diff --git a/misp-taxonomy-format/raw.md b/misp-taxonomy-format/raw.md
index 99d45a6..f421b57 100644
--- a/misp-taxonomy-format/raw.md
+++ b/misp-taxonomy-format/raw.md
@@ -50,7 +50,7 @@ Sharing threat information became a fundamental requirements in the Internet, se
 information can include indicators of compromise, malicious file indicators, financial fraud indicators or even detailed information about a threat actor. While sharing such indicators or information, classification plays an important role to ensure adequate distribution, understanding, validation or action of the shared information. MISP taxonomies is a public repository
-of public and known vocabularies that can be used in threat information sharing.
+of known vocabularies that can be used in threat information sharing.
 ## Conventions and Terminology 
@@ -64,6 +64,251 @@ document are to be interpreted as described in RFC 2119 [@!RFC2119].
 The MISP taxonomy format is in the JSON [@!RFC4627] format.
+# Directory
+
+The MISP taxonomies directory is publicly available [@?MISP-T] in a git repository. The repository
+contains a directory per namespace then a file machinetag.json which contains the taxonomy as
+described in the format above. In the root of the repository, a MANIFEST.json exists containing
+a list of all the taxonomies.
+
+The MANIFEST.json file is composed of an JSON object with metadata like version, license, description, url and path.
+A taxonomies array describes the taxonomy available with the description, name and version field.
+
+## Sample Manifest
+~~~~
+{
+ "version": "20161009",
+ "license": "CC-0",
+ "description": "Manifest file of MISP taxonomies available.",
+ "url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/master/",
+ "path": "machinetag.json",
+ "taxonomies": [
+ {
+ "description": "The Admiralty Scale (also called the NATO System)
+ is used to rank the reliability of a source and
+ the credibility of an information.",
+ "name": "admiralty-scale",
+ "version": 1
+ },
+ {
+ "description": "Open Source Intelligence - Classification.",
+ "name": "osint",
+ "version": 2
+ }]
+}
+~~~~
+
+# Sample
+
+## Admiralty Scale Taxonomy
+
+~~~~
+ "namespace": "admiralty-scale",
+ "description": "The Admiralty Scale (also called the NATO System)
+ is used to rank the reliability of a source and
+ the credibility of an information.",
+ "version": 1,
+ "predicates": [
+ {
+ "value": "source-reliability",
+ "expanded": "Source Reliability"
+ },
+ {
+ "value": "information-credibility",
+ "expanded": "Information Credibility"
+ }
+ ],
+ "values": [
+ {
+ "predicate": "source-reliability",
+ "entry": [
+ {
+ "value": "a",
+ "expanded": "Completely reliable"
+ },
+ {
+ "value": "b",
+ "expanded": "Usually reliable"
+ },
+ {
+ "value": "c",
+ "expanded": "Fairly reliable"
+ },
+ {
+ "value": "d",
+ "expanded": "Not usually reliable"
+ },
+ {
+ "value": "e",
+ "expanded": "Unreliable"
+ },
+ {
+ "value": "f",
+ "expanded": "Reliability cannot be judged"
+ }
+ ]
+ },
+ {
+ "predicate": "information-credibility",
+ "entry": [
+ {
+ "value": "1",
+ "expanded": "Confirmed by other sources"
+ },
+ {
+ "value": "2",
+ "expanded": "Probably true"
+ },
+ {
+ "value": "3",
+ "expanded": "Possibly true"
+ },
+ {
+ "value": "4",
+ "expanded": "Doubtful"
+ },
+ {
+ "value": "5",
+ "expanded": "Improbable"
+ },
+ {
+ "value": "6",
+ "expanded": "Truth cannot be judged"
+ }
+ ]
+ }
+ ]
+}
+~~~~
+
+## Open Source Intelligence - Classification
+
+~~~~
+{
+ "values": [
+ {
+ "entry": [
+ {
+ "expanded": "Blog post",
+ "value": "blog-post"
+ },
+ {
+ "expanded": "Technical or analysis report",
+ "value": "technical-report"
+ },
+ {
+ "expanded": "News report",
+ "value": "news-report"
+ },
+ {
+ "expanded": "Pastie-like website",
+ "value": "pastie-website"
+ },
+ {
+ "expanded": "Electronic forum",
+ "value": "electronic-forum"
+ },
+ {
+ "expanded": "Mailing-list",
+ "value": "mailing-list"
+ },
+ {
+ "expanded": "Block or Filter List",
+ "value": "block-or-filter-list"
+ },
+ {
+ "expanded": "Expansion",
+ "value": "expansion"
+ }
+ ],
+ "predicate": "source-type"
+ },
+ {
+ "predicate": "lifetime",
+ "entry": [
+ {
+ "value": "perpetual",
+ "expanded": "Perpetual",
+ "description": "Information available publicly on long-term"
+ },
+ {
+ "value": "ephemeral",
+ "expanded": "Ephemeral",
+ "description": "Information available publicly on short-term"
+ }
+ ]
+ },
+ {
+ "predicate": "certainty",
+ "entry": [
+ {
+ "numerical_value": 100,
+ "value": "100",
+ "expanded": "100% Certainty",
+ "description": "100% Certainty"
+ },
+ {
+ "numerical_value": 93,
+ "value": "93",
+ "expanded": "93% Almost certain",
+ "description": "93% Almost certain"
+ },
+ {
+ "numerical_value": 75,
+ "value": "75",
+ "expanded": "75% Probable",
+ "description": "75% Probable"
+ },
+ {
+ "numerical_value": 50,
+ "value": "50",
+ "expanded": "50% Chances about even",
+ "description": "50% Chances about even"
+ },
+ {
+ "numerical_value": 30,
+ "value": "30",
+ "expanded": "30% Probably not",
+ "description": "30% Probably not"
+ },
+ {
+ "numerical_value": 7,
+ "value": "7",
+ "expanded": "7% Almost certainly not",
+ "description": "7% Almost certainly not"
+ },
+ {
+ "numerical_value": 0,
+ "value": "0",
+ "expanded": "0% Impossibility",
+ "description": "0% Impossibility"
+ }
+ ]
+ }
+ ],
+ "namespace": "osint",
+ "description": "Open Source Intelligence - Classification",
+ "version": 3,
+ "predicates": [
+ {
+ "value": "source-type",
+ "expanded": "Source Type"
+ },
+ {
+ "value": "lifetime",
+ "expanded": "Lifetime of the information
+ as Open Source Intelligence"
+ },
+ {
+ "value": "certainty",
+ "expanded": "Certainty of the elements mentioned
+ in this Open Source Intelligence"
+ }
+ ]
+}
+
+~~~~
+
 # Acknowledgements
 The authors wish to thank all the MISP community to support the creation