diff --git a/rfc/misp-standard-core.html b/rfc/misp-standard-core.html index 2e7ef11..b02183e 100644 --- a/rfc/misp-standard-core.html +++ b/rfc/misp-standard-core.html @@ -14,26 +14,24 @@ The JSON format includes the overall structure along with the semantic associate respective key. The format is described to support other implementations which reuse the format and ensuring an interoperability with existing MISP software and other Threat Intelligence Platforms. " name="description"> - + @@ -45,7 +43,7 @@ format and ensuring an interoperability with existing MISP software and other this can be consolidated so that style settings occur only in one place, but for now the contents of this file consists first of the initial CSS work as provided to the RFC Formatter (xml2rfc) work, followed by itemized and - commented changes found necssary during the development of the v3 + commented changes found necessary during the development of the v3 formatters. */ @@ -55,9 +53,14 @@ format and ensuring an interoperability with existing MISP software and other @import url('https://fonts.googleapis.com/css?family=Noto+Serif'); /* Serif (print) */ @import url('https://fonts.googleapis.com/css?family=Roboto+Mono'); /* Monospace */ +:root { + --font-sans: 'Noto Sans', Arial, Helvetica, sans-serif; + --font-serif: 'Noto Serif', 'Times', 'Times New Roman', serif; + --font-mono: 'Roboto Mono', Courier, 'Courier New', monospace; +} + @viewport { zoom: 1.0; - width: extend-to-zoom; } @-ms-viewport { width: extend-to-zoom; @@ -72,9 +75,10 @@ body { color: #222; background-color: #fff; font-size: 14px; - font-family: 'Noto Sans', Arial, Helvetica, sans-serif; + font-family: var(--font-sans); line-height: 1.6; scroll-behavior: smooth; + overflow-wrap: break-word; } .ears { display: none; @@ -161,6 +165,15 @@ div { svg { display: block; } +svg[font-family~="serif" i], svg [font-family~="serif" i] { + font-family: var(--font-serif); +} +svg[font-family~="sans-serif" i], svg [font-family~="sans-serif" i] { + font-family: var(--font-sans); +} +svg[font-family~="monospace" i], svg [font-family~="monospace" i] { + font-family: var(--font-mono); +} .alignCenter.art-text { background-color: #f9f9f9; border: 1px solid #eee; @@ -175,11 +188,8 @@ svg { margin: 1em 0; } .alignCenter > *:first-child { - border: none; - /* this isn't optimal, but it's an existence proof. PrinceXML doesn't - support flexbox yet. - */ display: table; + border: none; margin: 0 auto; } @@ -257,9 +267,9 @@ a.selfRef:hover { } */ /* Figures */ -tt, code, pre, code { +tt, code, pre { background-color: #f9f9f9; - font-family: 'Roboto Mono', monospace; + font-family: var(--font-mono); } pre { border: 1px solid #eee; @@ -299,11 +309,17 @@ blockquote { border-radius: 3px; margin: 1em 0; } +blockquote > *:last-child { + margin-bottom: 0; +} cite { display: block; text-align: right; font-style: italic; } +.xref { + overflow-wrap: normal; +} /* tables */ table { @@ -448,6 +464,10 @@ nav.toc li { margin-bottom: 1.25em; } +.refSubseries { + margin-bottom: 1.25em; +} + .references .ascii { margin-bottom: 0.25em; } @@ -496,7 +516,7 @@ address.vcard .nameRole { margin-left: 0; } address.vcard .label { - font-family: "Noto Sans",Arial,Helvetica,sans-serif; + font-family: var(--font-sans); margin: 0.5em 0; } address.vcard .type { @@ -636,7 +656,6 @@ hr.addr { /* pagination */ @media print { body { - width: 100%; } p { @@ -659,6 +678,9 @@ hr.addr { figure { overflow: scroll; } + .breakable pre { + break-inside: auto; + } h1, h2, h3, h4, h5, h6 { page-break-after: avoid; } @@ -726,7 +748,7 @@ hr.addr { size: A4; margin-bottom: 45mm; padding-top: 20px; - /* The follwing is commented out here, but set appropriately by in code, as + /* The following is commented out here, but set appropriately by in code, as the content depends on the document */ /* @top-left { @@ -826,12 +848,12 @@ section { } /* prevent monospace from becoming overly large */ -tt, code, pre, code { +tt, code, pre { font-size: 95%; } /* Fix the height/width aspect for ascii art*/ -pre.sourcecode, +.sourcecode pre, .art-text pre { line-height: 1.12; } @@ -867,7 +889,7 @@ table th.text-right { text-align: right; } -/* Make the alternative author contact informatio look less like just another +/* Make the alternative author contact information look less like just another author, and group it closer with the primary author contact information */ .alternative-contact { margin: 0.5em 0 0.25em 0; @@ -1049,6 +1071,7 @@ aside > p { /* Sourcecode margin in print, when there's