Some minor corrections

pull/8/head
Andras Iklody 2018-02-09 14:04:36 +01:00 committed by GitHub
parent adfab9e436
commit fd55d7dea7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 20 additions and 21 deletions

@ -66,7 +66,7 @@ document are to be interpreted as described in RFC 2119 [@!RFC2119].
The MISP core format is in the JSON [@!RFC4627] format. In MISP, an event is composed of a single JSON object. The MISP core format is in the JSON [@!RFC4627] format. In MISP, an event is composed of a single JSON object.
A capitalized key (like Event, Org) represent a data model and a non-capitalized key is just an attribute. This nomenclature A capitalized key (like Event, Org) represent a data model and a non-capitalised key is just an attribute. This nomenclature
can support an implementation to represent the MISP format in another data structure. can support an implementation to represent the MISP format in another data structure.
## Event ## Event
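Review bot: the changed sentence in this hunk now mixes spellings and keeps a grammar slip. It reads "A capitalized key (like Event, Org) represent a data model and a non-capitalised key is just an attribute". Suggest "A capitalised key (like Event, Org) represents a data model" so the sentence agrees with itself and with the spelling this commit adopts elsewhere.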
@ -161,7 +161,7 @@ publish_timestamp is represented as a JSON string. publish_timestamp **MUST** be
#### org_id #### org_id
org_id represents a human-readable identifier referencing an Org object of the organization which generated the event. org_id represents a human-readable identifier referencing an Org object of the organisation which generated the event.
The org_id **MUST** be updated when the event is generated by a new instance. The org_id **MUST** be updated when the event is generated by a new instance.
@ -169,7 +169,7 @@ org_id is represented as a JSON string. org_id **MUST** be present.
#### orgc_id #### orgc_id
orgc_id represents a human-readable identifier referencing an Orgc object of the organization which created the event. orgc_id represents a human-readable identifier referencing an Orgc object of the organisation which created the event.
The orgc_id and Orc object **MUST** be preserved for any updates or transfer of the same event. The orgc_id and Orc object **MUST** be preserved for any updates or transfer of the same event.
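Review bot: the context line "The orgc_id and Orc object **MUST** be preserved for any updates or transfer of the same event" still says "Orc" where the heading and the preceding line use "Orgc". This is a normative MUST about preserving the creator organisation, so the object name should be exact; suggest correcting it to "Orgc object" in this commit.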
@ -215,10 +215,10 @@ sharing\_group\_id is represented by a JSON string and **SHOULD** be present. If
An Org object is composed of an uuid, name and id. An Org object is composed of an uuid, name and id.
The uuid represents the Universally Unique IDentifier (UUID) [@!RFC4122] of the organization. The uuid represents the Universally Unique IDentifier (UUID) [@!RFC4122] of the organisation.
The organization UUID is globally assigned to an organization and **SHALL** be kept overtime. The organisation UUID is globally assigned to an organisation and **SHALL** be kept overtime.
The name is a readable description of the organization and **SHOULD** be present. The name is a readable description of the organisation and **SHOULD** be present.
The id is a human-readable identifier generated by the instance and used as reference in the event. The id is a human-readable identifier generated by the instance and used as reference in the event.
uuid, name and id are represented as a JSON string. uuid, name and id **MUST** be present. uuid, name and id are represented as a JSON string. uuid, name and id **MUST** be present.
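Review bot: the rewritten line still ends "**SHALL** be kept overtime"; "overtime" should be "over time". The first line of the hunk also keeps "an uuid", which should be "a uuid". Both fit the scope of a corrections commit and could be fixed alongside the spelling change.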
@ -238,9 +238,9 @@ uuid, name and id are represented as a JSON string. uuid, name and id **MUST** b
An Orgc object is composed of an uuid, name and id. An Orgc object is composed of an uuid, name and id.
The uuid **MUST** be preserved for any updates or transfer of the same event. UUID version 4 is **RECOMMENDED** when assigning it to a new event. The uuid **MUST** be preserved for any updates or transfer of the same event. UUID version 4 is **RECOMMENDED** when assigning it to a new event.
The organization UUID is globally assigned to an organization and **SHALL** be kept overtime. The organisation UUID is globally assigned to an organisation and **SHALL** be kept overtime.
The name is a readable description of the organization and **SHOULD** be present. The name is a readable description of the organisation and **SHOULD** be present.
The id is a human-readable identifier generated by the instance and used as reference in the event. The id is a human-readable identifier generated by the instance and used as reference in the event.
uuid, name and id are represented as a JSON string. uuid, name and id **MUST** be present. uuid, name and id are represented as a JSON string. uuid, name and id **MUST** be present.
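Review bot: in the Orgc description, the context line "The uuid **MUST** be preserved for any updates or transfer of the same event. UUID version 4 is **RECOMMENDED** when assigning it to a new event." speaks of assigning a UUID to an event, while the very next line says the organisation UUID is globally assigned to an organisation. It reads as text carried over from the event uuid field; suggest rewording it to refer to the organisation so the two requirements do not conflict. The "kept overtime" wording on the changed line also needs "over time" here.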
@ -905,23 +905,22 @@ name **MUST** be present. colour, id and exportable **SHALL** be present.
## Sighting ## Sighting
A sighting is an ascertainment which describes if an attribute has been seen under a specific set of conditions. The sighting can include the organisation who sighted the attribute or can A sighting is an ascertainment which describes whether an attribute has been seen under a given set of conditions. The sighting can include the organisation who sighted the attribute or can
be anonymized without revealing the organisation. Sighting is composed of a JSON array where each element describes one sighting. A sighting element is a JSON object composed of the following values. be anonymised. Sighting is composed of a JSON array in which each element describes one singular instance of a sighting. A sighting element is a JSON object composed of the following values:
type **MUST** be present. type describes the type of a sighting. MISP allows 3 default types:
type **MUST** be present. type describes the type of sighting. MISP allows 3 default types: | Sighting type | Description |
|---------------|:-------------------------------------------------------------------------:|
| 0 | denotes an attribute which has been seen |
| 1 | denotes an attribute which has been seen and confirmed as false-positive |
| 2 | denotes an attribute which will be expired at the time of the sighting |
| Sighting type | Description | uuid **MUST** be present. uuid references the uuid of the sighted attribute.
|---------------|:----------------------------------------------------------------------:|
| 0 | denotes an attribute which has been seen |
| 1 | denotes an attribute which has been seen as false-positive |
| 2 | denotes an attribute which will be expired at the time of the sighting |
uuid **MUST** be present. uuid references the attribute uuid sighted. date_sighting **MUST** be present. date_sighting is expressed in seconds (decimal) elapsed since 1st of January 1970 (Unix timestamp). date_sighting represents when the referenced attribute, designated by its uuid, is sighted.
date_sighting **MUST** be present. date_sighting is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). date_sighting represents when the reference attribute uuid is sighted. source **MAY** be present. source is represented as a JSON string and represents the human-readable version of the sighting source, which can be a given piece of software (e.g. SIEM), device or a specific analytical process.
source **MAY** be present. source is represented as a JSON string. source represents the human-readable of the sighting source which can be a software (e.g. SIEM), tool or even a specific analyst process.
id, event_id and attribute_id **MAY** be present. id, event_id and attribute_id **MAY** be present.
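Review bot: the new text for type, uuid and date_sighting gives no JSON representation, while source in the same hunk is stated to be "represented as a JSON string". A consumer validating incoming sightings cannot tell from these lines whether type and date_sighting are strings or numbers; suggest adding the representation to each field, in the same form used for source. Separately, the source line changes "tool" to "device" and "analyst process" to "analytical process", which changes meaning rather than spelling; worth confirming that is intended for a commit titled as minor corrections.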
@ -929,7 +928,7 @@ id represents the human-readable identifier of the sighting reference which belo
event_id represents the human-readable identifier of the event referenced by the sighting and belongs to a specific MISP instance. event_id represents the human-readable identifier of the event referenced by the sighting and belongs to a specific MISP instance.
attribute_id represents the human-readable identifier of the attribute referenced by the sighting and belongs to a specific MISP instance. attribute_id represents the human-readable identifier of the attribute referenced by the sighting and belongs to a specific MISP instance.
org_id **MAY** be present along the JSON object describing the organisation. If the org_id is not present, the sighted is considered as anonymized. org_id **MAY** be present along the JSON object describing the organisation. If the org_id is not present, the sighting is considered as anonymised.
org_id represents the human-readable identifier of the organisation which did the sighting and belongs to a specific MISP instance. org_id represents the human-readable identifier of the organisation which did the sighting and belongs to a specific MISP instance.
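Review bot: the rule "If the org_id is not present, the sighting is considered as anonymised" ties anonymity to org_id alone, yet the same line says org_id is sent "along the JSON object describing the organisation". Suggest stating that the organisation object must also be absent for an anonymised sighting, otherwise an exporter could omit org_id and still disclose the organisation through that object. "along the JSON object" should also read "along with the JSON object".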