mirror of https://github.com/MISP/misp-rfc
Compare commits fc4a005632 ... 051e33b671 (10 commits)

Author | SHA1 | Date |
---|---|---|
Alexandre Dulaunoy | 051e33b671 | |
Alexandre Dulaunoy | b48ed9dc9c | |
Alexandre Dulaunoy | 695b25ab7c | |
Alexandre Dulaunoy | 590c412284 | |
Alexandre Dulaunoy | 7dbfe7a979 | |
Alexandre Dulaunoy | 4ff1534786 | |
Alexandre Dulaunoy | 2015fa059d | |
Alexandre Dulaunoy | 444d46fc02 | |
Maxime THIEBAUT | e53e962a6e | |
Maxime Thiebaut | e8caee04ed | |
@ -1,4 +1,4 @@
|
|||
MMARK:=mmark -xml2 -page
|
||||
MMARK:=mmark
|
||||
|
||||
docs = $(wildcard *.md)
|
||||
|
||||
|
|
|
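Review bot: Dropping `-xml2 -page` from `MMARK:=mmark -xml2 -page` changes what mmark emits (`-xml2` selects the legacy xml2rfc v2 XML; without it mmark produces its default v3 XML), so the downstream xml2rfc step and anything relying on the `-page` layout must be adjusted in the same change. The diff as shown only touches the variable; confirm the remaining Makefile rules were updated to match and state the output-format switch in the commit message.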
@ -5,8 +5,13 @@ category = "info"
|
|||
docName = "draft-dulaunoy-misp-core-format"
|
||||
ipr= "trust200902"
|
||||
area = "Security"
|
||||
submissiontype = "independent"
|
||||
|
||||
date = 2020-10-21T00:00:00Z
|
||||
[seriesInfo]
|
||||
name = "Internet-Draft"
|
||||
value = "draft-00"
|
||||
stream = "independent"
|
||||
status = "informational"
|
||||
|
||||
[[author]]
|
||||
initials="A."
|
||||
|
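Review bot: `value = "draft-00"` in the new `[seriesInfo]` block and the hardcoded `date = 2020-10-21T00:00:00Z` will both go stale on the next revision; either derive them from `docName` and the build date or add a comment that they must be bumped together with the draft version. Minor style: `ipr= "trust200902"` is missing the space before `=` that every other key in this block uses.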
@ -218,9 +223,9 @@ extends\_uuid represents which event is extended by this event. The extends\_uui
|
|||
|
||||
extends\_uuid is represented as a JSON string. extends\_uuid **SHOULD** be present.
|
||||
|
||||
## Objects
|
||||
### Event Objects
|
||||
|
||||
### Org
|
||||
#### Org
|
||||
|
||||
An Org object is composed of an uuid, name and id.
|
||||
|
||||
|
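Review bot: Demoting `### Org` to `#### Org` under the new `### Event Objects` heading is the right structure, but every sibling object section needs the same one-level shift or the generated table of contents will mix levels; the following hunks cover Org, Sample Org Object and Orgc, so check the remaining event-level objects outside this diff as well. Minor grammar while here: `An Org object is composed of an uuid` should read `a uuid`.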
@ -233,7 +238,7 @@ A human-readable identifier **MUST** be represented as an unsigned integer.
|
|||
|
||||
uuid, name and id are represented as a JSON string. uuid, name and id **MUST** be present.
|
||||
|
||||
#### Sample Org Object
|
||||
##### Sample Org Object
|
||||
|
||||
~~~~
|
||||
"Org": {
|
||||
|
@ -243,7 +248,7 @@ uuid, name and id are represented as a JSON string. uuid, name and id **MUST** b
|
|||
}
|
||||
~~~~
|
||||
|
||||
### Orgc
|
||||
#### Orgc
|
||||
|
||||
An Orgc object is composed of an uuid, name and id.
|
||||
|
||||
|
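Review bot: The Orgc description (`An Orgc object is composed of an uuid, name and id.`) is word for word the same as the Org description a few lines above; now that both are sibling subsections under Event Objects, the text should state what distinguishes Orgc from Org rather than leaving the reader to infer it from the name. Same `an uuid` grammar nit as in the Org section.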
@ -328,7 +333,7 @@ Internal reference
|
|||
: text, link, comment, other, hex, anonymised, git-commit-id
|
||||
|
||||
Network activity
|
||||
: ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email, email-dst, email-src, eppn, url, uri, user-agent, http-method, AS, snort, pattern-in-file, filename-pattern, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised, community-id, email-subject, favicon-mmh3, dkim, dkim-signature
|
||||
: ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email, email-dst, email-src, eppn, url, uri, user-agent, http-method, AS, snort, pattern-in-file, filename-pattern, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised, community-id, email-subject, favicon-mmh3, dkim, dkim-signature, ssh-fingerprint
|
||||
|
||||
Other
|
||||
: comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean, anonymised, pgp-public-key, pgp-private-key
|
||||
|
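Review bot: `ssh-fingerprint` is appended to the Network activity type list, but nothing in the diff defines the expected value format. The neighbouring fingerprint types encode the algorithm in their name (`x509-fingerprint-md5`, `x509-fingerprint-sha1`, `x509-fingerprint-sha256`, `ja3-fingerprint-md5`), whereas `ssh-fingerprint` leaves hash and encoding unspecified; add a definition of the accepted value form so producers and consumers serialise it the same way.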
@ -538,7 +543,7 @@ Internal reference
|
|||
: text, link, comment, other, hex, anonymised, git-commit-id
|
||||
|
||||
Network activity
|
||||
: ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email, email-dst, email-src, eppn, url, uri, user-agent, http-method, AS, snort, pattern-in-file, filename-pattern, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised, community-id, email-subject, favicon-mmh3, dkim, dkim-signature
|
||||
: ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email, email-dst, email-src, eppn, url, uri, user-agent, http-method, AS, snort, pattern-in-file, filename-pattern, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised, community-id, email-subject, favicon-mmh3, dkim, dkim-signature, ssh-fingerprint
|
||||
|
||||
Other
|
||||
: comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean, anonymised, pgp-public-key, pgp-private-key
|
||||
|
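Review bot: This is the same `ssh-fingerprint` addition applied to the second copy of the Network activity list (at -538 as well as -328). The two lists are maintained by hand and must stay identical; consider generating both from a single source, or at least adding a build-time check that they match, so a future edit to one does not silently diverge from the other.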
@ -650,7 +655,15 @@ last_seen represents a reference time when the attribute was last seen. last_see
|
|||
|
||||
last_seen is represented as a JSON string. last_seen **MAY** be present.
|
||||
|
||||
### Org
|
||||
#### value
|
||||
|
||||
value represents the payload of an attribute. The format of the value is dependent on the type of the attribute.
|
||||
|
||||
value is represented by a JSON string. value **MUST** be present.
|
||||
|
||||
### ShadowAttribute Objects
|
||||
|
||||
#### Org
|
||||
|
||||
An Org object is composed of an uuid, name and id.
|
||||
|
||||
|
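Review bot: Moving the `#### value` subsection up and introducing `### ShadowAttribute Objects` with its own `#### Org` is a structural change that only makes sense together with the removal of the old `#### value` block later in the diff; say so in the commit message. Wording: `value is represented by a JSON string` should be `represented as a JSON string` to match `last_seen is represented as a JSON string` and every other field definition.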
@ -663,7 +676,7 @@ A human-readable identifier **MUST** be represented as an unsigned integer.
|
|||
|
||||
uuid, name and id are represented as a JSON string. uuid, name and id **MUST** be present.
|
||||
|
||||
#### Sample Org Object
|
||||
##### Sample Org Object
|
||||
|
||||
~~~~
|
||||
"Org": {
|
||||
|
@ -673,12 +686,6 @@ uuid, name and id are represented as a JSON string. uuid, name and id **MUST** b
|
|||
}
|
||||
~~~~
|
||||
|
||||
#### value
|
||||
|
||||
value represents the payload of an attribute. The format of the value is dependent on the type of the attribute.
|
||||
|
||||
value is represented by a JSON string. value **MUST** be present.
|
||||
|
||||
## Object
|
||||
|
||||
Objects serve as a contextual bond between a list of attributes within an event. Their main purpose is to describe more complex structures than can be described by a single attribute
|
||||
|
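Review bot: The six removed lines are the `#### value` block that was re-inserted at +655, so this is a relocation rather than a deletion of normative text; worth confirming nothing else referenced the old position. While here, the context line `Objects serve as a contextual bond ... than can be described by a single attribute` lacks a terminating period.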
@ -1071,7 +1078,7 @@ date_sighting **MUST** be present. date_sighting is expressed in seconds (decima
|
|||
|
||||
source **MAY** be present. source is represented as a JSON string and represents the human-readable version of the sighting source, which can be a given piece of software (e.g. SIEM), device or a specific analytical process.
|
||||
|
||||
id, event_id and attribute_id **MAY** be present.
|
||||
id, event_id and attribute_id are represented as a JSON string and **MAY** be present.
|
||||
|
||||
id represents the human-readable identifier of the sighting reference which belongs to a specific MISP instance.
|
||||
event_id represents the human-readable identifier of the event referenced by the sighting and belongs to a specific MISP instance.
|
||||
|
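Review bot: The new sentence `id, event_id and attribute_id are represented as a JSON string and **MAY** be present.` sits in tension with the following hunk, which says a human-readable identifier `**MUST** be considered as an unsigned integer`; state explicitly that these are unsigned integers serialised as JSON strings, if that is the intent, so a consumer knows whether to expect `"1"` or `1`. Also, with a plural subject the phrase should be `are represented as JSON strings`.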
@ -1081,7 +1088,7 @@ org_id **MAY** be present along the JSON object describing the organisation. If
|
|||
|
||||
org_id represents the human-readable identifier of the organisation which did the sighting and belongs to a specific MISP instance.
|
||||
|
||||
A human-readable identifier **MUST** be represented as an unsigned integer.
|
||||
A human-readable identifier **MUST** be considered as an unsigned integer.
|
||||
|
||||
### Sample Sighting
|
||||
|
||||
|
|
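Review bot: Changing `**MUST** be represented as an unsigned integer` to `**MUST** be considered as an unsigned integer` weakens the requirement and leaves the document inconsistent: the identical sentence at +238 and +676 (`A human-readable identifier **MUST** be represented as an unsigned integer.`) is unchanged, so the draft now states two different rules for the same concept. Either apply the same wording everywhere or, better, keep `represented as` and spell out the JSON encoding (string-wrapped unsigned integer) once.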