no pilcrow */ @media print { .artwork, + .artwork > pre, .sourcecode { margin-bottom: 1em; } @@ -1063,13 +1086,16 @@ ol.type-A { list-style-type: upper-alpha; } ol.type-i { list-style-type: lower-roman; } ol.type-I { list-style-type: lower-roman; } /* Apply the print table and row borders in general, on request from the RPC, -and increase the contrast between border and odd row background sligthtly */ +and increase the contrast between border and odd row background slightly */ table { border: 1px solid #ddd; } td { border-top: 1px solid #ddd; } +tr { + break-inside: avoid; +} tr:nth-child(2n+1) > td { background-color: #f8f8f8; } @@ -1120,7 +1146,7 @@ span.break, dd.break { break-before: auto; } } -/* Text in compact lists should not get extra bottim margin space, +/* Text in compact lists should not get extra bottom margin space, since that would makes the list not compact */ ul.compact p, .ulCompact p, ol.compact p, .olCompact p { @@ -1145,7 +1171,7 @@ p tt, p code, li tt, li code { pre { margin-top: 0.5px; } -/* Tweak the comact list text */ +/* Tweak the compact list text */ ul.compact, .ulCompact, ol.compact, .olCompact, dl.compact, .dlCompact { @@ -1163,7 +1189,7 @@ dd > div.artwork:first-child, dd > aside:first-child, dd > figure:first-child, dd > ol:first-child, -dd > div:first-child > pre.sourcecode, +dd > div.sourcecode:first-child, dd > table:first-child, dd > ul:first-child { clear: left; @@ -1177,24 +1203,24 @@ li > p { margin-bottom: 0.5em } /* Don't let p margin spill out from inside list items */ -li > p:last-of-type { +li > p:last-of-type:only-child { margin-bottom: 0; } -
+Internet-Draft | MISP core format | -December 2023 | +June 2024 |
Dulaunoy & Iklody | -Expires 26 June 2024 | +Expires 31 December 2024 | [Page] |
uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the event. The uuid MUST be preserved +
uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the event. The uuid MUST be preserved for any updates or transfer of the same event. UUID version 4 is RECOMMENDED when assigning it to a new event.¶
uuid is represented as a JSON string. uuid MUST be present.¶
@@ -2086,6 +2133,7 @@ which can be accepted or discarded by the event creator. If accepted, the origin "first_seen": "2019-06-02T22:14:28.711954+00:00", "last_seen": null } + ¶ @@ -2100,7 +2148,7 @@ which can be accepted or discarded by the event creator. If accepted, the originuuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the event. The uuid MUST be preserved +
uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the event. The uuid MUST be preserved for any updates or transfer of the same event. UUID version 4 is RECOMMENDED when assigning it to a new event.¶
uuid is represented as a JSON string. uuid MUST be present.¶
@@ -2325,7 +2373,7 @@ the sample MUST be encrypted using a password protect 2.4.3.1. OrgAn Org object is composed of an uuid, name and id.¶
-The uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the organization. +
The uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the organization. The organization UUID is globally assigned to an organization and SHALL be kept overtime.¶
The name is a readable description of the organization and SHOULD be present. The id is a human-readable identifier generated by the instance and used as reference in the event. @@ -2342,6 +2390,7 @@ A human-readable identifier MUST be represented as an "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" } + ¶ @@ -2408,6 +2457,7 @@ Each object is created using an Object Template and carries the meta-data of the "last_seen": null ] } + ¶ @@ -2423,7 +2473,7 @@ Each object is created using an Object Template and carries the meta-data of the
uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the object. The uuid MUST be preserved +
uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the object. The uuid MUST be preserved for any updates or transfer of the same object. UUID version 4 is RECOMMENDED when assigning it to a new object.¶
@@ -2470,7 +2520,7 @@ tied to a fixed list of options but can be created on the fly. 2.5.2.6. template_uuid -template_uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the template used to create the object. The uuid MUST be preserved +
template_uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the template used to create the object. The uuid MUST be preserved to preserve the object's association with the correct template used for creation. UUID version 4 is RECOMMENDED when assigning it to a new object.¶
