MISP
/
misp-rfc
mirror of https://github.com/MISP/misp-rfc
2
0
Fork 0
Code Issues Releases Wiki Activity

Some minor corrections

pull/8/head
Andras Iklody 2018-02-09 14:04:36 +01:00 committed by GitHub
parent adfab9e436
commit fd55d7dea7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 20 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
misp-core-format/raw.md
View File

@ -66,7 +66,7 @@ document are to be interpreted as described in RFC 2119 [@!RFC2119].
The MISP core format is in the JSON [@!RFC4627] format. In MISP, an event is composed of a single JSON object.
A capitalized key (like Event, Org) represent a data model and a non-capitalized key is just an attribute. This nomenclature
A capitalized key (like Event, Org) represent a data model and a non-capitalised key is just an attribute. This nomenclature
can support an implementation to represent the MISP format in another data structure.
## Event
@ -161,7 +161,7 @@ publish_timestamp is represented as a JSON string. publish_timestamp **MUST** be
#### org_id
org_id represents a human-readable identifier referencing an Org object of the organization which generated the event.
org_id represents a human-readable identifier referencing an Org object of the organisation which generated the event.
The org_id **MUST** be updated when the event is generated by a new instance.
@ -169,7 +169,7 @@ org_id is represented as a JSON string. org_id **MUST** be present.
#### orgc_id
orgc_id represents a human-readable identifier referencing an Orgc object of the organization which created the event.
orgc_id represents a human-readable identifier referencing an Orgc object of the organisation which created the event.
The orgc_id and Orc object **MUST** be preserved for any updates or transfer of the same event.
@ -215,10 +215,10 @@ sharing\_group\_id is represented by a JSON string and **SHOULD** be present. If
An Org object is composed of an uuid, name and id.
The uuid represents the Universally Unique IDentifier (UUID) [@!RFC4122] of the organization.
The organization UUID is globally assigned to an organization and **SHALL** be kept overtime.
The uuid represents the Universally Unique IDentifier (UUID) [@!RFC4122] of the organisation.
The organisation UUID is globally assigned to an organisation and **SHALL** be kept overtime.
The name is a readable description of the organization and **SHOULD** be present.
The name is a readable description of the organisation and **SHOULD** be present.
The id is a human-readable identifier generated by the instance and used as reference in the event.
uuid, name and id are represented as a JSON string. uuid, name and id **MUST** be present.
@ -238,9 +238,9 @@ uuid, name and id are represented as a JSON string. uuid, name and id **MUST** b
An Orgc object is composed of an uuid, name and id.
The uuid **MUST** be preserved for any updates or transfer of the same event. UUID version 4 is **RECOMMENDED** when assigning it to a new event.
The organization UUID is globally assigned to an organization and **SHALL** be kept overtime.
The organisation UUID is globally assigned to an organisation and **SHALL** be kept overtime.
The name is a readable description of the organization and **SHOULD** be present.
The name is a readable description of the organisation and **SHOULD** be present.
The id is a human-readable identifier generated by the instance and used as reference in the event.
uuid, name and id are represented as a JSON string. uuid, name and id **MUST** be present.
@ -905,23 +905,22 @@ name **MUST** be present. colour, id and exportable **SHALL** be present.
## Sighting
A sighting is an ascertainment which describes if an attribute has been seen under a specific set of conditions. The sighting can include the organisation who sighted the attribute or can
be anonymized without revealing the organisation. Sighting is composed of a JSON array where each element describes one sighting. A sighting element is a JSON object composed of the following values.
A sighting is an ascertainment which describes whether an attribute has been seen under a given set of conditions. The sighting can include the organisation who sighted the attribute or can
be anonymised. Sighting is composed of a JSON array in which each element describes one singular instance of a sighting. A sighting element is a JSON object composed of the following values:
type **MUST** be present. type describes the type of a sighting. MISP allows 3 default types:
type **MUST** be present. type describes the type of sighting. MISP allows 3 default types:
| Sighting type | Description |
|---------------|:-------------------------------------------------------------------------:|
| 0 | denotes an attribute which has been seen |
| 1 | denotes an attribute which has been seen and confirmed as false-positive |
| 2 | denotes an attribute which will be expired at the time of the sighting |
| Sighting type | Description |
|---------------|:----------------------------------------------------------------------:|
| 0 | denotes an attribute which has been seen |
| 1 | denotes an attribute which has been seen as false-positive |
| 2 | denotes an attribute which will be expired at the time of the sighting |
uuid **MUST** be present. uuid references the uuid of the sighted attribute.
uuid **MUST** be present. uuid references the attribute uuid sighted.
date_sighting **MUST** be present. date_sighting is expressed in seconds (decimal) elapsed since 1st of January 1970 (Unix timestamp). date_sighting represents when the referenced attribute, designated by its uuid, is sighted.
date_sighting **MUST** be present. date_sighting is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). date_sighting represents when the reference attribute uuid is sighted.
source **MAY** be present. source is represented as a JSON string. source represents the human-readable of the sighting source which can be a software (e.g. SIEM), tool or even a specific analyst process.
source **MAY** be present. source is represented as a JSON string and represents the human-readable version of the sighting source, which can be a given piece of software (e.g. SIEM), device or a specific analytical process.
id, event_id and attribute_id **MAY** be present.
@ -929,7 +928,7 @@ id represents the human-readable identifier of the sighting reference which belo
event_id represents the human-readable identifier of the event referenced by the sighting and belongs to a specific MISP instance.
attribute_id represents the human-readable identifier of the attribute referenced by the sighting and belongs to a specific MISP instance.
org_id **MAY** be present along the JSON object describing the organisation. If the org_id is not present, the sighted is considered as anonymized.
org_id **MAY** be present along the JSON object describing the organisation. If the org_id is not present, the sighting is considered as anonymised.
org_id represents the human-readable identifier of the organisation which did the sighting and belongs to a specific MISP instance.