] -Internet-Draft MISP core format September 2017 +Internet-Draft MISP core format February 2018 2.4.2.2. id 
@@ -487,31 +487,33 @@ Internet-Draft MISP core format September 2017 filename|pehash, ip-src, ip-dst, hostname, domain, email-src, email-dst, email-subject, email-attachment, url, user-agent, AS, pattern-in-file, pattern-in-traffic, yara, attachment, malware- - sample, link, malware-type, comment, text, vulnerability, x509- - fingerprint-sha1, other, ip-dst|port, ip-src|port, hostname|port, - email-dst-display-name, email-src-display-name, email-header, - email-reply-to, email-x-mailer, email-mime-boundary, email-thread- - index, email-message-id, mobile-application-id + sample, link, malware-type, mime-type, comment, text, + vulnerability, x509-fingerprint-sha1, other, ip-dst|port, ip- + src|port, hostname|port, email-dst-display-name, email-src- + display-name, email-header, email-reply-to, email-x-mailer, email- + mime-boundary, email-thread-index, email-message-id, mobile- + application-id Artifacts dropped md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, - filename|sha512, filename|sha512/224, filename|sha512/256, -Dulaunoy & Iklody Expires March 24, 2018 [Page 9] +Dulaunoy & Iklody Expires August 13, 2018 [Page 9] -Internet-Draft MISP core format September 2017 +Internet-Draft MISP core format February 2018 + filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, pdb, yara, - sigma, attachment, malware-sample, named pipe, mutex, windows- - scheduled-task, windows-service-name, windows-service-displayname, - comment, text, hex, x509-fingerprint-sha1, other + sigma, stix2-pattern, gene, attachment, malware-sample, mime-type, + named pipe, mutex, windows-scheduled-task, windows-service-name, + windows-service-displayname, comment, text, hex, 
x509-fingerprint- + sha1, other Payload installation md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, @@ -520,9 +522,10 @@ Internet-Draft MISP core format September 2017 filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|pehash, pattern-in-file, - pattern-in-traffic, pattern-in-memory, yara, vulnerability, - attachment, malware-sample, malware-type, comment, text, hex, - x509-fingerprint-sha1, mobile-application-id, other + mime-type, pattern-in-traffic, pattern-in-memory, yara, + stix2-pattern, vulnerability, attachment, malware-sample, malware- + type, comment, text, hex, x509-fingerprint-sha1, mobile- + application-id, other Persistence mechanism filename, regkey, regkey|value, comment, text, other, text @@ -530,8 +533,8 @@ Internet-Draft MISP core format September 2017 Network activity ip-src, ip-dst, hostname, domain, domain|ip, email-dst, url, uri, user-agent, http-method, AS, snort, pattern-in-file, pattern-in- - traffic, attachment, comment, text, x509-fingerprint-sha1, other, - hex, cookie + traffic, stix2-pattern, attachment, comment, text, x509- + fingerprint-sha1, other, hex, cookie Payload type comment, text, other @@ -550,18 +553,19 @@ Internet-Draft MISP core format September 2017 github-repository, other Financial fraud + + + + +Dulaunoy & Iklody Expires August 13, 2018 [Page 10] + +Internet-Draft MISP core format February 2018 + + btc, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, phone-number, comment, text, other, hex Support tool - - - -Dulaunoy & Iklody Expires March 24, 2018 [Page 10] - -Internet-Draft MISP core format September 2017 - - attachment, link, comment, text, other, hex Social network 
@@ -576,7 +580,7 @@ Internet-Draft MISP core format September 2017 frequent-flyer-number, travel-details, payment-details, place- port-of-original-embarkation, place-port-of-clearance, place-port- of-onward-foreign-destination, passenger-name-record-locator- - number, comment, text, other, phone-number + number, comment, text, other, phone-number, identity-card-number Other comment, text, other, size-in-bytes, counter, datetime, cpe, port, @@ -605,19 +609,20 @@ Internet-Draft MISP core format September 2017 to_ids is represented as a JSON boolean. to_ids MUST be present. + + + + +Dulaunoy & Iklody Expires August 13, 2018 [Page 11] + +Internet-Draft MISP core format February 2018 + + 2.4.2.6. event_id event_id represents a human-readable identifier referencing the Event object that the attribute belongs to. - - - -Dulaunoy & Iklody Expires March 24, 2018 [Page 11] - -Internet-Draft MISP core format September 2017 - - The event_id SHOULD be updated when the event is imported to reflect the newly created event's id on the instance. @@ -658,22 +663,23 @@ Internet-Draft MISP core format September 2017 timestamp is represented as a JSON string. timestamp MUST be present. + + + + + + +Dulaunoy & Iklody Expires August 13, 2018 [Page 12] + +Internet-Draft MISP core format February 2018 + + 2.4.2.9. comment comment is a contextual comment field. comment is represented by a JSON string. comment MAY be present. - - - - - -Dulaunoy & Iklody Expires March 24, 2018 [Page 12] - -Internet-Draft MISP core format September 2017 - - 2.4.2.10. sharing_group_id sharing_group_id represents a human-readable identifier referencing a @@ -713,6 +719,17 @@ Internet-Draft MISP core format September 2017 RelatedAttribute MAY be present. + + + + + + +Dulaunoy & Iklody Expires August 13, 2018 [Page 13] + +Internet-Draft MISP core format February 2018 + + 2.4.2.14. ShadowAttribute ShadowAttribute is an array of shadow attributes that serve as 
@@ -722,14 +739,6 @@ Internet-Draft MISP core format September 2017 accepted, the original attribute containing the shadow attribute is removed and the shadow attribute is converted into an attribute. - - - -Dulaunoy & Iklody Expires March 24, 2018 [Page 13] - -Internet-Draft MISP core format September 2017 - - Each shadow attribute that references an attribute MUST contain the containing attribute's ID in the old_id field and the event's ID in the event_id field. @@ -755,6 +764,28 @@ Internet-Draft MISP core format September 2017 2.5.1. Sample Attribute Object + + + + + + + + + + + + + + + + + +Dulaunoy & Iklody Expires August 13, 2018 [Page 14] + +Internet-Draft MISP core format February 2018 + + "ShadowAttribute": { "id": "8", "type": "ip-src", @@ -776,16 +807,6 @@ Internet-Draft MISP core format September 2017 } } - - - - - -Dulaunoy & Iklody Expires March 24, 2018 [Page 14] - -Internet-Draft MISP core format September 2017 - - 2.5.2. ShadowAttribute Attributes 2.5.2.1. uuid @@ -814,6 +835,13 @@ Internet-Draft MISP core format September 2017 MUST be a valid selection for the chosen category. The list of valid category-type combinations is as follows: + + +Dulaunoy & Iklody Expires August 13, 2018 [Page 15] + +Internet-Draft MISP core format February 2018 + + Internal reference text, link, comment, other, hex 
@@ -834,19 +862,12 @@ Internet-Draft MISP core format September 2017 filename|pehash, ip-src, ip-dst, hostname, domain, email-src, email-dst, email-subject, email-attachment, url, user-agent, AS, pattern-in-file, pattern-in-traffic, yara, attachment, malware- - - - -Dulaunoy & Iklody Expires March 24, 2018 [Page 15] - -Internet-Draft MISP core format September 2017 - - - sample, link, malware-type, comment, text, vulnerability, x509- - fingerprint-sha1, other, ip-dst|port, ip-src|port, hostname|port, - email-dst-display-name, email-src-display-name, email-header, - email-reply-to, email-x-mailer, email-mime-boundary, email-thread- - index, email-message-id, mobile-application-id + sample, link, malware-type, mime-type, comment, text, + vulnerability, x509-fingerprint-sha1, other, ip-dst|port, ip- + src|port, hostname|port, email-dst-display-name, email-src- + display-name, email-header, email-reply-to, email-x-mailer, email- + mime-boundary, email-thread-index, email-message-id, mobile- + application-id Artifacts dropped md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, @@ -856,9 +877,10 @@ Internet-Draft MISP core format September 2017 filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, pdb, yara, - sigma, attachment, malware-sample, named pipe, mutex, windows- - scheduled-task, windows-service-name, windows-service-displayname, - comment, text, hex, x509-fingerprint-sha1, other + sigma, gene, stix2-pattern, attachment, malware-sample, mime-type, + named pipe, mutex, windows-scheduled-task, windows-service-name, + windows-service-displayname, comment, text, hex, x509-fingerprint- + sha1, other Payload installation md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, 
@@ -866,10 +888,19 @@ Internet-Draft MISP core format September 2017 filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, - filename|tlsh, filename|imphash, filename|pehash, pattern-in-file, - pattern-in-traffic, pattern-in-memory, yara, vulnerability, - attachment, malware-sample, malware-type, comment, text, hex, - x509-fingerprint-sha1, mobile-application-id, other + filename|tlsh, filename|imphash, filename|pehash, mime-type, + pattern-in-file, pattern-in-traffic, pattern-in-memory, yara, + + + +Dulaunoy & Iklody Expires August 13, 2018 [Page 16] + +Internet-Draft MISP core format February 2018 + + + stix2-pattern, vulnerability, attachment, malware-sample, malware- + type, comment, text, hex, x509-fingerprint-sha1, mobile- + application-id, other Persistence mechanism filename, regkey, regkey|value, comment, text, other, text 
@@ -877,27 +908,19 @@ Internet-Draft MISP core format September 2017 Network activity ip-src, ip-dst, hostname, domain, domain|ip, email-dst, url, uri, user-agent, http-method, AS, snort, pattern-in-file, pattern-in- - traffic, attachment, comment, text, x509-fingerprint-sha1, other, - hex, cookie + traffic, stix2-pattern, attachment, comment, text, x509- + fingerprint-sha1, other, hex, cookie Payload type comment, text, other Attribution threat-actor, campaign-name, campaign-id, whois-registrant-phone, - whois-registrant-email, whois-registrant-name, whois-registrar, - whois-creation-date, comment, text, x509-fingerprint-sha1, other + whois-registrant-email, whois-registrant-name, whois-registrant- + org, whois-registrar, whois-creation-date, comment, text, x509- + fingerprint-sha1, other External analysis - - - - -Dulaunoy & Iklody Expires March 24, 2018 [Page 16] - -Internet-Draft MISP core format September 2017 - - md5, sha1, sha256, filename, filename|md5, filename|sha1, filename|sha256, ip-src, ip-dst, hostname, domain, domain|ip, url, user-agent, regkey, regkey|value, AS, snort, pattern-in-file, @@ -923,8 +946,16 @@ Internet-Draft MISP core format September 2017 primary-residence, country-of-residence, special-service-request, frequent-flyer-number, travel-details, payment-details, place- port-of-original-embarkation, place-port-of-clearance, place-port- + + + +Dulaunoy & Iklody Expires August 13, 2018 [Page 17] + +Internet-Draft MISP core format February 2018 + + of-onward-foreign-destination, passenger-name-record-locator- - number, comment, text, other, phone-number + number, comment, text, other, phone-number, identity-card-number Other comment, text, other, size-in-bytes, counter, datetime, cpe, port, 
@@ -944,16 +975,6 @@ Internet-Draft MISP core format September 2017 and it MUST be a valid selection for the chosen type. The list of valid category-type combinations is mentioned above. - - - - - -Dulaunoy & Iklody Expires March 24, 2018 [Page 17] - -Internet-Draft MISP core format September 2017 - - 2.5.2.5. to_ids to_ids represents whether the Attribute to be created if the @@ -980,6 +1001,15 @@ Internet-Draft MISP core format September 2017 Attribute object that the ShadowAttribute belongs to. A ShadowAttribute can this way target an existing Attribute, implying that it is a proposal to modify an existing Attribute, or + + + + +Dulaunoy & Iklody Expires August 13, 2018 [Page 18] + +Internet-Draft MISP core format February 2018 + + alternatively it can be a proposal to create a new Attribute for the containing Event. @@ -998,18 +1028,6 @@ Internet-Draft MISP core format September 2017 timestamp is represented as a JSON string. timestamp MUST be present. - - - - - - - -Dulaunoy & Iklody Expires March 24, 2018 [Page 18] - -Internet-Draft MISP core format September 2017 - - 2.5.2.9. comment comment is a contextual comment field. @@ -1039,6 +1057,15 @@ Internet-Draft MISP core format September 2017 proposal_to_delete is a JSON boolean and it MUST be present. If proposal_to_delete is set to true, old_id MUST NOT be 0. + + + + +Dulaunoy & Iklody Expires August 13, 2018 [Page 19] + +Internet-Draft MISP core format February 2018 + + 2.5.2.12. deleted deleted represents a setting that allows shadow attributes to be @@ -1057,15 +1084,6 @@ Internet-Draft MISP core format September 2017 data is represented by a JSON string in base64 encoding. data MUST be set for shadow attributes of type malware-sample and attachment. - - - - -Dulaunoy & Iklody Expires March 24, 2018 [Page 19] - -Internet-Draft MISP core format September 2017 - - 2.5.3. Org An Org object is composed of an uuid, name and id. 
@@ -1096,6 +1114,14 @@ Internet-Draft MISP core format September 2017 value is represented by a JSON string. value MUST be present. + + + +Dulaunoy & Iklody Expires August 13, 2018 [Page 20] + +Internet-Draft MISP core format February 2018 + + 2.6. Object Objects serve as a contextual bond between a list of attributes @@ -1112,18 +1138,46 @@ Internet-Draft MISP core format September 2017 category, a description, a template_uuid and a template_version as described in the "Object Attributes" section. - - - - - -Dulaunoy & Iklody Expires March 24, 2018 [Page 20] - -Internet-Draft MISP core format September 2017 - - 2.6.1. Sample Object object + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Dulaunoy & Iklody Expires August 13, 2018 [Page 21] + +Internet-Draft MISP core format February 2018 + + "Object": { "id": "588", "name": "file", @@ -1173,9 +1227,11 @@ Internet-Draft MISP core format September 2017 -Dulaunoy & Iklody Expires March 24, 2018 [Page 21] + + +Dulaunoy & Iklody Expires August 13, 2018 [Page 22] -Internet-Draft MISP core format September 2017 +Internet-Draft MISP core format February 2018 2.6.2.2. id @@ -1229,9 +1285,9 @@ Internet-Draft MISP core format September 2017 -Dulaunoy & Iklody Expires March 24, 2018 [Page 22] +Dulaunoy & Iklody Expires August 13, 2018 [Page 23] -Internet-Draft MISP core format September 2017 +Internet-Draft MISP core format February 2018 2.6.2.8. event_id @@ -1285,9 +1341,9 @@ Internet-Draft MISP core format September 2017 -Dulaunoy & Iklody Expires March 24, 2018 [Page 23] +Dulaunoy & Iklody Expires August 13, 2018 [Page 24] -Internet-Draft MISP core format September 2017 +Internet-Draft MISP core format February 2018 2.6.2.12. comment 
@@ -1341,9 +1397,9 @@ Internet-Draft MISP core format September 2017 -Dulaunoy & Iklody Expires March 24, 2018 [Page 24] +Dulaunoy & Iklody Expires August 13, 2018 [Page 25] -Internet-Draft MISP core format September 2017 +Internet-Draft MISP core format February 2018 "ObjectReference": { @@ -1397,9 +1453,9 @@ Internet-Draft MISP core format September 2017 -Dulaunoy & Iklody Expires March 24, 2018 [Page 25] +Dulaunoy & Iklody Expires August 13, 2018 [Page 26] -Internet-Draft MISP core format September 2017 +Internet-Draft MISP core format February 2018 2.7.2.5. event_id @@ -1453,9 +1509,9 @@ Internet-Draft MISP core format September 2017 -Dulaunoy & Iklody Expires March 24, 2018 [Page 26] +Dulaunoy & Iklody Expires August 13, 2018 [Page 27] -Internet-Draft MISP core format September 2017 +Internet-Draft MISP core format February 2018 2.7.2.11. object_uuid 
@@ -1499,23 +1555,133 @@ Internet-Draft MISP core format September 2017 "name": "tlp:white", "id": "2" }] -2.9. Galaxy +2.9. Sighting + + A sighting is an ascertainment which describes whether an attribute + has been seen under a given set of conditions. The sighting can + include the organisation who sighted the attribute or can be + anonymised. Sighting is composed of a JSON array in which each + + + + +Dulaunoy & Iklody Expires August 13, 2018 [Page 28] + +Internet-Draft MISP core format February 2018 + + + element describes one singular instance of a sighting. A sighting + element is a JSON object composed of the following values: + + type MUST be present. type describes the type of a sighting. MISP + allows 3 default types: + + +------------+------------------------------------------------------+ + | Sighting | Description | + | type | | + +------------+------------------------------------------------------+ + | 0 | denotes an attribute which has been seen | + | 1 | denotes an attribute which has been seen and | + | | confirmed as false-positive | + | 2 | denotes an attribute which will be expired at the | + | | time of the sighting | + +------------+------------------------------------------------------+ + + uuid MUST be present. uuid references the uuid of the sighted + attribute. + + date_sighting MUST be present. date_sighting is expressed in seconds + (decimal) elapsed since 1st of January 1970 (Unix timestamp). + date_sighting represents when the referenced attribute, designated by + its uuid, is sighted. + + source MAY be present. source is represented as a JSON string and + represents the human-readable version of the sighting source, which + can be a given piece of software (e.g. SIEM), device or a specific + analytical process. + + id, event_id and attribute_id MAY be present. + + id represents the human-readable identifier of the sighting reference + which belongs to a specific MISP instance. 
event_id represents the + human-readable identifier of the event referenced by the sighting and + belongs to a specific MISP instance. attribute_id represents the + human-readable identifier of the attribute referenced by the sighting + and belongs to a specific MISP instance. + + org_id MAY be present along the JSON object describing the + organisation. If the org_id is not present, the sighting is + considered as anonymised. + + org_id represents the human-readable identifier of the organisation + which did the sighting and belongs to a specific MISP instance. + + + + + + +Dulaunoy & Iklody Expires August 13, 2018 [Page 29] + +Internet-Draft MISP core format February 2018 + + +2.9.1. Sample Sighting + +"Sighting": [ + { + "id": "13599", + "attribute_id": "1201615", + "event_id": "10164", + "org_id": "2", + "date_sighting": "1517581400", + "uuid": "5a747459-41b4-4826-9b29-42dd950d210f", + "source": "M2M-CIRCL", + "type": "0", + "Organisation": { + "id": "2", + "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", + "name": "CIRCL" + } + }, + { + "id": "13601", + "attribute_id": "1201615", + "event_id": "10164", + "org_id": "2", + "date_sighting": "1517581401", + "uuid": "5a74745a-a190-4d04-b719-4916950d210f", + "source": "M2M-CIRCL", + "type": "0", + "Organisation": { + "id": "2", + "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", + "name": "CIRCL" + } + } + ] + +2.10. Galaxy A galaxy is a simple method to express a large object called cluster that can be attached to MISP events. A cluster can be composed of one or more elements. Elements are expressed as key-values. +2.10.1. Sample Galaxy -Dulaunoy & Iklody Expires March 24, 2018 [Page 27] + + + + + +Dulaunoy & Iklody Expires August 13, 2018 [Page 30] -Internet-Draft MISP core format September 2017 +Internet-Draft MISP core format February 2018 -2.9.1. Sample Galaxy - "Galaxy": [ { "id": "18", "uuid": "698774c7-8022-42c4-917f-8d6e4f06ada3", 
@@ -1565,9 +1731,11 @@ Internet-Draft MISP core format September 2017 -Dulaunoy & Iklody Expires March 24, 2018 [Page 28] + + +Dulaunoy & Iklody Expires August 13, 2018 [Page 31] -Internet-Draft MISP core format September 2017 +Internet-Draft MISP core format February 2018 3. JSON Schema @@ -1621,9 +1789,9 @@ Internet-Draft MISP core format September 2017 -Dulaunoy & Iklody Expires March 24, 2018 [Page 29] +Dulaunoy & Iklody Expires August 13, 2018 [Page 32] -Internet-Draft MISP core format September 2017 +Internet-Draft MISP core format February 2018 "type": "object", @@ -1677,9 +1845,9 @@ Internet-Draft MISP core format September 2017 -Dulaunoy & Iklody Expires March 24, 2018 [Page 30] +Dulaunoy & Iklody Expires August 13, 2018 [Page 33] -Internet-Draft MISP core format September 2017 +Internet-Draft MISP core format February 2018 "items": { @@ -1733,9 +1901,9 @@ Internet-Draft MISP core format September 2017 -Dulaunoy & Iklody Expires March 24, 2018 [Page 31] +Dulaunoy & Iklody Expires August 13, 2018 [Page 34] -Internet-Draft MISP core format September 2017 +Internet-Draft MISP core format February 2018 "type": "string" @@ -1789,9 +1957,9 @@ Internet-Draft MISP core format September 2017 -Dulaunoy & Iklody Expires March 24, 2018 [Page 32] +Dulaunoy & Iklody Expires August 13, 2018 [Page 35] -Internet-Draft MISP core format September 2017 +Internet-Draft MISP core format February 2018 "type": "string" @@ -1845,9 +2013,9 @@ Internet-Draft MISP core format September 2017 -Dulaunoy & Iklody Expires March 24, 2018 [Page 33] +Dulaunoy & Iklody Expires August 13, 2018 [Page 36] -Internet-Draft MISP core format September 2017 +Internet-Draft MISP core format February 2018 "properties": { @@ -1901,9 +2069,9 @@ Internet-Draft MISP core format September 2017 -Dulaunoy & Iklody Expires March 24, 2018 [Page 34] +Dulaunoy & Iklody Expires August 13, 2018 [Page 37] -Internet-Draft MISP core format September 2017 +Internet-Draft MISP core format February 2018 }, 
@@ -1957,9 +2125,9 @@ Internet-Draft MISP core format September 2017 -Dulaunoy & Iklody Expires March 24, 2018 [Page 35] +Dulaunoy & Iklody Expires August 13, 2018 [Page 38] -Internet-Draft MISP core format September 2017 +Internet-Draft MISP core format February 2018 } @@ -2013,9 +2181,9 @@ Internet-Draft MISP core format September 2017 -Dulaunoy & Iklody Expires March 24, 2018 [Page 36] +Dulaunoy & Iklody Expires August 13, 2018 [Page 39] -Internet-Draft MISP core format September 2017 +Internet-Draft MISP core format February 2018 "description": { @@ -2069,9 +2237,9 @@ Internet-Draft MISP core format September 2017 -Dulaunoy & Iklody Expires March 24, 2018 [Page 37] +Dulaunoy & Iklody Expires August 13, 2018 [Page 40] -Internet-Draft MISP core format September 2017 +Internet-Draft MISP core format February 2018 } @@ -2125,9 +2293,9 @@ Internet-Draft MISP core format September 2017 -Dulaunoy & Iklody Expires March 24, 2018 [Page 38] +Dulaunoy & Iklody Expires August 13, 2018 [Page 41] -Internet-Draft MISP core format September 2017 +Internet-Draft MISP core format February 2018 o timestamp (MUST) @@ -2181,9 +2349,9 @@ Internet-Draft MISP core format September 2017 -Dulaunoy & Iklody Expires March 24, 2018 [Page 39] +Dulaunoy & Iklody Expires August 13, 2018 [Page 42] -Internet-Draft MISP core format September 2017 +Internet-Draft MISP core format February 2018 { @@ -2237,9 +2405,9 @@ Internet-Draft MISP core format September 2017 -Dulaunoy & Iklody Expires March 24, 2018 [Page 40] +Dulaunoy & Iklody Expires August 13, 2018 [Page 43] -Internet-Draft MISP core format September 2017 +Internet-Draft MISP core format February 2018 5. Implementation 
@@ -2293,9 +2461,9 @@ Internet-Draft MISP core format September 2017 -Dulaunoy & Iklody Expires March 24, 2018 [Page 41] +Dulaunoy & Iklody Expires August 13, 2018 [Page 44] -Internet-Draft MISP core format September 2017 +Internet-Draft MISP core format February 2018 [RFC4880] Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R. @@ -2349,4 +2517,4 @@ Authors' Addresses -Dulaunoy & Iklody Expires March 24, 2018 [Page 42] +Dulaunoy & Iklody Expires August 13, 2018 [Page 45]
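Review bot: the file header carries a mode change 100644 => 100755 on misp-core-format/raw.md.txt, which makes a rendered text copy of the draft executable and looks unintentional for a content-only update; revert the mode bit before merging (for example `git update-index --chmod=-x misp-core-format/raw.md.txt`) so the commit contains only the draft text changes.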
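Review bot: in hunk @@ -295,7 +295,7 @@ the context line "The orgc_id and Orc object MUST be preserved" still names a non-existent "Orc" object; since this hunk already rewrites the neighbouring sentence, fix it to "Orgc object" in the same change so the requirement references the data model defined elsewhere in the draft.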
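Review bot: hunk @@ -358,10 +358,10 @@ rewrites the lines "The organisation UUID is globally assigned to an organisation and SHALL be kept overtime" but keeps "overtime" (working beyond normal hours) where "over time" is meant; the same wording recurs in the rewritten line of hunk @@ -382,19 +382,19 @@, and the untouched context "composed of an uuid" should read "a uuid". Correct both while the lines are being touched.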
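Review bot: the "Artifacts dropped" list added in hunk @@ -487,31 +487,33 @@ orders the new types as "sigma, stix2-pattern, gene, attachment" while the same list for ShadowAttribute in hunk @@ -856,9 +877,10 @@ reads "sigma, gene, stix2-pattern, attachment"; the two category-type tables are meant to be identical, so the copies should be kept in sync (ideally generated from one source) rather than edited by hand. The entry "named pipe" is also the only type containing a space; confirm that this is the literal type string an implementation must match, or hyphenate it like the surrounding types.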
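Review bot: the context line "Persistence mechanism filename, regkey, regkey|value, comment, text, other, text" in hunk @@ -520,9 +522,10 @@ (and again in hunk @@ -866,10 +888,19 @@) lists "text" twice; drop the trailing duplicate so a validator built from this table does not carry a redundant entry.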
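Review bot: in the new Sighting section (hunk @@ -1499,23 +1555,133 @@) the prose "uuid references the uuid of the sighted attribute" contradicts the sample, where both sightings reference the same attribute_id 1201615 yet carry different uuid values (5a747459-... and 5a74745a-...), so uuid evidently identifies the sighting itself; state which it is, and if it is the sighting's own identifier, say how the sighted attribute is referenced across instances (attribute_id alone is instance-local per the same section). The section also says type has values 0, 1, 2 and date_sighting is "expressed in seconds (decimal)", but the sample encodes both as JSON strings ("type": "0", "date_sighting": "1517581400"); give the JSON representation explicitly, as the Attribute section does for timestamp and to_ids. The embedded organisation object is keyed "Organisation" in the sample while the rest of the draft uses Org and Orgc; document the key name, and since an absent org_id means an anonymised sighting, state whether an instance MUST strip org_id and the Organisation object when it re-shares a sighting it wants anonymised. Minor: "MAY be present along the JSON object" should read "along with the JSON object".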