template_uuid is represented as a JSON string. template_uuid MUST be present.¶
@@ -2599,7 +2649,7 @@ represented as an unsigned integer. 2.6. Object ReferencesObject References serve as a logical link between an Object and another referenced Object or Attribute. The relationship is categorised by an enumerated value from a fixed vocabulary.¶
-The relationship_type is recommended to be taken from the MISP object relationship list [[MISP-R]] is RECOMMENDED to ensure a coherent naming of the tags¶
+The relationship_type is recommended to be taken from the MISP object relationship list [[MISP-R]] is RECOMMENDED to ensure a coherent naming of the tags¶
All Object References MUST contain an object_uuid, a referenced_uuid and a relationship type.¶
uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the object reference. The uuid MUST be preserved +
uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the object reference. The uuid MUST be preserved for any updates or transfer of the same object reference. UUID version 4 is RECOMMENDED when assigning it to a new object reference.¶
@@ -2727,7 +2778,7 @@ represented as an unsigned integer.object_uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the object that the given object reference belongs to. The object_uuid MUST be preserved +
object_uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the object that the given object reference belongs to. The object_uuid MUST be preserved to preserve the object reference's association with the object.¶
@@ -2736,7 +2787,7 @@ to preserve the object reference's association with the object. 2.6.2.12. referenced_uuid -referenced_uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the object or attribute that is being referenced by the object reference. The referenced_uuid MUST be preserved +
referenced_uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the object or attribute that is being referenced by the object reference. The referenced_uuid MUST be preserved to preserve the object reference's association with the object or attribute.¶
@@ -2766,7 +2817,7 @@ represented as an unsigned integer.¶uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the EventReport. The uuid MUST be preserved for any updates or transfer of the same EventReport. UUID version 4 is RECOMMENDED when assigning it to a new EventReport.¶
+uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the EventReport. The uuid MUST be preserved for any updates or transfer of the same EventReport. UUID version 4 is RECOMMENDED when assigning it to a new EventReport.¶
uuid is represented as a JSON string. uuid MUST be present.¶
@@ -2869,7 +2920,7 @@ of the report. name SHOULD NOT be bigger than 256 chaA tag is a simple method to classify an event with a simple string. The tag name can be freely chosen. The tag name can be also chosen from a fixed machine-tag vocabulary called MISP taxonomies[[MISP-T]]. When an event is distributed outside an organisation, the use of MISP taxonomies[[MISP-T]] is RECOMMENDED to ensure a coherent naming of the tags. A tag is represented as a JSON array where each element describes each tag associated. A tag array SHALL be at event level or attribute level. A tag element is described with a name, id, colour and exportable flag.¶
+A tag is a simple method to classify an event with a simple string. The tag name can be freely chosen. The tag name can be also chosen from a fixed machine-tag vocabulary called MISP taxonomies[[MISP-T]]. When an event is distributed outside an organisation, the use of MISP taxonomies[[MISP-T]] is RECOMMENDED to ensure a coherent naming of the tags. A tag is represented as a JSON array where each element describes each tag associated. A tag array SHALL be at event level or attribute level. A tag element is described with a name, id, colour and exportable flag.¶
exportable represents a setting if the tag is kept local or exportable to other MISP instances. exportable is represented by a JSON boolean. id is a human-readable identifier that references the tag on the local instance. colour represents an RGB value of the tag.¶
name MUST be present. colour, id and exportable SHALL be present.¶
Analyst Data are objects that can take different forms within the MISP format, including objects, attributes, events, or detached formats from the MISP core. They can express an Opinion, Note, or a Relationship from an analyst. These three types define the key components of analyst data and can be applied at various levels within the data structure. Analyst data can also be nested to provide additional complementary analysis on itself.¶
