@@ -1233,7 +1259,7 @@ li > p:last-of-type {
MISP (Open Source Threat Intelligence Sharing Platform formerly known as Malware Information Sharing Platform) instances.
The JSON format includes the overall structure along with the semantic associated for each
respective key. The format is described to support other implementations which reuse the
-format and ensuring an interoperability with existing MISP [MISP-P] software and other Threat Intelligence Platforms.¶
+format and ensuring an interoperability with existing MISP [MISP-P] software and other Threat Intelligence Platforms.¶
@@ -1254,7 +1280,7 @@ format and ensuring an interoperability with existing MISP [¶
- This Internet-Draft will expire on 26 June 2024.¶
+ This Internet-Draft will expire on 31 December 2024.¶
@@ -1263,7 +1289,7 @@ format and ensuring an interoperability with existing MISP [Copyright Notice
- Copyright (c) 2023 IETF Trust and the persons identified as the
+ Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal
@@ -1281,171 +1307,190 @@ format and ensuring an interoperability with existing MISP [
+document are to be interpreted as described in RFC 2119 [RFC2119].¶
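Review bot: The requirements-language sentence on the added line cites only RFC 2119, yet the specification text later in this diff uses a lower-case keyword in a normative position ("The system must adhere to the distribution setting"). Suggest citing RFC 8174 alongside RFC 2119 here, so that only capitalised keywords carry normative meaning, and then capitalising any lower-case "must" that is meant as a requirement.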
@@ -1483,7 +1528,7 @@ document are to be interpreted as described in RFC 2119 [2.1. Overview
-
The MISP core format is in the JSON [RFC8259] format. In MISP, an event is composed of a single JSON object.¶
+
The MISP core format is in the JSON [RFC8259] format. In MISP, an event is composed of a single JSON object.¶
A capitalized key (like Event, Org) represent a data model and a non-capitalised key is just an attribute. This nomenclature
can support an implementation to represent the MISP format in another data structure.¶
@@ -1506,7 +1551,7 @@ analysis. The meaning of an event only depends of the information embedded in th
uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the event. The uuid MUST be preserved
+
uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the event. The uuid MUST be preserved
for any updates or transfer of the same event. UUID version 4 is RECOMMENDED when assigning it to a new event.¶
uuid is represented as a JSON string. uuid MUST be present.¶
extends_uuid represents which event is extended by this event. The extends_uuid is described as a Universally Unique IDentifier (UUID) [RFC4122] with the UUID of the extended event.¶
+
extends_uuid represents which event is extended by this event. The extends_uuid is described as a Universally Unique IDentifier (UUID) [RFC4122] with the UUID of the extended event.¶
extends_uuid is represented as a JSON string. extends_uuid SHOULD be present.¶
@@ -1712,7 +1757,7 @@ represented as an unsigned integer.2.2.2.1. Org
An Org object is composed of an uuid, name and id.¶
-
The uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the organisation.
+
The uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the organisation.
The organisation UUID is globally assigned to an organisation and SHALL be kept overtime.¶
The name is a readable description of the organisation and SHOULD be present.
The id is a human-readable identifier generated by the instance and used as reference in the event.
@@ -1729,6 +1774,7 @@ A human-readable identifier MUST be represented as an
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
}
+
¶
@@ -1786,6 +1832,7 @@ where the category and type give meaning and context to the value. Through the v
"first_seen": "2019-06-02T22:14:28.711954+00:00",
"last_seen": null
}
+
¶
@@ -1800,7 +1847,7 @@ where the category and type give meaning and context to the value. Through the v
uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the event. The uuid MUST be preserved
+
uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the event. The uuid MUST be preserved
for any updates or transfer of the same event. UUID version 4 is RECOMMENDED when assigning it to a new event.¶
uuid is represented as a JSON string. uuid MUST be present.¶
@@ -2086,6 +2133,7 @@ which can be accepted or discarded by the event creator. If accepted, the origin
"first_seen": "2019-06-02T22:14:28.711954+00:00",
"last_seen": null
}
+
¶
@@ -2100,7 +2148,7 @@ which can be accepted or discarded by the event creator. If accepted, the origin
uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the event. The uuid MUST be preserved
+
uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the event. The uuid MUST be preserved
for any updates or transfer of the same event. UUID version 4 is RECOMMENDED when assigning it to a new event.¶
uuid is represented as a JSON string. uuid MUST be present.¶
@@ -2325,7 +2373,7 @@ the sample MUST be encrypted using a password protect
2.4.3.1. Org
An Org object is composed of an uuid, name and id.¶
-
The uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the organization.
+
The uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the organization.
The organization UUID is globally assigned to an organization and SHALL be kept overtime.¶
The name is a readable description of the organization and SHOULD be present.
The id is a human-readable identifier generated by the instance and used as reference in the event.
@@ -2342,6 +2390,7 @@ A human-readable identifier MUST be represented as an
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
}
+
¶
@@ -2408,6 +2457,7 @@ Each object is created using an Object Template and carries the meta-data of the
"last_seen": null
]
}
+
¶
@@ -2423,7 +2473,7 @@ Each object is created using an Object Template and carries the meta-data of the
uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the object. The uuid MUST be preserved
+
uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the object. The uuid MUST be preserved
for any updates or transfer of the same object. UUID version 4 is RECOMMENDED when assigning it to a new object.¶
@@ -2470,7 +2520,7 @@ tied to a fixed list of options but can be created on the fly.2.5.2.6. template_uuid
-
template_uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the template used to create the object. The uuid MUST be preserved
+
template_uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the template used to create the object. The uuid MUST be preserved
to preserve the object's association with the correct template used for creation. UUID version 4 is RECOMMENDED when assigning it to a new object.¶
template_uuid is represented as a JSON string. template_uuid MUST be present.¶
Object References serve as a logical link between an Object and another referenced Object or Attribute. The relationship is categorised by an enumerated value from a fixed vocabulary.¶
-
The relationship_type is recommended to be taken from the MISP object relationship list [[MISP-R]] is RECOMMENDED to ensure a coherent naming of the tags¶
+
The relationship_type is recommended to be taken from the MISP object relationship list [[MISP-R]] is RECOMMENDED to ensure a coherent naming of the tags¶
All Object References MUST contain an object_uuid, a referenced_uuid and a relationship type.¶
uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the object reference. The uuid MUST be preserved
+
uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the object reference. The uuid MUST be preserved
for any updates or transfer of the same object reference. UUID version 4 is RECOMMENDED when assigning it to a new object reference.¶
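Review bot: The relationship_type sentence in this hunk does not parse and is carried through unchanged on both the removed and the added line: it states the recommendation twice ("is recommended to be taken from ... is RECOMMENDED") and ends with "a coherent naming of the tags", which appears to be copied from the tag section. Suggest one sentence, for example: "Use of the MISP object relationship list [MISP-R] for relationship_type is RECOMMENDED to ensure a coherent naming of the relationships." The citation is also written [[MISP-R]] with doubled brackets where other citations such as [MISP-P] use single ones, and the next line requires "a relationship type" where the key name relationship_type would be unambiguous.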
@@ -2727,7 +2778,7 @@ represented as an unsigned integer.
object_uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the object that the given object reference belongs to. The object_uuid MUST be preserved
+
object_uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the object that the given object reference belongs to. The object_uuid MUST be preserved
to preserve the object reference's association with the object.¶
@@ -2736,7 +2787,7 @@ to preserve the object reference's association with the object.2.6.2.12. referenced_uuid
-
referenced_uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the object or attribute that is being referenced by the object reference. The referenced_uuid MUST be preserved
+
referenced_uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the object or attribute that is being referenced by the object reference. The referenced_uuid MUST be preserved
to preserve the object reference's association with the object or attribute.¶
@@ -2766,7 +2817,7 @@ represented as an unsigned integer.¶
uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the EventReport. The uuid MUST be preserved for any updates or transfer of the same EventReport. UUID version 4 is RECOMMENDED when assigning it to a new EventReport.¶
+
uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the EventReport. The uuid MUST be preserved for any updates or transfer of the same EventReport. UUID version 4 is RECOMMENDED when assigning it to a new EventReport.¶
uuid is represented as a JSON string. uuid MUST be present.¶
@@ -2869,7 +2920,7 @@ of the report. name SHOULD NOT be bigger than 256 cha
A tag is a simple method to classify an event with a simple string. The tag name can be freely chosen. The tag name can be also chosen from a fixed machine-tag vocabulary called MISP taxonomies[[MISP-T]]. When an event is distributed outside an organisation, the use of MISP taxonomies[[MISP-T]] is RECOMMENDED to ensure a coherent naming of the tags. A tag is represented as a JSON array where each element describes each tag associated. A tag array SHALL be at event level or attribute level. A tag element is described with a name, id, colour and exportable flag.¶
+
A tag is a simple method to classify an event with a simple string. The tag name can be freely chosen. The tag name can be also chosen from a fixed machine-tag vocabulary called MISP taxonomies[[MISP-T]]. When an event is distributed outside an organisation, the use of MISP taxonomies[[MISP-T]] is RECOMMENDED to ensure a coherent naming of the tags. A tag is represented as a JSON array where each element describes each tag associated. A tag array SHALL be at event level or attribute level. A tag element is described with a name, id, colour and exportable flag.¶
exportable represents a setting if the tag is kept local or exportable to other MISP instances. exportable is represented by a JSON boolean. id is a human-readable identifier that references the tag on the local instance. colour represents an RGB value of the tag.¶
name MUST be present. colour, id and exportable SHALL be present.¶
@@ -2883,6 +2934,7 @@ of the report. name SHOULD NOT be bigger than 256 cha
"colour": "#ffffff",
"name": "tlp:white",
"id": "2" }]
+
¶
@@ -2972,6 +3024,7 @@ attribute_id represents the human-readable identifier of the attribute reference
}
}
]
+
¶
@@ -3034,12 +3087,675 @@ attribute_id represents the human-readable identifier of the attribute reference
]
}
]
+
¶
+
Analyst Data are objects that can take different forms within the MISP format, including objects, attributes, events, or detached formats from the MISP core. They can express an Opinion, Note, or a Relationship from an analyst. These three types define the key components of analyst data and can be applied at various levels within the data structure. Analyst data can also be nested to provide additional complementary analysis on itself.¶
id represents the human-readable identifier associated to the opinion for a specific MISP instance. A human-readable identifier MUST be
+represented as an unsigned integer.¶
+
id is represented as a JSON string. id SHALL be present.¶
uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the opinion. The uuid MUST be preserved
+for any updates or transfer of the same Opinion object. UUID version 4 is RECOMMENDED when assigning it to a new Opinion.¶
+
uuid is represented as a JSON string. uuid MUST be present.¶
org_uuid represents the Universally Unique IDentifier (UUID) [RFC4122] identifier referencing an Org object of the organisation which owns the opinion on a MISP instance.¶
+
The org_uuid object MUST be updated for any updates or transfer to another MISP instance.¶
+
org_uuid is represented as a JSON string. org_uuid MUST be present.¶
orgc_uuid represents the Universally Unique IDentifier (UUID) [RFC4122] identifier referencing an Orgc object of the organisation which created the opinion.¶
+
The orgc_uuid object MUST be preserved for any updates or transfer of the same opinion.¶
+
orgc_uuid is represented as a JSON string. orgc_uuid MUST be present.¶
created represents a reference time when the element was created. created is expressed as an ISO 8601 datetime up to the micro-second with time zone support.¶
+
created is represented as a JSON string. created MAY be present.¶
modified represents a reference time when the element was modified. modified is expressed as an ISO 8601 datetime up to the micro-second with time zone support.¶
+
modified is represented as a JSON string. modified MAY be present.¶
distribution represents the basic distribution rules of the opinion. The system must adhere to the distribution setting for access control and for dissemination of the opinion.¶
+
distribution is represented by a JSON string. distribution SHALL be present and be one of the following options:¶
id represents the human-readable identifier associated to the note for a specific MISP instance. A human-readable identifier MUST be
+represented as an unsigned integer.¶
+
id is represented as a JSON string. id SHALL be present.¶
uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the note. The uuid MUST be preserved
+for any updates or transfer of the same Note object. UUID version 4 is RECOMMENDED when assigning it to a new Note.¶
+
uuid is represented as a JSON string. uuid MUST be present.¶
org_uuid represents the Universally Unique IDentifier (UUID) [RFC4122] identifier referencing an Org object of the organisation which owns the note on a MISP instance.¶
+
The org_uuid object MUST be updated for any updates or transfer to another MISP instance.¶
+
org_uuid is represented as a JSON string. org_uuid MUST be present.¶
orgc_uuid represents the Universally Unique IDentifier (UUID) [RFC4122] identifier referencing an Orgc object of the organisation which created the note.¶
+
The orgc_uuid object MUST be preserved for any updates or transfer of the same note.¶
+
orgc_uuid is represented as a JSON string. orgc_uuid MUST be present.¶
created represents a reference time when the element was created. created is expressed as an ISO 8601 datetime up to the micro-second with time zone support.¶
+
created is represented as a JSON string. created MAY be present.¶
modified represents a reference time when the element was modified. modified is expressed as an ISO 8601 datetime up to the micro-second with time zone support.¶
+
modified is represented as a JSON string. modified MAY be present.¶
distribution represents the basic distribution rules of the opinion. The system must adhere to the distribution setting for access control and for dissemination of the opinion.¶
+
distribution is represented by a JSON string. distribution SHALL be present and be one of the following options:¶
id represents the human-readable identifier associated to the relationship for a specific MISP instance. A human-readable identifier MUST be
+represented as an unsigned integer.¶
+
id is represented as a JSON string. id SHALL be present.¶
uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the relationship. The uuid MUST be preserved
+for any updates or transfer of the same Relationship object. UUID version 4 is RECOMMENDED when assigning it to a new Relationship.¶
+
uuid is represented as a JSON string. uuid MUST be present.¶
org_uuid represents the Universally Unique IDentifier (UUID) [RFC4122] identifier referencing an Org object of the organisation which owns the relationship on a MISP instance.¶
+
The org_uuid object MUST updated for any updates or transfer to another MISP instance.¶
+
org_uuid is represented as a JSON string. org_uuid MUST be present.¶
orgc_uuid represents the Universally Unique IDentifier (UUID) [RFC4122] identifier referencing an Orgc object of the organisation which created the relationship.¶
+
The orgc_uuid object MUST be preserved for any updates or transfer of the same relationship.¶
+
orgc_uuid is represented as a JSON string. orgc_uuid MUST be present.¶
created represents a reference time when the element was created. created is expressed as an ISO 8601 datetime up to the micro-second with time zone support.¶
+
created is represented as a JSON string. created MAY be present.¶
modified represents a reference time when the element was modified. modified is expressed as an ISO 8601 datetime up to the micro-second with time zone support.¶
+
modified is represented as a JSON string. modified MAY be present.¶
distribution represents the basic distribution rules of the opinion. The system must adhere to the distribution setting for access control and for dissemination of the opinion.¶
+
distribution is represented by a JSON string. distribution SHALL be present and be one of the following options:¶
The JSON Schema [JSON-SCHEMA] below defines the structure of the MISP core format
+
The JSON Schema [JSON-SCHEMA] below defines the structure of the MISP core format
as literally described before. The JSON Schema is used to validate MISP events at creation time
or parsing.¶
integrity:sha256 represents the SHA256 value in hexadecimal representation of the associated MISP event file to ensure integrity of the file. (SHOULD)¶
-
integrity:pgp represents a detached PGP signature [RFC4880] of the associated MISP event file to ensure integrity of the file. (SHOULD)¶
+
integrity:pgp represents a detached PGP signature [RFC4880] of the associated MISP event file to ensure integrity of the file. (SHOULD)¶
If a detached PGP signature is used for each MISP event, a detached PGP signature is a MUST to ensure integrity of the manifest file.
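Review bot: In the added Note and Relationship field descriptions, the distribution paragraph still reads "the basic distribution rules of the opinion ... dissemination of the opinion"; it should name the note and the relationship respectively, otherwise it is unclear which element the access-control rule binds. In the same added text, the Relationship org_uuid line reads "MUST updated" (missing "be"), and "The system must adhere to the distribution setting" uses a lower-case "must" for what is an access-control requirement; write MUST if it is normative. The id fields are described as "MUST be represented as an unsigned integer" and then "id is represented as a JSON string", which leaves a validator unsure which JSON type to accept; state the type once, for example as a JSON string containing an unsigned integer.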
@@ -3825,6 +4542,7 @@ A detached PGP signature for a manifest file is a manifest.json.asc file contain
"threat_level_id": "3"
}
}
+
¶
@@ -3839,7 +4557,7 @@ A detached PGP signature for a manifest file is a manifest.json.asc file contain
5. Implementation
MISP format is implemented by different software including the MISP threat sharing
-platform and libraries like PyMISP [MISP-P]. Implementations use the format
+platform and libraries like PyMISP [MISP-P]. Implementations use the format
as an export/import mechanism, staging transport format or synchronisation format
as used in the MISP core platform. MISP format doesn't impose any restriction on
the data representation of the format in data-structure of other implementations.¶
@@ -3876,51 +4594,56 @@ for the review of the JSON Schema.¶<
-
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/info/rfc2119>.
[RFC4122]
-
+
Leach, P., Mealling, M., and R. Salz, "A Universally Unique IDentifier (UUID) URN Namespace", RFC 4122, DOI 10.17487/RFC4122, , <https://www.rfc-editor.org/info/rfc4122>.
[RFC4880]
-
+
Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R. Thayer, "OpenPGP Message Format", RFC 4880, DOI 10.17487/RFC4880, , <https://www.rfc-editor.org/info/rfc4880>.
[RFC8259]
-
+
Bray, T., Ed., "The JavaScript Object Notation (JSON) Data Interchange Format", STD 90, RFC 8259, DOI 10.17487/RFC8259, , <https://www.rfc-editor.org/info/rfc8259>.
+2.11.1.13. comment +
+comment describes the opinion.¶
+comment is represented as a JSON string. comment MUST be present.¶
+