diff --git a/rfc/misp-standard-core.html b/rfc/misp-standard-core.html index 6a8b3fe..33c49a8 100644 --- a/rfc/misp-standard-core.html +++ b/rfc/misp-standard-core.html @@ -396,12 +396,22 @@ - - - - - - + + + + + + + + + + + + + + + + @@ -421,7 +431,7 @@ - + @@ -441,12 +451,12 @@
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
-This Internet-Draft will expire on November 27, 2020.
+This Internet-Draft will expire on April 24, 2021.
Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
@@ -516,17 +526,37 @@referenced_uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the object or attribute that is being referenced by the object reference. The referenced_uuid MUST be preserved to preserve the object reference's association with the object or attribute.
A tag is a simple method to classify an event with a simple string. The tag name can be freely chosen. The tag name can be also chosen from a fixed machine-tag vocabulary called MISP taxonomies[[MISP-T]]. When an event is distributed outside an organisation, the use of MISP taxonomies[[MISP-T]] is RECOMMENDED to ensure a coherent naming of the tags. A tag is represented as a JSON array where each element describes each tag associated. A tag array SHALL be at event level or attribute level. A tag element is described with a name, id, colour and exportable flag.
-exportable represents a setting if the tag is kept local or exportable to other MISP instances. exportable is represented by a JSON boolean. id is a human-readable identifier that references the tag on the local instance. colour represents an RGB value of the tag.
-name MUST be present. colour, id and exportable SHALL be present.
+EventReport are used to complement an event with one or more report in Markdown format. The EventReport contains unstructured information which can be linked to Attributes, Objects, Tags or Galaxy with an extension to the Markdown marking language.
id represents the human-readable identifier associated to the EventReport for a specific MISP instance. A human-readable identifier MUST be represented as an unsigned integer.
+id is represented as a JSON string. id SHALL be present.
+uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the EventReport. The uuid MUST be preserved for any updates or transfer of the same EventReport. UUID version 4 is RECOMMENDED when assigning it to a new EventReport.
+uuid is represented as a JSON string. uuid MUST be present.
+event_id represents the human-readable identifier associating the EventReport to an event on a specific MISP instance. A human-readable identifier MUST be represented as an unsigned integer.
+event_id is represented as a JSON string. event_id MUST be present.
+name represents the information field of the EventReport. name is a free-text value to provide a human-readable summary of the report. name SHOULD NOT be bigger than 256 characters and SHOULD NOT include new-lines.
+name is represented as a JSON string. name MUST be present.
+content includes the raw EventReport in Markdown format with or without the specific MISP Markdown markup extension.
+The markdown extension for MISP is composed with a symbol as prefix then between square bracket the scope (attribute, object, tag or galaxymatrix) followed by the UUID in parenthesis.
+content is represented as a JSON string. content MUST be present.
+distribution represents the basic distribution rules of the EventReport. The system must adhere to the distribution setting for access control and for dissemination of the EventReport.
+distribution is represented by a JSON string. distribution MUST be present and be one of the following options:
+ + ++
sharing_group_id represents the local id to the MISP local instance of the Sharing Group associated for the distribution.
+sharing_group_id is represented by a JSON string. sharing_group_id MUST be present and set to "0" if not used.
+timestamp represents a reference time when the EventReport was created or last modified. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone MUST be UTC.
+timestamp is represented as a JSON string. timestamp MUST be present.
+deleted represents a setting that allows EventReport to be revoked. Revoked EventReport are not actionable and exist merely to inform other instances of a revocation.
+deleted is represented by a JSON boolean. deleted MUST be present.
+A tag is a simple method to classify an event with a simple string. The tag name can be freely chosen. The tag name can be also chosen from a fixed machine-tag vocabulary called MISP taxonomies[[MISP-T]]. When an event is distributed outside an organisation, the use of MISP taxonomies[[MISP-T]] is RECOMMENDED to ensure a coherent naming of the tags. A tag is represented as a JSON array where each element describes each tag associated. A tag array SHALL be at event level or attribute level. A tag element is described with a name, id, colour and exportable flag.
+exportable represents a setting if the tag is kept local or exportable to other MISP instances. exportable is represented by a JSON boolean. id is a human-readable identifier that references the tag on the local instance. colour represents an RGB value of the tag.
+name MUST be present. colour, id and exportable SHALL be present.
+"Tag": [{ "exportable": true, @@ -1376,11 +1480,11 @@ "name": "tlp:white", "id": "2" }]-
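Review bot: the new EventReport section added in hunk `@@ -516,17 +526,37 @@` leaves two fields unimplementable as written. The `content` paragraph says the MISP Markdown extension is "composed with a symbol as prefix then between square bracket the scope (attribute, object, tag or galaxymatrix) followed by the UUID in parenthesis" but never names the prefix symbol and gives no example; the `distribution` paragraph says the value "MUST be present and be one of the following options" and the options table that follows is empty in this diff. Please state the literal prefix character with one worked reference per scope, and either fill the distribution table or say explicitly that the value set is the same as the event-level `distribution`. Wording in the same hunk: "EventReport are used to complement an event with one or more report" should read "EventReports are used ... one or more reports", and "Revoked EventReport are not actionable" needs the plural as well.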
A sighting is an ascertainment which describes whether an attribute has been seen under a given set of conditions. The sighting can include the organisation who sighted the attribute or can be anonymised. Sighting is composed of a JSON array in which each element describes one singular instance of a sighting. A sighting element is a JSON object composed of the following values:
-type MUST be present. type describes the type of a sighting. MISP allows 3 default types:
+A sighting is an ascertainment which describes whether an attribute has been seen under a given set of conditions. The sighting can include the organisation who sighted the attribute or can be anonymised. Sighting is composed of a JSON array in which each element describes one singular instance of a sighting. A sighting element is a JSON object composed of the following values:
+type MUST be present. type describes the type of a sighting. MISP allows 3 default types:
Sighting type | @@ -1401,16 +1505,16 @@
---|
uuid MUST be present. uuid references the uuid of the sighted attribute.
-datesighting MUST be present. datesighting is expressed in seconds (decimal) elapsed since 1st of January 1970 (Unix timestamp). date_sighting represents when the referenced attribute, designated by its uuid, is sighted.
-source MAY be present. source is represented as a JSON string and represents the human-readable version of the sighting source, which can be a given piece of software (e.g. SIEM), device or a specific analytical process.
-id, eventid and attributeid MAY be present.
-id represents the human-readable identifier of the sighting reference which belongs to a specific MISP instance. eventid represents the human-readable identifier of the event referenced by the sighting and belongs to a specific MISP instance. attributeid represents the human-readable identifier of the attribute referenced by the sighting and belongs to a specific MISP instance.
-orgid MAY be present along the JSON object describing the organisation. If the orgid is not present, the sighting is considered as anonymised.
-org_id represents the human-readable identifier of the organisation which did the sighting and belongs to a specific MISP instance.
-A human-readable identifier MUST be represented as an unsigned integer.
-uuid MUST be present. uuid references the uuid of the sighted attribute.
+datesighting MUST be present. datesighting is expressed in seconds (decimal) elapsed since 1st of January 1970 (Unix timestamp). date_sighting represents when the referenced attribute, designated by its uuid, is sighted.
+source MAY be present. source is represented as a JSON string and represents the human-readable version of the sighting source, which can be a given piece of software (e.g. SIEM), device or a specific analytical process.
+id, eventid and attributeid MAY be present.
+id represents the human-readable identifier of the sighting reference which belongs to a specific MISP instance. eventid represents the human-readable identifier of the event referenced by the sighting and belongs to a specific MISP instance. attributeid represents the human-readable identifier of the attribute referenced by the sighting and belongs to a specific MISP instance.
+orgid MAY be present along the JSON object describing the organisation. If the orgid is not present, the sighting is considered as anonymised.
+org_id represents the human-readable identifier of the organisation which did the sighting and belongs to a specific MISP instance.
+A human-readable identifier MUST be represented as an unsigned integer.
+"Sighting": [ { @@ -1445,12 +1549,12 @@ } ]-
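Review bot: the Sighting paragraphs re-added in hunk `@@ -1401,16 +1505,16 @@` are moved unchanged, so they carry over the inconsistent field names: one paragraph uses both `datesighting` and `date_sighting`, and `eventid`, `attributeid` and `orgid` appear alongside `org_id`. Since a reader validating a Sighting object needs the exact JSON key, confirm the spelling against the JSON sample and the schema and use one form throughout; if the underscores are being consumed as Markdown emphasis in the HTML rendering, escape them in the source rather than leaving the rendered text ambiguous. While the block is being moved, "orgid MAY be present along the JSON object describing the organisation" should read "along with".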
A galaxy is a simple method to express a large object called cluster that can be attached to MISP events. A cluster can be composed of one or more elements. Elements are expressed as key-values.
-A galaxy is a simple method to express a large object called cluster that can be attached to MISP events. A cluster can be composed of one or more elements. Elements are expressed as key-values.
+"Galaxy": [ { "id": "18", diff --git a/rfc/misp-standard-core.txt b/rfc/misp-standard-core.txt index c45c571..6dbbdc6 100644 --- a/rfc/misp-standard-core.txt +++ b/rfc/misp-standard-core.txt @@ -4,8 +4,8 @@ Network Working Group A. Dulaunoy Internet-Draft A. Iklody -Expires: November 27, 2020 CIRCL - May 26, 2020 +Expires: April 24, 2021 CIRCL + October 21, 2020 MISP core format @@ -36,7 +36,7 @@ Status of This Memo time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on November 27, 2020. + This Internet-Draft will expire on April 24, 2021. Copyright Notice @@ -53,9 +53,9 @@ Copyright Notice -Dulaunoy & Iklody Expires November 27, 2020 [Page 1] +Dulaunoy & Iklody Expires April 24, 2021 [Page 1] -Internet-Draft MISP core format May 2020 +Internet-Draft MISP core format October 2020 the Trust Legal Provisions and are provided without warranty as 
@@ -68,52 +68,60 @@ Table of Contents 2. Format . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 3 2.2. Event . . . . . . . . . . . . . . . . . . . . . . . . . . 3 - 2.2.1. Event Attributes . . . . . . . . . . . . . . . . . . 3 + 2.2.1. Event Attributes . . . . . . . . . . . . . . . . . . 4 2.3. Objects . . . . . . . . . . . . . . . . . . . . . . . . . 7 2.3.1. Org . . . . . . . . . . . . . . . . . . . . . . . . . 7 2.3.2. Orgc . . . . . . . . . . . . . . . . . . . . . . . . 8 2.4. Attribute . . . . . . . . . . . . . . . . . . . . . . . . 8 - 2.4.1. Sample Attribute Object . . . . . . . . . . . . . . . 8 + 2.4.1. Sample Attribute Object . . . . . . . . . . . . . . . 9 2.4.2. Attribute Attributes . . . . . . . . . . . . . . . . 9 - 2.5. ShadowAttribute . . . . . . . . . . . . . . . . . . . . . 15 + 2.5. ShadowAttribute . . . . . . . . . . . . . . . . . . . . . 16 2.5.1. Sample Attribute Object . . . . . . . . . . . . . . . 16 2.5.2. ShadowAttribute Attributes . . . . . . . . . . . . . 16 2.5.3. Org . . . . . . . . . . . . . . . . . . . . . . . . . 22 - 2.6. Object . . . . . . . . . . . . . . . . . . . . . . . . . 22 + 2.6. Object . . . . . . . . . . . . . . . . . . . . . . . . . 23 2.6.1. Sample Object . . . . . . . . . . . . . . . . . . . . 23 2.6.2. Object Attributes . . . . . . . . . . . . . . . . . . 24 2.7. Object References . . . . . . . . . . . . . . . . . . . . 28 2.7.1. Sample ObjectReference object . . . . . . . . . . . . 28 2.7.2. ObjectReference Attributes . . . . . . . . . . . . . 28 - 2.8. Tag . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 - 2.8.1. Sample Tag . . . . . . . . . . . . . . . . . . . . . 31 - 2.9. Sighting . . . . . . . . . . . . . . . . . . . . . . . . 31 - 2.9.1. Sample Sighting . . . . . . . . . . . . . . . . . . . 32 - 2.10. Galaxy . . . . . . . . . . . . . . . . . . . . . . . . . 33 - 2.10.1. Sample Galaxy . . . . . . . . . . . . . . . . . . . 33 - 3. 
JSON Schema . . . . . . . . . . . . . . . . . . . . . . . . . 35 - 4. Manifest . . . . . . . . . . . . . . . . . . . . . . . . . . 49 - 4.1. Format . . . . . . . . . . . . . . . . . . . . . . . . . 49 - 4.1.1. Sample Manifest . . . . . . . . . . . . . . . . . . . 50 - 5. Implementation . . . . . . . . . . . . . . . . . . . . . . . 51 - 6. Security Considerations . . . . . . . . . . . . . . . . . . . 51 - 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 51 - 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 51 - 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 51 - 9.1. Normative References . . . . . . . . . . . . . . . . . . 52 - 9.2. Informative References . . . . . . . . . . . . . . . . . 52 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 52 + 2.8. EventReport . . . . . . . . . . . . . . . . . . . . . . . 30 + 2.8.1. id . . . . . . . . . . . . . . . . . . . . . . . . . 31 + 2.8.2. UUID . . . . . . . . . . . . . . . . . . . . . . . . 31 + 2.8.3. event_id . . . . . . . . . . . . . . . . . . . . . . 31 + 2.8.4. name . . . . . . . . . . . . . . . . . . . . . . . . 31 + 2.8.5. content . . . . . . . . . . . . . . . . . . . . . . . 31 + 2.8.6. distribution . . . . . . . . . . . . . . . . . . . . 32 + 2.8.7. sharing_group_id . . . . . . . . . . . . . . . . . . 32 + 2.8.8. timestamp . . . . . . . . . . . . . . . . . . . . . . 32 + 2.8.9. deleted . . . . . . . . . . . . . . . . . . . . . . . 33 + 2.9. Tag . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 + 2.9.1. Sample Tag . . . . . . . . . . . . . . . . . . . . . 33 + 2.10. Sighting . . . . . . . . . . . . . . . . . . . . . . . . 33 + 2.10.1. Sample Sighting . . . . . . . . . . . . . . . . . . 34 + 2.11. Galaxy . . . . . . . . . . . . . . . . . . . . . . . . . 35 + 2.11.1. Sample Galaxy . . . . . . . . . . . . . . . . . . . 35 + 3. JSON Schema . . . . . . . . . . . . . . . . . . . . . . . . . 37 + 4. Manifest . . . . . . . . . . . . . . . . . . . . . . 
. . . . 51 + 4.1. Format . . . . . . . . . . . . . . . . . . . . . . . . . 51 + 4.1.1. Sample Manifest . . . . . . . . . . . . . . . . . . . 52 + 5. Implementation . . . . . . . . . . . . . . . . . . . . . . . 53 - - - -Dulaunoy & Iklody Expires November 27, 2020 [Page 2] +Dulaunoy & Iklody Expires April 24, 2021 [Page 2] -Internet-Draft MISP core format May 2020 +Internet-Draft MISP core format October 2020 + 6. Security Considerations . . . . . . . . . . . . . . . . . . . 53 + 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 53 + 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 53 + 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 53 + 9.1. Normative References . . . . . . . . . . . . . . . . . . 54 + 9.2. Informative References . . . . . . . . . . . . . . . . . 54 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 54 + 1. Introduction Sharing threat information became a fundamental requirements in the @@ -152,6 +160,16 @@ Internet-Draft MISP core format May 2020 specific threat actor analysis. The meaning of an event only depends of the information embedded in the event. + + + + + +Dulaunoy & Iklody Expires April 24, 2021 [Page 3] + +Internet-Draft MISP core format October 2020 + + 2.2.1. Event Attributes 2.2.1.1. uuid @@ -163,13 +181,6 @@ Internet-Draft MISP core format May 2020 uuid is represented as a JSON string. uuid MUST be present. - - -Dulaunoy & Iklody Expires November 27, 2020 [Page 3] - -Internet-Draft MISP core format May 2020 - - 2.2.1.2. id id represents the human-readable identifier associated to the event @@ -207,6 +218,14 @@ Internet-Draft MISP core format May 2020 Low 2: + + + +Dulaunoy & Iklody Expires April 24, 2021 [Page 4] + +Internet-Draft MISP core format October 2020 + + Medium 1: 
@@ -218,14 +237,6 @@ Internet-Draft MISP core format May 2020 threat_level_id is represented as a JSON string. threat_level_id SHALL be present. - - - -Dulaunoy & Iklody Expires November 27, 2020 [Page 4] - -Internet-Draft MISP core format May 2020 - - 2.2.1.6. analysis analysis represents the analysis level. @@ -261,6 +272,16 @@ Internet-Draft MISP core format May 2020 timestamp is represented as a JSON string. timestamp MUST be present. + + + + + +Dulaunoy & Iklody Expires April 24, 2021 [Page 5] + +Internet-Draft MISP core format October 2020 + + 2.2.1.9. publish_timestamp publish_timestamp represents a reference time when the event was @@ -275,13 +296,6 @@ Internet-Draft MISP core format May 2020 publish_timestamp is represented as a JSON string. publish_timestamp MUST be present. - - -Dulaunoy & Iklody Expires November 27, 2020 [Page 5] - -Internet-Draft MISP core format May 2020 - - 2.2.1.10. org_id org_id represents a human-readable identifier referencing an Org @@ -317,6 +331,13 @@ Internet-Draft MISP core format May 2020 The system must adhere to the distribution setting for access control and for dissemination of the event. + + +Dulaunoy & Iklody Expires April 24, 2021 [Page 6] + +Internet-Draft MISP core format October 2020 + + distribution is represented by a JSON string. distribution MUST be present and be one of the following options: @@ -330,14 +351,6 @@ Internet-Draft MISP core format May 2020 Connected Communities 3 - - - -Dulaunoy & Iklody Expires November 27, 2020 [Page 6] - -Internet-Draft MISP core format May 2020 - - All Communities 4 
@@ -373,6 +386,14 @@ Internet-Draft MISP core format May 2020 [RFC4122] of the organisation. The organisation UUID is globally assigned to an organisation and SHALL be kept overtime. + + + +Dulaunoy & Iklody Expires April 24, 2021 [Page 7] + +Internet-Draft MISP core format October 2020 + + The name is a readable description of the organisation and SHOULD be present. The id is a human-readable identifier generated by the instance and used as reference in the event. A human-readable @@ -383,17 +404,6 @@ Internet-Draft MISP core format May 2020 2.3.1.1. Sample Org Object - - - - - - -Dulaunoy & Iklody Expires November 27, 2020 [Page 7] - -Internet-Draft MISP core format May 2020 - - "Org": { "id": "2", "name": "CIRCL", @@ -428,7 +438,6 @@ Internet-Draft MISP core format May 2020 A MISP document MUST at least includes category-type-value triplet described in section "Attribute Attributes". -2.4.1. Sample Attribute Object @@ -436,20 +445,13 @@ Internet-Draft MISP core format May 2020 - - - - - - - - - -Dulaunoy & Iklody Expires November 27, 2020 [Page 8] +Dulaunoy & Iklody Expires April 24, 2021 [Page 8] -Internet-Draft MISP core format May 2020 +Internet-Draft MISP core format October 2020 +2.4.1. Sample Attribute Object + "Attribute": { "id": "346056", "type": "comment", 
@@ -495,114 +497,135 @@ Internet-Draft MISP core format May 2020 describe the intent of the attribute creator, using a list of pre- defined attribute types. + + + + +Dulaunoy & Iklody Expires April 24, 2021 [Page 9] + +Internet-Draft MISP core format October 2020 + + type is represented as a JSON string. type MUST be present and it MUST be a valid selection for the chosen category. The list of valid category-type combinations is as follows: - - -Dulaunoy & Iklody Expires November 27, 2020 [Page 9] - -Internet-Draft MISP core format May 2020 - - Antivirus detection link, comment, text, hex, attachment, other, anonymised Artifacts dropped md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, - ssdeep, imphash, impfuzzy, authentihash, cdhash, filename, - filename|md5, filename|sha1, filename|sha224, filename|sha256, - filename|sha384, filename|sha512, filename|sha512/224, - filename|sha512/256, filename|authentihash, filename|ssdeep, - filename|tlsh, filename|imphash, filename|impfuzzy, - filename|pehash, regkey, regkey|value, pattern-in-file, pattern- - in-memory, pdb, stix2-pattern, yara, sigma, attachment, malware- - sample, named pipe, mutex, windows-scheduled-task, windows- - service-name, windows-service-displayname, comment, text, hex, - x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint- - sha256, other, cookie, gene, kusto-query, mime-type, anonymised + sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, + impfuzzy, authentihash, vhash, cdhash, filename, filename|md5, + filename|sha1, filename|sha224, filename|sha256, filename|sha384, + filename|sha512, filename|sha512/224, filename|sha512/256, + filename|sha3-224, filename|sha3-256, filename|sha3-384, + filename|sha3-512, filename|authentihash, filename|vhash, + filename|ssdeep, filename|tlsh, filename|imphash, + filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern- + in-file, pattern-in-memory, filename-pattern, pdb, stix2-pattern, + yara, sigma, 
attachment, malware-sample, named pipe, mutex, + windows-scheduled-task, windows-service-name, windows-service- + displayname, comment, text, hex, x509-fingerprint-sha1, x509- + fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene, + kusto-query, mime-type, anonymised, pgp-public-key, pgp-private- + key Attribution threat-actor, campaign-name, campaign-id, whois-registrant-phone, whois-registrant-email, whois-registrant-name, whois-registrant- org, whois-registrar, whois-creation-date, comment, text, x509- fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, - other, dns-soa-email, anonymised + other, dns-soa-email, anonymised, email External analysis - md5, sha1, sha256, filename, filename|md5, filename|sha1, - filename|sha256, ip-src, ip-dst, ip-dst|port, ip-src|port, mac- + md5, sha1, sha256, sha3-224, sha3-256, sha3-384, sha3-512, + filename, filename|md5, filename|sha1, filename|sha256, + filename|sha3-224, filename|sha3-256, filename|sha3-384, + filename|sha3-512, ip-src, ip-dst, ip-dst|port, ip-src|port, mac- address, mac-eui-64, hostname, domain, domain|ip, url, user-agent, regkey, regkey|value, AS, snort, bro, zeek, pattern-in-file, - pattern-in-traffic, pattern-in-memory, vulnerability, weakness, - attachment, malware-sample, link, comment, text, x509-fingerprint- - sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3- - fingerprint-md5, hassh-md5, hasshserver-md5, github-repository, - other, cortex, anonymised, community-id + pattern-in-traffic, pattern-in-memory, filename-pattern, + vulnerability, cpe, weakness, attachment, malware-sample, link, + comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509- + fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver- + md5, github-repository, other, cortex, anonymised, community-id Financial fraud btc, dash, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc- number, prtn, phone-number, comment, text, other, hex, anonymised + + +Dulaunoy & Iklody Expires April 24, 2021 
[Page 10] + +Internet-Draft MISP core format October 2020 + + Internal reference text, link, comment, other, hex, anonymised, git-commit-id Network activity ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, - domain|ip, mac-address, mac-eui-64, email-dst, email-src, eppn, - url, uri, user-agent, http-method, AS, snort, pattern-in-file, - stix2-pattern, pattern-in-traffic, attachment, comment, text, - x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint- - - - -Dulaunoy & Iklody Expires November 27, 2020 [Page 10] - -Internet-Draft MISP core format May 2020 - - - sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, - hex, cookie, hostname|port, bro, zeek, anonymised, community-id, - email-subject + domain|ip, mac-address, mac-eui-64, email, email-dst, email-src, + eppn, url, uri, user-agent, http-method, AS, snort, pattern-in- + file, filename-pattern, stix2-pattern, pattern-in-traffic, + attachment, comment, text, x509-fingerprint-md5, x509-fingerprint- + sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, + hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, + anonymised, community-id, email-subject Other comment, text, other, size-in-bytes, counter, datetime, cpe, port, - float, hex, phone-number, boolean, anonymised + float, hex, phone-number, boolean, anonymised, pgp-public-key, + pgp-private-key Payload delivery md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, - ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash, - filename, filename|md5, filename|sha1, filename|sha224, - filename|sha256, filename|sha384, filename|sha512, - filename|sha512/224, filename|sha512/256, filename|authentihash, - filename|ssdeep, filename|tlsh, filename|imphash, + sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, + impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, + filename|md5, filename|sha1, filename|sha224, filename|sha256, + filename|sha384, filename|sha512, 
filename|sha512/224, + filename|sha512/256, filename|sha3-224, filename|sha3-256, + filename|sha3-384, filename|sha3-512, filename|authentihash, + filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip- - src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email- - src, email-dst, email-subject, email-attachment, email-body, url, - user-agent, AS, pattern-in-file, pattern-in-traffic, - stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, - link, malware-type, comment, text, hex, vulnerability, weakness, - x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint- - sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, - hostname|port, email-dst-display-name, email-src-display-name, - email-header, email-reply-to, email-x-mailer, email-mime-boundary, - email-thread-index, email-message-id, mobile-application-id, - chrome-extension-id, whois-registrant-email, anonymised + src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, + email-src, email-dst, email-subject, email-attachment, email-body, + url, user-agent, AS, pattern-in-file, pattern-in-traffic, + filename-pattern, stix2-pattern, yara, sigma, mime-type, + attachment, malware-sample, link, malware-type, comment, text, + hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509- + fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, + hassh-md5, hasshserver-md5, other, hostname|port, email-dst- + display-name, email-src-display-name, email-header, email-reply- + to, email-x-mailer, email-mime-boundary, email-thread-index, + email-message-id, mobile-application-id, chrome-extension-id, + whois-registrant-email, anonymised Payload installation md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, - ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash, - filename, filename|md5, filename|sha1, filename|sha224, - filename|sha256, filename|sha384, filename|sha512, - 
filename|sha512/224, filename|sha512/256, filename|authentihash, - filename|ssdeep, filename|tlsh, filename|imphash, + sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, + impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, + filename|md5, filename|sha1, filename|sha224, filename|sha256, + filename|sha384, filename|sha512, filename|sha512/224, + filename|sha512/256, filename|sha3-224, filename|sha3-256, + + + +Dulaunoy & Iklody Expires April 24, 2021 [Page 11] + +Internet-Draft MISP core format October 2020 + + + filename|sha3-384, filename|sha3-512, filename|authentihash, + filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in- - traffic, pattern-in-memory, stix2-pattern, yara, sigma, - vulnerability, weakness, attachment, malware-sample, malware-type, - comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, - x509-fingerprint-sha256, mobile-application-id, chrome-extension- - id, other, mime-type, anonymised + traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, + sigma, vulnerability, cpe, weakness, attachment, malware-sample, + malware-type, comment, text, hex, x509-fingerprint-sha1, x509- + fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, + chrome-extension-id, other, mime-type, anonymised Payload type comment, text, other, anonymised @@ -611,13 +634,6 @@ Internet-Draft MISP core format May 2020 filename, regkey, regkey|value, comment, text, other, hex, anonymised - - -Dulaunoy & Iklody Expires November 27, 2020 [Page 11] - -Internet-Draft MISP core format May 2020 - - Person first-name, middle-name, last-name, date-of-birth, place-of-birth, gender, passport-number, passport-country, passport-expiration, 
@@ -627,12 +643,13 @@ Internet-Draft MISP core format May 2020 port-of-original-embarkation, place-port-of-clearance, place-port- of-onward-foreign-destination, passenger-name-record-locator- number, comment, text, other, phone-number, identity-card-number, - anonymised + anonymised, email, pgp-public-key, pgp-private-key Social network github-username, github-repository, github-organisation, jabber- - id, twitter-id, email-src, email-dst, eppn, comment, text, other, - whois-registrant-email, anonymised + id, twitter-id, email, email-src, email-dst, eppn, comment, text, + other, whois-registrant-email, anonymised, pgp-public-key, pgp- + private-key Support Tool link, text, attachment, comment, other, hex, anonymised @@ -645,6 +662,18 @@ Internet-Draft MISP core format May 2020 Attributes can be extended on a regular basis and this reference document is updated accordingly. + + + + + + + +Dulaunoy & Iklody Expires April 24, 2021 [Page 12] + +Internet-Draft MISP core format October 2020 + + 2.4.2.4. category category represents the intent of what the attribute is describing as @@ -664,16 +693,6 @@ Internet-Draft MISP core format May 2020 to_ids is represented as a JSON boolean. to_ids MUST be present. - - - - - -Dulaunoy & Iklody Expires November 27, 2020 [Page 12] - -Internet-Draft MISP core format May 2020 - - 2.4.2.6. event_id event_id represents a human-readable identifier referencing the Event @@ -703,6 +722,14 @@ Internet-Draft MISP core format May 2020 2 Connected Communities + + + +Dulaunoy & Iklody Expires April 24, 2021 [Page 13] + +Internet-Draft MISP core format October 2020 + + 3 All Communities @@ -720,16 +747,6 @@ Internet-Draft MISP core format May 2020 timestamp is represented as a JSON string. timestamp MUST be present. - - - - - -Dulaunoy & Iklody Expires November 27, 2020 [Page 13] - -Internet-Draft MISP core format May 2020 - - 2.4.2.9. comment comment is a contextual comment field. 
@@ -762,6 +779,13 @@ Internet-Draft MISP core format May 2020 using a password protected zip archive, with the password being "infected". + + +Dulaunoy & Iklody Expires April 24, 2021 [Page 14] + +Internet-Draft MISP core format October 2020 + + data is represented by a JSON string in base64 encoding. data MUST be set for attributes of type malware-sample and attachment. @@ -776,16 +800,6 @@ Internet-Draft MISP core format May 2020 RelatedAttribute MAY be present. - - - - - -Dulaunoy & Iklody Expires November 27, 2020 [Page 14] - -Internet-Draft MISP core format May 2020 - - 2.4.2.14. ShadowAttribute ShadowAttribute is an array of shadow attributes that serve as @@ -821,6 +835,13 @@ Internet-Draft MISP core format May 2020 seen. last_seen is expressed as an ISO 8601 datetime up to the micro- second with time zone support. + + +Dulaunoy & Iklody Expires April 24, 2021 [Page 15] + +Internet-Draft MISP core format October 2020 + + last_seen is represented as a JSON string. last_seen MAY be present. 2.5. ShadowAttribute @@ -835,13 +856,6 @@ Internet-Draft MISP core format May 2020 reference to the creator of the ShadowAttribute as well as a revocation flag. - - -Dulaunoy & Iklody Expires November 27, 2020 [Page 15] - -Internet-Draft MISP core format May 2020 - - 2.5.1. Sample Attribute Object "ShadowAttribute": { @@ -876,6 +890,14 @@ Internet-Draft MISP core format May 2020 the same event. UUID version 4 is RECOMMENDED when assigning it to a new event. + + + +Dulaunoy & Iklody Expires April 24, 2021 [Page 16] + +Internet-Draft MISP core format October 2020 + + uuid is represented as a JSON string. uuid MUST be present. 2.5.2.2. id 
@@ -891,13 +913,6 @@ Internet-Draft MISP core format May 2020 describe the intent of the attribute creator, using a list of pre- defined attribute types. - - -Dulaunoy & Iklody Expires November 27, 2020 [Page 16] - -Internet-Draft MISP core format May 2020 - - type is represented as a JSON string. type MUST be present and it MUST be a valid selection for the chosen category. The list of valid category-type combinations is as follows: 
@@ -907,35 +922,49 @@ Internet-Draft MISP core format May 2020 Artifacts dropped md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, - ssdeep, imphash, impfuzzy, authentihash, cdhash, filename, - filename|md5, filename|sha1, filename|sha224, filename|sha256, - filename|sha384, filename|sha512, filename|sha512/224, - filename|sha512/256, filename|authentihash, filename|ssdeep, - filename|tlsh, filename|imphash, filename|impfuzzy, - filename|pehash, regkey, regkey|value, pattern-in-file, pattern- - in-memory, pdb, stix2-pattern, yara, sigma, attachment, malware- - sample, named pipe, mutex, windows-scheduled-task, windows- - service-name, windows-service-displayname, comment, text, hex, - x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint- - sha256, other, cookie, gene, kusto-query, mime-type, anonymised + sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, + impfuzzy, authentihash, vhash, cdhash, filename, filename|md5, + filename|sha1, filename|sha224, filename|sha256, filename|sha384, + filename|sha512, filename|sha512/224, filename|sha512/256, + filename|sha3-224, filename|sha3-256, filename|sha3-384, + filename|sha3-512, filename|authentihash, filename|vhash, + filename|ssdeep, filename|tlsh, filename|imphash, + filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern- + in-file, pattern-in-memory, filename-pattern, pdb, stix2-pattern, + yara, sigma, attachment, malware-sample, named pipe, mutex, + windows-scheduled-task, windows-service-name, windows-service- + displayname, comment, text, hex, x509-fingerprint-sha1, x509- + fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene, + kusto-query, mime-type, anonymised, pgp-public-key, pgp-private- + key Attribution threat-actor, campaign-name, campaign-id, whois-registrant-phone, whois-registrant-email, whois-registrant-name, whois-registrant- org, whois-registrar, whois-creation-date, comment, text, x509- fingerprint-sha1, x509-fingerprint-md5, 
x509-fingerprint-sha256, - other, dns-soa-email, anonymised + other, dns-soa-email, anonymised, email External analysis - md5, sha1, sha256, filename, filename|md5, filename|sha1, - filename|sha256, ip-src, ip-dst, ip-dst|port, ip-src|port, mac- + + + +Dulaunoy & Iklody Expires April 24, 2021 [Page 17] + +Internet-Draft MISP core format October 2020 + + + md5, sha1, sha256, sha3-224, sha3-256, sha3-384, sha3-512, + filename, filename|md5, filename|sha1, filename|sha256, + filename|sha3-224, filename|sha3-256, filename|sha3-384, + filename|sha3-512, ip-src, ip-dst, ip-dst|port, ip-src|port, mac- address, mac-eui-64, hostname, domain, domain|ip, url, user-agent, regkey, regkey|value, AS, snort, bro, zeek, pattern-in-file, - pattern-in-traffic, pattern-in-memory, vulnerability, weakness, - attachment, malware-sample, link, comment, text, x509-fingerprint- - sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3- - fingerprint-md5, hassh-md5, hasshserver-md5, github-repository, - other, cortex, anonymised, community-id + pattern-in-traffic, pattern-in-memory, filename-pattern, + vulnerability, cpe, weakness, attachment, malware-sample, link, + comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509- + fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver- + md5, github-repository, other, cortex, anonymised, community-id Financial fraud btc, dash, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc- 
@@ -945,71 +974,68 @@ Internet-Draft MISP core format May 2020 text, link, comment, other, hex, anonymised, git-commit-id Network activity - - - - -Dulaunoy & Iklody Expires November 27, 2020 [Page 17] - -Internet-Draft MISP core format May 2020 - - ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, - domain|ip, mac-address, mac-eui-64, email-dst, email-src, eppn, - url, uri, user-agent, http-method, AS, snort, pattern-in-file, - stix2-pattern, pattern-in-traffic, attachment, comment, text, - x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint- - sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, - hex, cookie, hostname|port, bro, zeek, anonymised, community-id, - email-subject + domain|ip, mac-address, mac-eui-64, email, email-dst, email-src, + eppn, url, uri, user-agent, http-method, AS, snort, pattern-in- + file, filename-pattern, stix2-pattern, pattern-in-traffic, + attachment, comment, text, x509-fingerprint-md5, x509-fingerprint- + sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, + hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, + anonymised, community-id, email-subject Other comment, text, other, size-in-bytes, counter, datetime, cpe, port, - float, hex, phone-number, boolean, anonymised + float, hex, phone-number, boolean, anonymised, pgp-public-key, + pgp-private-key Payload delivery md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, - ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash, - filename, filename|md5, filename|sha1, filename|sha224, - filename|sha256, filename|sha384, filename|sha512, - filename|sha512/224, filename|sha512/256, filename|authentihash, - filename|ssdeep, filename|tlsh, filename|imphash, + sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, + impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, + filename|md5, filename|sha1, filename|sha224, filename|sha256, + filename|sha384, filename|sha512, filename|sha512/224, 
+ filename|sha512/256, filename|sha3-224, filename|sha3-256, + filename|sha3-384, filename|sha3-512, filename|authentihash, + filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip- - src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email- - src, email-dst, email-subject, email-attachment, email-body, url, - user-agent, AS, pattern-in-file, pattern-in-traffic, - stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, - link, malware-type, comment, text, hex, vulnerability, weakness, - x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint- - sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, - hostname|port, email-dst-display-name, email-src-display-name, - email-header, email-reply-to, email-x-mailer, email-mime-boundary, - email-thread-index, email-message-id, mobile-application-id, - chrome-extension-id, whois-registrant-email, anonymised + src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, + email-src, email-dst, email-subject, email-attachment, email-body, + url, user-agent, AS, pattern-in-file, pattern-in-traffic, + filename-pattern, stix2-pattern, yara, sigma, mime-type, + + + +Dulaunoy & Iklody Expires April 24, 2021 [Page 18] + +Internet-Draft MISP core format October 2020 + + + attachment, malware-sample, link, malware-type, comment, text, + hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509- + fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, + hassh-md5, hasshserver-md5, other, hostname|port, email-dst- + display-name, email-src-display-name, email-header, email-reply- + to, email-x-mailer, email-mime-boundary, email-thread-index, + email-message-id, mobile-application-id, chrome-extension-id, + whois-registrant-email, anonymised Payload installation md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, - ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash, - filename, 
filename|md5, filename|sha1, filename|sha224, - filename|sha256, filename|sha384, filename|sha512, - filename|sha512/224, filename|sha512/256, filename|authentihash, - filename|ssdeep, filename|tlsh, filename|imphash, + sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, + impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, + filename|md5, filename|sha1, filename|sha224, filename|sha256, + filename|sha384, filename|sha512, filename|sha512/224, + filename|sha512/256, filename|sha3-224, filename|sha3-256, + filename|sha3-384, filename|sha3-512, filename|authentihash, + filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in- - traffic, pattern-in-memory, stix2-pattern, yara, sigma, - vulnerability, weakness, attachment, malware-sample, malware-type, - comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, - x509-fingerprint-sha256, mobile-application-id, chrome-extension- - id, other, mime-type, anonymised + traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, + sigma, vulnerability, cpe, weakness, attachment, malware-sample, + malware-type, comment, text, hex, x509-fingerprint-sha1, x509- + fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, + chrome-extension-id, other, mime-type, anonymised Payload type - - - -Dulaunoy & Iklody Expires November 27, 2020 [Page 18] - -Internet-Draft MISP core format May 2020 - - comment, text, other, anonymised Persistence mechanism 
@@ -1025,12 +1051,20 @@ Internet-Draft MISP core format May 2020 port-of-original-embarkation, place-port-of-clearance, place-port- of-onward-foreign-destination, passenger-name-record-locator- number, comment, text, other, phone-number, identity-card-number, - anonymised + anonymised, email, pgp-public-key, pgp-private-key Social network github-username, github-repository, github-organisation, jabber- - id, twitter-id, email-src, email-dst, eppn, comment, text, other, - whois-registrant-email, anonymised + id, twitter-id, email, email-src, email-dst, eppn, comment, text, + other, whois-registrant-email, anonymised, pgp-public-key, pgp- + private-key + + + +Dulaunoy & Iklody Expires April 24, 2021 [Page 19] + +Internet-Draft MISP core format October 2020 + Support Tool link, text, attachment, comment, other, hex, anonymised @@ -1058,14 +1092,6 @@ Internet-Draft MISP core format May 2020 to_ids represents whether the Attribute to be created if the ShadowAttribute is accepted is meant to be actionable. Actionable defined attributes that can be used in automated processes as a - - - -Dulaunoy & Iklody Expires November 27, 2020 [Page 19] - -Internet-Draft MISP core format May 2020 - - pattern for detection in Local or Network Intrusion Detection System, log analysis tools or even filtering mechanisms. @@ -1087,6 +1113,15 @@ Internet-Draft MISP core format May 2020 Attribute object that the ShadowAttribute belongs to. A ShadowAttribute can this way target an existing Attribute, implying that it is a proposal to modify an existing Attribute, or + + + + +Dulaunoy & Iklody Expires April 24, 2021 [Page 20] + +Internet-Draft MISP core format October 2020 + + alternatively it can be a proposal to create a new Attribute for the containing Event. 
@@ -1111,17 +1146,6 @@ Internet-Draft MISP core format May 2020 comment is represented by a JSON string. comment MAY be present. - - - - - - -Dulaunoy & Iklody Expires November 27, 2020 [Page 20] - -Internet-Draft MISP core format May 2020 - - 2.5.2.10. org_id org_id represents a human-readable identifier referencing the @@ -1146,6 +1170,14 @@ Internet-Draft MISP core format May 2020 proposal_to_delete is a JSON boolean and it MUST be present. If proposal_to_delete is set to true, old_id MUST NOT be 0. + + + +Dulaunoy & Iklody Expires April 24, 2021 [Page 21] + +Internet-Draft MISP core format October 2020 + + 2.5.2.12. deleted deleted represents a setting that allows shadow attributes to be @@ -1170,14 +1202,6 @@ Internet-Draft MISP core format May 2020 seen. first_seen as an ISO 8601 datetime up to the micro-second with time zone support. - - - -Dulaunoy & Iklody Expires November 27, 2020 [Page 21] - -Internet-Draft MISP core format May 2020 - - first_seen is represented as a JSON string. first_seen MAY be present. @@ -1202,6 +1226,14 @@ Internet-Draft MISP core format May 2020 instance and used as reference in the event. A human-readable identifier MUST be represented as an unsigned integer. + + + +Dulaunoy & Iklody Expires April 24, 2021 [Page 22] + +Internet-Draft MISP core format October 2020 + + uuid, name and id are represented as a JSON string. uuid, name and id MUST be present. @@ -1226,14 +1258,6 @@ Internet-Draft MISP core format May 2020 within an event. Their main purpose is to describe more complex structures than can be described by a single attribute Each object is created using an Object Template and carries the meta-data of the - - - -Dulaunoy & Iklody Expires November 27, 2020 [Page 22] - -Internet-Draft MISP core format May 2020 - - template used for its creation within. Objects belong to a meta- category and are defined by a name. 
@@ -1261,33 +1285,9 @@ Internet-Draft MISP core format May 2020 - - - - - - - - - - - - - - - - - - - - - - - - -Dulaunoy & Iklody Expires November 27, 2020 [Page 23] +Dulaunoy & Iklody Expires April 24, 2021 [Page 23] -Internet-Draft MISP core format May 2020 +Internet-Draft MISP core format October 2020 "Object": { @@ -1341,9 +1341,9 @@ Internet-Draft MISP core format May 2020 -Dulaunoy & Iklody Expires November 27, 2020 [Page 24] +Dulaunoy & Iklody Expires April 24, 2021 [Page 24] -Internet-Draft MISP core format May 2020 +Internet-Draft MISP core format October 2020 2.6.2.1. uuid @@ -1397,9 +1397,9 @@ Internet-Draft MISP core format May 2020 -Dulaunoy & Iklody Expires November 27, 2020 [Page 25] +Dulaunoy & Iklody Expires April 24, 2021 [Page 25] -Internet-Draft MISP core format May 2020 +Internet-Draft MISP core format October 2020 2.6.2.7. template_version @@ -1453,9 +1453,9 @@ Internet-Draft MISP core format May 2020 -Dulaunoy & Iklody Expires November 27, 2020 [Page 26] +Dulaunoy & Iklody Expires April 24, 2021 [Page 26] -Internet-Draft MISP core format May 2020 +Internet-Draft MISP core format October 2020 Sharing Group @@ -1509,9 +1509,9 @@ Internet-Draft MISP core format May 2020 -Dulaunoy & Iklody Expires November 27, 2020 [Page 27] +Dulaunoy & Iklody Expires April 24, 2021 [Page 27] -Internet-Draft MISP core format May 2020 +Internet-Draft MISP core format October 2020 2.6.2.16. last_seen @@ -1565,9 +1565,9 @@ Internet-Draft MISP core format May 2020 -Dulaunoy & Iklody Expires November 27, 2020 [Page 28] +Dulaunoy & Iklody Expires April 24, 2021 [Page 28] -Internet-Draft MISP core format May 2020 +Internet-Draft MISP core format October 2020 2.7.2.2. id @@ -1621,9 +1621,9 @@ Internet-Draft MISP core format May 2020 -Dulaunoy & Iklody Expires November 27, 2020 [Page 29] +Dulaunoy & Iklody Expires April 24, 2021 [Page 29] -Internet-Draft MISP core format May 2020 +Internet-Draft MISP core format October 2020 2.7.2.8. relationship_type 
@@ -1663,7 +1663,146 @@ Internet-Draft MISP core format May 2020 object reference. The referenced_uuid MUST be preserved to preserve the object reference's association with the object or attribute. -2.8. Tag +2.8. EventReport + + EventReport are used to complement an event with one or more report + in Markdown format. The EventReport contains unstructured + information which can be linked to Attributes, Objects, Tags or + Galaxy with an extension to the Markdown marking language. + + + + + + + + +Dulaunoy & Iklody Expires April 24, 2021 [Page 30] + +Internet-Draft MISP core format October 2020 + + +2.8.1. id + + id represents the human-readable identifier associated to the + EventReport for a specific MISP instance. A human-readable + identifier MUST be represented as an unsigned integer. + + id is represented as a JSON string. id SHALL be present. + +2.8.2. UUID + + uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of + the EventReport. The uuid MUST be preserved for any updates or + transfer of the same EventReport. UUID version 4 is RECOMMENDED when + assigning it to a new EventReport. + + uuid is represented as a JSON string. uuid MUST be present. + +2.8.3. event_id + + event_id represents the human-readable identifier associating the + EventReport to an event on a specific MISP instance. A human- + readable identifier MUST be represented as an unsigned integer. + + event_id is represented as a JSON string. event_id MUST be present. + +2.8.4. name + + name represents the information field of the EventReport. name is a + free-text value to provide a human-readable summary of the report. + name SHOULD NOT be bigger than 256 characters and SHOULD NOT include + new-lines. + + name is represented as a JSON string. name MUST be present. + +2.8.5. content + + content includes the raw EventReport in Markdown format with or + without the specific MISP Markdown markup extension. 
+ + The markdown extension for MISP is composed with a symbol as prefix + then between square bracket the scope (attribute, object, tag or + galaxymatrix) followed by the UUID in parenthesis. + + content is represented as a JSON string. content MUST be present. + + + + + + + +Dulaunoy & Iklody Expires April 24, 2021 [Page 31] + +Internet-Draft MISP core format October 2020 + + +2.8.6. distribution + + distribution represents the basic distribution rules of the + EventReport. The system must adhere to the distribution setting for + access control and for dissemination of the EventReport. + + distribution is represented by a JSON string. distribution MUST be + present and be one of the following options: + + 0 + Your Organisation Only + + 1 + This Community Only + + 2 + Connected Communities + + 3 + All Communities + + 4 + Sharing Group + + 5 + Inherit Event + +2.8.7. sharing_group_id + + sharing_group_id represents the local id to the MISP local instance + of the Sharing Group associated for the distribution. + + sharing_group_id is represented by a JSON string. sharing_group_id + MUST be present and set to "0" if not used. + +2.8.8. timestamp + + timestamp represents a reference time when the EventReport was + created or last modified. timestamp is expressed in seconds (decimal) + since 1st of January 1970 (Unix timestamp). The time zone MUST be + UTC. + + timestamp is represented as a JSON string. timestamp MUST be present. + + + + + + + + +Dulaunoy & Iklody Expires April 24, 2021 [Page 32] + +Internet-Draft MISP core format October 2020 + + +2.8.9. deleted + + deleted represents a setting that allows EventReport to be revoked. + Revoked EventReport are not actionable and exist merely to inform + other instances of a revocation. + + deleted is represented by a JSON boolean. deleted MUST be present. + +2.9. Tag A tag is a simple method to classify an event with a simple string. The tag name can be freely chosen. The tag name can be also chosen 
@@ -1675,13 +1814,6 @@ Internet-Draft MISP core format May 2020 or attribute level. A tag element is described with a name, id, colour and exportable flag. - - -Dulaunoy & Iklody Expires November 27, 2020 [Page 30] - -Internet-Draft MISP core format May 2020 - - exportable represents a setting if the tag is kept local or exportable to other MISP instances. exportable is represented by a JSON boolean. id is a human-readable identifier that references the @@ -1689,7 +1821,7 @@ Internet-Draft MISP core format May 2020 name MUST be present. colour, id and exportable SHALL be present. -2.8.1. Sample Tag +2.9.1. Sample Tag "Tag": [{ "exportable": true, @@ -1697,7 +1829,7 @@ Internet-Draft MISP core format May 2020 "name": "tlp:white", "id": "2" }] -2.9. Sighting +2.10. Sighting A sighting is an ascertainment which describes whether an attribute has been seen under a given set of conditions. The sighting can @@ -1709,6 +1841,15 @@ Internet-Draft MISP core format May 2020 type MUST be present. type describes the type of a sighting. MISP allows 3 default types: + + + + +Dulaunoy & Iklody Expires April 24, 2021 [Page 33] + +Internet-Draft MISP core format October 2020 + + +------------+------------------------------------------------------+ | Sighting | Description | | type | | @@ -1730,14 +1871,6 @@ Internet-Draft MISP core format May 2020 source MAY be present. source is represented as a JSON string and represents the human-readable version of the sighting source, which - - - -Dulaunoy & Iklody Expires November 27, 2020 [Page 31] - -Internet-Draft MISP core format May 2020 - - can be a given piece of software (e.g. SIEM), device or a specific analytical process. @@ -1760,7 +1893,7 @@ Internet-Draft MISP core format May 2020 A human-readable identifier MUST be represented as an unsigned integer. -2.9.1. Sample Sighting +2.10.1. Sample Sighting 
@@ -1768,30 +1901,9 @@ Internet-Draft MISP core format May 2020 - - - - - - - - - - - - - - - - - - - - - -Dulaunoy & Iklody Expires November 27, 2020 [Page 32] +Dulaunoy & Iklody Expires April 24, 2021 [Page 34] -Internet-Draft MISP core format May 2020 +Internet-Draft MISP core format October 2020 "Sighting": [ @@ -1827,13 +1939,13 @@ Internet-Draft MISP core format May 2020 } ] -2.10. Galaxy +2.11. Galaxy A galaxy is a simple method to express a large object called cluster that can be attached to MISP events. A cluster can be composed of one or more elements. Elements are expressed as key-values. -2.10.1. Sample Galaxy +2.11.1. Sample Galaxy @@ -1845,9 +1957,9 @@ Internet-Draft MISP core format May 2020 -Dulaunoy & Iklody Expires November 27, 2020 [Page 33] +Dulaunoy & Iklody Expires April 24, 2021 [Page 35] -Internet-Draft MISP core format May 2020 +Internet-Draft MISP core format October 2020 "Galaxy": [ { @@ -1901,9 +2013,9 @@ Internet-Draft MISP core format May 2020 -Dulaunoy & Iklody Expires November 27, 2020 [Page 34] +Dulaunoy & Iklody Expires April 24, 2021 [Page 36] -Internet-Draft MISP core format May 2020 +Internet-Draft MISP core format October 2020 3. JSON Schema @@ -1957,9 +2069,9 @@ Internet-Draft MISP core format May 2020 -Dulaunoy & Iklody Expires November 27, 2020 [Page 35] +Dulaunoy & Iklody Expires April 24, 2021 [Page 37] -Internet-Draft MISP core format May 2020 +Internet-Draft MISP core format October 2020 "type": "object", @@ -2013,9 +2125,9 @@ Internet-Draft MISP core format May 2020 -Dulaunoy & Iklody Expires November 27, 2020 [Page 36] +Dulaunoy & Iklody Expires April 24, 2021 [Page 38] -Internet-Draft MISP core format May 2020 +Internet-Draft MISP core format October 2020 "items": { 
@@ -2069,9 +2181,9 @@ Internet-Draft MISP core format May 2020 -Dulaunoy & Iklody Expires November 27, 2020 [Page 37] +Dulaunoy & Iklody Expires April 24, 2021 [Page 39] -Internet-Draft MISP core format May 2020 +Internet-Draft MISP core format October 2020 "type": "string" @@ -2125,9 +2237,9 @@ Internet-Draft MISP core format May 2020 -Dulaunoy & Iklody Expires November 27, 2020 [Page 38] +Dulaunoy & Iklody Expires April 24, 2021 [Page 40] -Internet-Draft MISP core format May 2020 +Internet-Draft MISP core format October 2020 "type": "string" @@ -2181,9 +2293,9 @@ Internet-Draft MISP core format May 2020 -Dulaunoy & Iklody Expires November 27, 2020 [Page 39] +Dulaunoy & Iklody Expires April 24, 2021 [Page 41] -Internet-Draft MISP core format May 2020 +Internet-Draft MISP core format October 2020 "properties": { @@ -2237,9 +2349,9 @@ Internet-Draft MISP core format May 2020 -Dulaunoy & Iklody Expires November 27, 2020 [Page 40] +Dulaunoy & Iklody Expires April 24, 2021 [Page 42] -Internet-Draft MISP core format May 2020 +Internet-Draft MISP core format October 2020 "properties": { @@ -2293,9 +2405,9 @@ Internet-Draft MISP core format May 2020 -Dulaunoy & Iklody Expires November 27, 2020 [Page 41] +Dulaunoy & Iklody Expires April 24, 2021 [Page 43] -Internet-Draft MISP core format May 2020 +Internet-Draft MISP core format October 2020 "properties": { @@ -2349,9 +2461,9 @@ Internet-Draft MISP core format May 2020 -Dulaunoy & Iklody Expires November 27, 2020 [Page 42] +Dulaunoy & Iklody Expires April 24, 2021 [Page 44] -Internet-Draft MISP core format May 2020 +Internet-Draft MISP core format October 2020 }, @@ -2405,9 +2517,9 @@ Internet-Draft MISP core format May 2020 -Dulaunoy & Iklody Expires November 27, 2020 [Page 43] +Dulaunoy & Iklody Expires April 24, 2021 [Page 45] -Internet-Draft MISP core format May 2020 +Internet-Draft MISP core format October 2020 }, 
@@ -2461,9 +2573,9 @@ Internet-Draft MISP core format May 2020 -Dulaunoy & Iklody Expires November 27, 2020 [Page 44] +Dulaunoy & Iklody Expires April 24, 2021 [Page 46] -Internet-Draft MISP core format May 2020 +Internet-Draft MISP core format October 2020 "type": "string" @@ -2517,9 +2629,9 @@ Internet-Draft MISP core format May 2020 -Dulaunoy & Iklody Expires November 27, 2020 [Page 45] +Dulaunoy & Iklody Expires April 24, 2021 [Page 47] -Internet-Draft MISP core format May 2020 +Internet-Draft MISP core format October 2020 "uniqueItems": true, @@ -2573,9 +2685,9 @@ Internet-Draft MISP core format May 2020 -Dulaunoy & Iklody Expires November 27, 2020 [Page 46] +Dulaunoy & Iklody Expires April 24, 2021 [Page 48] -Internet-Draft MISP core format May 2020 +Internet-Draft MISP core format October 2020 "type": "boolean" @@ -2629,9 +2741,9 @@ Internet-Draft MISP core format May 2020 -Dulaunoy & Iklody Expires November 27, 2020 [Page 47] +Dulaunoy & Iklody Expires April 24, 2021 [Page 49] -Internet-Draft MISP core format May 2020 +Internet-Draft MISP core format October 2020 "type": "object", @@ -2685,9 +2797,9 @@ Internet-Draft MISP core format May 2020 -Dulaunoy & Iklody Expires November 27, 2020 [Page 48] +Dulaunoy & Iklody Expires April 24, 2021 [Page 50] -Internet-Draft MISP core format May 2020 +Internet-Draft MISP core format October 2020 "Event": { @@ -2741,9 +2853,9 @@ Internet-Draft MISP core format May 2020 -Dulaunoy & Iklody Expires November 27, 2020 [Page 49] +Dulaunoy & Iklody Expires April 24, 2021 [Page 51] -Internet-Draft MISP core format May 2020 +Internet-Draft MISP core format October 2020 o integrity:pgp represents a detached PGP signature [RFC4880] of the 
@@ -2797,9 +2909,9 @@ Internet-Draft MISP core format May 2020 -Dulaunoy & Iklody Expires November 27, 2020 [Page 50] +Dulaunoy & Iklody Expires April 24, 2021 [Page 52] -Internet-Draft MISP core format May 2020 +Internet-Draft MISP core format October 2020 "name": "circl:incident-classification=\"malware\"" @@ -2853,9 +2965,9 @@ Internet-Draft MISP core format May 2020 -Dulaunoy & Iklody Expires November 27, 2020 [Page 51] +Dulaunoy & Iklody Expires April 24, 2021 [Page 53] -Internet-Draft MISP core format May 2020 +Internet-Draft MISP core format October 2020 9.1. Normative References @@ -2909,9 +3021,9 @@ Authors' Addresses -Dulaunoy & Iklody Expires November 27, 2020 [Page 52] +Dulaunoy & Iklody Expires April 24, 2021 [Page 54] -Internet-Draft MISP core format May 2020 +Internet-Draft MISP core format October 2020 Alexandre Dulaunoy @@ -2965,4 +3077,4 @@ Internet-Draft MISP core format May 2020 -Dulaunoy & Iklody Expires November 27, 2020 [Page 53] +Dulaunoy & Iklody Expires April 24, 2021 [Page 55]
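Review bot: the `pgp-private-key` type added to the Person, Social network, Other and Artifacts dropped category lists (hunks at -627 and -1025, and again in the ShadowAttribute lists at -907 and -945) introduces an attribute whose value is secret key material, yet the draft adds no handling guidance for it. Suggest one sentence next to the type lists stating that attributes of this type SHOULD carry a restrictive distribution (0 or a Sharing Group) and SHOULD NOT be exported to other instances by default; as written, a private key pasted as an attribute synchronises like any other indicator.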
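Review bot: in the new section 2.8 (hunk at -1663), 2.8.1 ends with "id SHALL be present" while the sibling fields and the id of every other object use MUST, and 2.8.2 is titled "UUID" although the field and all other headings (e.g. "2.6.2.1. uuid") are lowercase; suggest "id MUST be present" and "2.8.2. uuid". Grammar in the same hunk: "EventReport are used to complement an event with one or more report" should read "EventReports are used to complement an event with one or more reports", "Galaxy" should be "Galaxies", and 2.8.9 "allows EventReport to be revoked. Revoked EventReport are" needs the plural.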
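Review bot: 2.8.5 (hunk at -1663) describes the MISP Markdown extension as "a symbol as prefix then between square bracket the scope (attribute, object, tag or galaxymatrix) followed by the UUID in parenthesis" but never states which symbol, so an implementer cannot parse or emit the markup from this text. Suggest spelling out the literal prefix with one example reference, listing the valid scope keywords normatively, and saying how a reference to an unknown scope or a UUID not present in the event MUST be rendered. Since `content` is raw Markdown that receiving instances will render, the section should also state whether inline HTML in `content` is allowed or MUST be escaped on rendering.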
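Review bot: 2.8.7 (hunk at -1663) requires sharing_group_id to be "0" if not used but nothing ties it to 2.8.6: add that when distribution is 4 (Sharing Group) sharing_group_id MUST NOT be "0", mirroring the "old_id MUST NOT be 0" constraint in 2.5.2.11, and say what sharing_group_id holds when distribution is 5 (Inherit Event). 2.8.6 also uses lowercase "must adhere" where the rest of the draft uses RFC 2119 capitals.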
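Review bot: the hunks inside section 3 (JSON Schema, from -1901 through -2797) change only the page header and footer lines, so the new EventReport object defined in 2.8 is absent from the schema, and if the schema enumerates attribute types the additions in this change (sha3-224/256/384/512 and their filename| forms, telfhash, vhash, filename-pattern, email, pgp-public-key, pgp-private-key, cpe in the payload categories) are missing too. A validator built from section 3 would then reject documents that follow the prose; update the schema in the same revision or state explicitly that it lags the prose.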