+"Opinion": [ + { + "id": "13", + "uuid": "238b1e74-e378-4bde-a463-cbb8fc496989", + "object_uuid": "ae4396d9-3deb-49c9-b13e-b01f3a0736c3", + "object_type": "Attribute", + "authors": "alexandre.dulaunoy@circl.lu", + "org_uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", + "orgc_uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", + "created": "2024-06-25 04:40:01", + "modified": "2024-06-25 04:40:01", + "distribution": "3", + "sharing_group_id": null, + "opinion": "0", + "comment": "Incorrect selector", + "note_type_name": "Opinion", + "Orgc": { + "id": "2", + "name": "CIRCL", + "date_created": "2016-06-29 08:47:35", + "date_modified": "2017-11-24 12:51:22", + "description": "CIRCL is the CERT (Computer Emergency Response Team/Computer Security Incident Response Team) for the private sector, communes and non-governmental entities in Luxembourg.", + "type": "", + "nationality": "Luxembourg", + "sector": "", + "created_by": "218", + "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", + "contacts": "", + "local": true, + "landingpage": "", + "restricted_to_domain": null + }, + "Org": { + "id": "2", + "name": "CIRCL", + "date_created": "2016-06-29 08:47:35", + "date_modified": "2017-11-24 12:51:22", + "description": "CIRCL is the CERT (Computer Emergency Response Team/Computer Security Incident Response Team) for the private sector, communes and non-governmental entities in Luxembourg.", + "type": "", + "nationality": "Luxembourg", + "sector": "", + "created_by": "218", + "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", + "contacts": "", + "local": true, + "landingpage": "", + "restricted_to_domain": null + } + } + ] + +¶ +
id represents the human-readable identifier associated to the opinion for a specific MISP instance. A human-readable identifier MUST be +represented as an unsigned integer.¶
+id is represented as a JSON string. id SHALL be present.¶
+uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the opinion. The uuid MUST be preserved
+for any updates or transfer of the same Opinion
object. UUID version 4 is RECOMMENDED when assigning it to a new Opinion
.¶
uuid is represented as a JSON string. uuid MUST be present.¶
+object_uuid represents the target UUID element with an opinion.¶
+object_uuid MUST be present.¶
+object_type represents the type of element targeted in object_uuid.¶
+object_type is represented as a JSON string.¶
+org_uuid represents the Universally Unique IDentifier (UUID) [RFC4122] identifier referencing an Org object of the organisation which owns the opinion on a MISP instance.¶
+The org_uuid object MUST be updated for any updates or transfer to another MISP instance.¶
+org_uuid is represented as a JSON string. org_uuid MUST be present.¶
+orgc_uuid represents the Universally Unique IDentifier (UUID) [RFC4122] identifier referencing an Orgc object of the organisation which created the opinion.¶
+The orgc_uuid object MUST be preserved for any updates or transfer of the same opinion.¶
+orgc_uuid is represented as a JSON string. orgc_uuid MUST be present.¶
+created represents a reference time when the element was created. created is expressed as an ISO 8601 datetime up to the micro-second with time zone support.¶
+created is represented as a JSON string. created MAY be present.¶
+modified represents a reference time when the element was modified. modified is expressed as an ISO 8601 datetime up to the micro-second with time zone support.¶
+modified is represented as a JSON string. modified MAY be present.¶
+distribution represents the basic distribution rules of the opinion. The system must adhere to the distribution setting for access control and for dissemination of the opinion.¶
+distribution is represented by a JSON string. distribution SHALL be present and be one of the following options:¶
+ +opinion is a value between 0 to 100 to represent the level of confidence. 50 is an neutral opinion.¶
+opinion is represented as a JSON string. opinion MUST be present.¶
+note_type_name describe the type of the analyst data such as 'Opinion', 'Note' or 'Relationship'.¶
+An opinion is defined as Opinion
.¶
note_type_name is represented as a JSON string. note_type_name MUST be present.¶
