mirror of https://github.com/MISP/misp-rfc
Some minor corrections
parent adfab9e436
commit fd55d7dea7
|
@ -66,7 +66,7 @@ document are to be interpreted as described in RFC 2119 [@!RFC2119].
|
||||||
|
|
||||||
The MISP core format is in the JSON [@!RFC4627] format. In MISP, an event is composed of a single JSON object.
|
The MISP core format is in the JSON [@!RFC4627] format. In MISP, an event is composed of a single JSON object.
|
||||||
|
|
||||||
A capitalized key (like Event, Org) represent a data model and a non-capitalized key is just an attribute. This nomenclature
|
A capitalized key (like Event, Org) represent a data model and a non-capitalised key is just an attribute. This nomenclature
|
||||||
can support an implementation to represent the MISP format in another data structure.
|
can support an implementation to represent the MISP format in another data structure.
|
||||||
|
|
||||||
## Event
|
## Event
|
||||||
|
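Review bot: The edited sentence now mixes two spellings and still has a subject-verb agreement error: it reads "A capitalized key (like Event, Org) represent a data model and a non-capitalised key is just an attribute". Since the line is being touched anyway, suggest "A capitalised key (like Event, Org) represents a data model and a non-capitalised key is just an attribute", which matches the organisation/anonymised spelling this commit adopts in the other hunks.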
@ -161,7 +161,7 @@ publish_timestamp is represented as a JSON string. publish_timestamp **MUST** be
|
||||||
|
|
||||||
#### org_id
|
#### org_id
|
||||||
|
|
||||||
org_id represents a human-readable identifier referencing an Org object of the organization which generated the event.
|
org_id represents a human-readable identifier referencing an Org object of the organisation which generated the event.
|
||||||
|
|
||||||
The org_id **MUST** be updated when the event is generated by a new instance.
|
The org_id **MUST** be updated when the event is generated by a new instance.
|
||||||
|
|
||||||
|
@ -169,7 +169,7 @@ org_id is represented as a JSON string. org_id **MUST** be present.
|
||||||
|
|
||||||
#### orgc_id
|
#### orgc_id
|
||||||
|
|
||||||
orgc_id represents a human-readable identifier referencing an Orgc object of the organization which created the event.
|
orgc_id represents a human-readable identifier referencing an Orgc object of the organisation which created the event.
|
||||||
|
|
||||||
The orgc_id and Orc object **MUST** be preserved for any updates or transfer of the same event.
|
The orgc_id and Orc object **MUST** be preserved for any updates or transfer of the same event.
|
||||||
|
|
||||||
|
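Review bot: The unchanged MUST sentence directly after the edited line refers to an "Orc object", while the heading and the preceding line are about orgc_id and the Orgc object. A normative requirement that names an object under a different spelling is easy for an implementer to misread, so suggest fixing it in this same pass: "The orgc_id and Orgc object **MUST** be preserved for any updates or transfer of the same event."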
@ -215,10 +215,10 @@ sharing\_group\_id is represented by a JSON string and **SHOULD** be present. If
|
||||||
|
|
||||||
An Org object is composed of an uuid, name and id.
|
An Org object is composed of an uuid, name and id.
|
||||||
|
|
||||||
The uuid represents the Universally Unique IDentifier (UUID) [@!RFC4122] of the organization.
|
The uuid represents the Universally Unique IDentifier (UUID) [@!RFC4122] of the organisation.
|
||||||
The organization UUID is globally assigned to an organization and **SHALL** be kept overtime.
|
The organisation UUID is globally assigned to an organisation and **SHALL** be kept overtime.
|
||||||
|
|
||||||
The name is a readable description of the organization and **SHOULD** be present.
|
The name is a readable description of the organisation and **SHOULD** be present.
|
||||||
The id is a human-readable identifier generated by the instance and used as reference in the event.
|
The id is a human-readable identifier generated by the instance and used as reference in the event.
|
||||||
|
|
||||||
uuid, name and id are represented as a JSON string. uuid, name and id **MUST** be present.
|
uuid, name and id are represented as a JSON string. uuid, name and id **MUST** be present.
|
||||||
|
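Review bot: The rewritten line keeps "**SHALL** be kept overtime"; "overtime" as one word means extra working hours, whereas the requirement reads as the UUID staying stable as time passes. Suggest "**SHALL** be kept over time" on the changed line, and "a uuid" instead of "an uuid" in the first context line of the hunk while this paragraph is open.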
@ -238,9 +238,9 @@ uuid, name and id are represented as a JSON string. uuid, name and id **MUST** b
|
||||||
An Orgc object is composed of an uuid, name and id.
|
An Orgc object is composed of an uuid, name and id.
|
||||||
|
|
||||||
The uuid **MUST** be preserved for any updates or transfer of the same event. UUID version 4 is **RECOMMENDED** when assigning it to a new event.
|
The uuid **MUST** be preserved for any updates or transfer of the same event. UUID version 4 is **RECOMMENDED** when assigning it to a new event.
|
||||||
The organization UUID is globally assigned to an organization and **SHALL** be kept overtime.
|
The organisation UUID is globally assigned to an organisation and **SHALL** be kept overtime.
|
||||||
|
|
||||||
The name is a readable description of the organization and **SHOULD** be present.
|
The name is a readable description of the organisation and **SHOULD** be present.
|
||||||
The id is a human-readable identifier generated by the instance and used as reference in the event.
|
The id is a human-readable identifier generated by the instance and used as reference in the event.
|
||||||
|
|
||||||
uuid, name and id are represented as a JSON string. uuid, name and id **MUST** be present.
|
uuid, name and id are represented as a JSON string. uuid, name and id **MUST** be present.
|
||||||
|
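Review bot: In this Orgc object description the context line "The uuid **MUST** be preserved for any updates or transfer of the same event. UUID version 4 is **RECOMMENDED** when assigning it to a new event." speaks of assigning the uuid to an event, while the edited line right below it says the organisation UUID is globally assigned to an organisation. As the two sentences stand, a reader cannot tell whether the Orgc uuid identifies the event or the creating organisation. Suggest rewording the first sentence so it is explicitly about the organisation's UUID being carried unchanged when the event is updated or transferred. The changed line also still says "kept overtime", which should be "kept over time".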
@ -905,23 +905,22 @@ name **MUST** be present. colour, id and exportable **SHALL** be present.
|
||||||
|
|
||||||
## Sighting
|
## Sighting
|
||||||
|
|
||||||
A sighting is an ascertainment which describes if an attribute has been seen under a specific set of conditions. The sighting can include the organisation who sighted the attribute or can
|
A sighting is an ascertainment which describes whether an attribute has been seen under a given set of conditions. The sighting can include the organisation who sighted the attribute or can
|
||||||
be anonymized without revealing the organisation. Sighting is composed of a JSON array where each element describes one sighting. A sighting element is a JSON object composed of the following values.
|
be anonymised. Sighting is composed of a JSON array in which each element describes one singular instance of a sighting. A sighting element is a JSON object composed of the following values:
|
||||||
|
|
||||||
|
type **MUST** be present. type describes the type of a sighting. MISP allows 3 default types:
|
||||||
type **MUST** be present. type describes the type of sighting. MISP allows 3 default types:
|
|
||||||
|
|
||||||
| Sighting type | Description |
|
| Sighting type | Description |
|
||||||
|---------------|:----------------------------------------------------------------------:|
|
|---------------|:-------------------------------------------------------------------------:|
|
||||||
| 0 | denotes an attribute which has been seen |
|
| 0 | denotes an attribute which has been seen |
|
||||||
| 1 | denotes an attribute which has been seen as false-positive |
|
| 1 | denotes an attribute which has been seen and confirmed as false-positive |
|
||||||
| 2 | denotes an attribute which will be expired at the time of the sighting |
|
| 2 | denotes an attribute which will be expired at the time of the sighting |
|
||||||
|
|
||||||
uuid **MUST** be present. uuid references the attribute uuid sighted.
|
uuid **MUST** be present. uuid references the uuid of the sighted attribute.
|
||||||
|
|
||||||
date_sighting **MUST** be present. date_sighting is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). date_sighting represents when the reference attribute uuid is sighted.
|
date_sighting **MUST** be present. date_sighting is expressed in seconds (decimal) elapsed since 1st of January 1970 (Unix timestamp). date_sighting represents when the referenced attribute, designated by its uuid, is sighted.
|
||||||
|
|
||||||
source **MAY** be present. source is represented as a JSON string. source represents the human-readable of the sighting source which can be a software (e.g. SIEM), tool or even a specific analyst process.
|
source **MAY** be present. source is represented as a JSON string and represents the human-readable version of the sighting source, which can be a given piece of software (e.g. SIEM), device or a specific analytical process.
|
||||||
|
|
||||||
id, event_id and attribute_id **MAY** be present.
|
id, event_id and attribute_id **MAY** be present.
|
||||||
|
|
||||||
|
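Review bot: The table row for type 1 changes from "seen as false-positive" to "seen and confirmed as false-positive", which alters what a type 1 sighting asserts; it is not a spelling or grammar fix. In a commit titled "Some minor corrections" this is easy to miss, and consumers that treat type 1 as a reporter's opinion would now be told it is a confirmed verdict. Suggest either keeping the original wording here or moving the semantic change into its own commit with a message that says so. Separately, the hunk states a JSON representation for source ("represented as a JSON string") but none for type or date_sighting; stating it for those two fields would remove guesswork for parsers.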
@ -929,7 +928,7 @@ id represents the human-readable identifier of the sighting reference which belo
|
||||||
event_id represents the human-readable identifier of the event referenced by the sighting and belongs to a specific MISP instance.
|
event_id represents the human-readable identifier of the event referenced by the sighting and belongs to a specific MISP instance.
|
||||||
attribute_id represents the human-readable identifier of the attribute referenced by the sighting and belongs to a specific MISP instance.
|
attribute_id represents the human-readable identifier of the attribute referenced by the sighting and belongs to a specific MISP instance.
|
||||||
|
|
||||||
org_id **MAY** be present along the JSON object describing the organisation. If the org_id is not present, the sighted is considered as anonymized.
|
org_id **MAY** be present along the JSON object describing the organisation. If the org_id is not present, the sighting is considered as anonymised.
|
||||||
|
|
||||||
org_id represents the human-readable identifier of the organisation which did the sighting and belongs to a specific MISP instance.
|
org_id represents the human-readable identifier of the organisation which did the sighting and belongs to a specific MISP instance.
|
||||||
|
|
||||||
|
|
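Review bot: The corrected sentence "If the org_id is not present, the sighting is considered as anonymised" ties anonymity to org_id alone, but the sentence before it says org_id may be present "along the JSON object describing the organisation". The text does not say what a consumer should conclude, or a producer should emit, when the organisation object is present and org_id is absent; an exporter that only drops org_id could still disclose the sighting organisation. Suggest stating explicitly whether the organisation object must also be omitted for a sighting to count as anonymised.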