MISP query format

Sharing threat information became a fundamental requirements in the Internet, security and intelligence community at large. Threat information can include indicators of compromise, malicious file indicators, financial fraud indicators or even detailed information about a threat actor. MISP started as an open source project in late 2011 and the MISP format started to be widely used as an exchange format within the community in the past years. The core format is described in an Internet-Draft as misp-core-format and contain the standard MISP JSON format used for threat intelligence. The aim of this document is to describe the specification of the MISP query format and how the query can be perform against a REST interface.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 .

The MISP query format is in the JSON format.

returnFormat MUST be present. returnFormat sets the type of output format. MISP allows multiple format (depending of the configuration): value Description jsonMISP JSON core format as described in xmlMISP XML format openiocOpenIOC format suricataSuricata NIDS format snortSnort NIDS format csvCSV format rpzResponse policy zone format textRaw value list format

limit MAY be present. If present, the page parameter MUST also be supplied. limit sets the number of returned elements when paginating, depending on the scope of the request (x number of attributes or x number of events) as converted into the output format.

page MAY be present. If present, the page parameter MUST also be supplied. page generates the offset for the pagination and will return a result set consisting of a slice of the query results starting with offset (limit * page) + 1 and ending with (limit * (page+1)).

value MAY be present. If set, the returned data set will be filtered on the attribute value field. value MAY be a string or a sub-string, the latter of which start with, ends with or is encapsulated in wildcard (\%) characters.

type MAY be present. If set, the returned data set will be filtered on the attribute type field. type MAY be a string or a sub-string, the latter of which start with, ends with or is encapsulated in wildcard (\%) characters. The list of valid attribute types is described in the MISP core format in the attribute type section.

category MAY be present. If set, the returned data set will be filtered on the attribute category field. category MAY be a string or a sub-string, the latter of which start with, ends with or is encapsulated in wildcard (\%) characters. The list of valid categories is described in the MISP core format in the attribute type section. A sample query to lookup for the last 30 days of indicators in the Financial fraud category and output in CSV format:

{ "returnFormat": "csv", "last": "30d", "category": "Financial fraud" }

MISP threat intelligence instances might contain sensitive or confidential information. Adequate access control and encryption measures shall be implemented to ensure the confidentiality of the threat intelligence. Adversaries might include malicious content in MISP queries. Implementation MUST consider the input of malicious inputs beside the standard threat information that might already include malicious intended inputs.

The authors wish to thank all the MISP community who are supporting the creation of open standards in threat intelligence sharing. A special thank to all the committees which triggered us to come with better and flexible format.