+"Note": [ + { + "id": "6", + "uuid": "e4b54bda-1006-43f3-a269-2c271c1aaed0", + "object_uuid": "ac22932c-27dc-415d-bc7b-6fd1dbf8743d", + "object_type": "Event", + "authors": "alexandre.dulaunoy@circl.lu", + "org_uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", + "orgc_uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", + "created": "2024-06-25 04:37:03", + "modified": "2024-06-25 04:37:03", + "distribution": "3", + "sharing_group_id": null, + "note": "Note to an event", + "language": "en", + "note_type_name": "Note", + "Orgc": { + "id": "2", + "name": "CIRCL", + "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", + "type": "", + "sector": "", + "nationality": "Luxembourg", + "local": true + }, + "Org": { + "id": "2", + "name": "CIRCL", + "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", + "type": "", + "description": "CIRCL is the CERT (Computer Emergency Response Team/Computer Security Incident Response Team) for the private sector, communes and non-governmental entities in Luxembourg.", + "sector": "", + "nationality": "Luxembourg", + "local": true + } + +¶ +
id represents the human-readable identifier associated to the note for a specific MISP instance. A human-readable identifier MUST be +represented as an unsigned integer.¶
+id is represented as a JSON string. id SHALL be present.¶
+uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the note. The uuid MUST be preserved
+for any updates or transfer of the same Note
object. UUID version 4 is RECOMMENDED when assigning it to a new Note
.¶
uuid is represented as a JSON string. uuid MUST be present.¶
+object_uuid represents the target UUID element with an note.¶
+object_uuid MUST be present.¶
+object_type represents the type of element targeted in object_uuid.¶
+object_type is represented as a JSON string.¶
+org_uuid represents the Universally Unique IDentifier (UUID) [RFC4122] identifier referencing an Org object of the organisation which owns the note on a MISP instance.¶
+The org_uuid object MUST be updated for any updates or transfer to another MISP instance.¶
+org_uuid is represented as a JSON string. org_uuid MUST be present.¶
+orgc_uuid represents the Universally Unique IDentifier (UUID) [RFC4122] identifier referencing an Orgc object of the organisation which created the note.¶
+The orgc_uuid object MUST be preserved for any updates or transfer of the same note.¶
+orgc_uuid is represented as a JSON string. orgc_uuid MUST be present.¶
+created represents a reference time when the element was created. created is expressed as an ISO 8601 datetime up to the micro-second with time zone support.¶
+created is represented as a JSON string. created MAY be present.¶
+modified represents a reference time when the element was modified. modified is expressed as an ISO 8601 datetime up to the micro-second with time zone support.¶
+modified is represented as a JSON string. modified MAY be present.¶
+distribution represents the basic distribution rules of the opinion. The system must adhere to the distribution setting for access control and for dissemination of the opinion.¶
+distribution is represented by a JSON string. distribution SHALL be present and be one of the following options:¶
+ +note describes the note in text format.¶
+note is represented as a JSON string. MUST be present.¶
+note_type_name describe the type of the analyst data such as 'Opinion', 'Note' or 'Relationship'.¶
+A note is defined as Note
.¶
note_type_name is represented as a JSON string. note_type_name MUST be present.¶
+"Relationship": [ + { + "id": "2", + "uuid": "8f358641-4bdc-4261-8a9f-5a926fde2b0d", + "object_uuid": "ac22932c-27dc-415d-bc7b-6fd1dbf8743d", + "object_type": "Event", + "authors": "alexandre.dulaunoy@circl.lu", + "org_uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", + "orgc_uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", + "created": "2024-06-25 04:39:30", + "modified": "2024-06-25 04:39:30", + "distribution": "3", + "sharing_group_id": null, + "relationship_type": "relates", + "related_object_uuid": "f3290493-8f74-4220-aa04-b83408e37a0c", + "related_object_type": "Event", + "note_type": 2, + "note_type_name": "Relationship", + "Orgc": { + "id": "2", + "name": "CIRCL", + "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", + "type": "", + "sector": "", + "nationality": "Luxembourg", + "local": true + }, + "Org": { + "id": "2", + "name": "CIRCL", + "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", + "type": "", + "description": "CIRCL is the CERT (Computer Emergency Response Team/Computer Security Incident Response Team) for the private sector, communes and non-governmental entities in Luxembourg.", + "sector": "", + "nationality": "Luxembourg", + "local": true + }, + "related_object": { + "Event": { + "id": "205025", + "date": "2023-12-19", + "info": "Phishing targeting Luxembourg services (hosted and served on/from AWS)", + "user_id": "21", + "published": true, + "uuid": "f3290493-8f74-4220-aa04-b83408e37a0c", + "attribute_count": "446", + "analysis": "2", + "timestamp": "1719217388", + "distribution": "3", + "proposal_email_lock": false, + "locked": false, + "threat_level_id": "2", + "publish_timestamp": "1719217456", + "sighting_timestamp": "0", + "sharing_group_id": "0", + "org_id": "2", + "orgc_id": "2", + "disable_correlation": false, + "extends_uuid": "", + "protected": null + } + } + } + ] + +¶ +
id represents the human-readable identifier associated to the relationship for a specific MISP instance. A human-readable identifier MUST be +represented as an unsigned integer.¶
+id is represented as a JSON string. id SHALL be present.¶
+uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the relationship. The uuid MUST be preserved
+for any updates or transfer of the same Relationship
object. UUID version 4 is RECOMMENDED when assigning it to a new Relationship
.¶
uuid is represented as a JSON string. uuid MUST be present.¶
+object_uuid represents the target UUID element with a relationship.¶
+object_uuid MUST be present.¶
+object_type represents the type of element targeted in object_uuid.¶
+object_type is represented as a JSON string.¶
+org_uuid represents the Universally Unique IDentifier (UUID) [RFC4122] identifier referencing an Org object of the organisation which owns the relationship on a MISP instance.¶
+The org_uuid object MUST updated for any updates or transfer to another MISP instance.¶
+org_uuid is represented as a JSON string. org_uuid MUST be present.¶
+orgc_uuid represents the Universally Unique IDentifier (UUID) [RFC4122] identifier referencing an Orgc object of the organisation which created the relationship.¶
+The orgc_uuid object MUST be preserved for any updates or transfer of the same relationship.¶
+orgc_uuid is represented as a JSON string. orgc_uuid MUST be present.¶
+created represents a reference time when the element was created. created is expressed as an ISO 8601 datetime up to the micro-second with time zone support.¶
+created is represented as a JSON string. created MAY be present.¶
+modified represents a reference time when the element was modified. modified is expressed as an ISO 8601 datetime up to the micro-second with time zone support.¶
+modified is represented as a JSON string. modified MAY be present.¶
+distribution represents the basic distribution rules of the opinion. The system must adhere to the distribution setting for access control and for dissemination of the opinion.¶
+distribution is represented by a JSON string. distribution SHALL be present and be one of the following options:¶
+ +relationship_type represents the human readable relation from the Analyst Data towards the related_object_uuid.¶
+relationship_type SHALL use a relationship from the MISP object relationship types.¶
+relationship_type is represented as a JSON string. relationship_type MUST be present.¶
+note_type_name describe the type of the analyst data such as 'Opinion', 'Note' or 'Relationship'.¶
+A relationship is defined as Relationship
.¶
note_type_name is represented as a JSON string. note_type_name MUST be present.¶
+The JSON Schema [JSON-SCHEMA] below defines the structure of the MISP core format +
The JSON Schema [JSON-SCHEMA] below defines the structure of the MISP core format as literally described before. The JSON Schema is used to validate MISP events at creation time or parsing.¶
@@ -3765,7 +4482,7 @@ by the same uuid:¶If a detached PGP signature is used for each MISP event, a detached PGP signature is a MUST to ensure integrity of the manifest file. @@ -3825,6 +4542,7 @@ A detached PGP signature for a manifest file is a manifest.json.asc file contain "threat_level_id": "3" } } + ¶
MISP format is implemented by different software including the MISP threat sharing -platform and libraries like PyMISP [MISP-P]. Implementations use the format +platform and libraries like PyMISP [MISP-P]. Implementations use the format as an export/import mechanism, staging transport format or synchronisation format as used in the MISP core platform. MISP format doesn't impose any restriction on the data representation of the format in data-structure of other implementations.¶
@@ -3876,51 +4594,56 @@ for the review of the JSON Schema.¶<
+2.11.1.13. comment +
+comment describes the opinion.¶
+comment is represented as a JSON string. comment MUST be present.¶
+