From 55f6d63494f62c17e8b2a2616bf428c0f71ac01e Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 30 Dec 2019 11:52:34 +0100
Subject: [PATCH] chg: [misp-standards] updated to the latest version
---
 rfc/misp-standard-core.html | 12 ++---
 rfc/misp-standard-core.txt | 76 ++++++++++++++--------------
 rfc/misp-standard-galaxy-format.html | 6 +--
 rfc/misp-standard-galaxy-format.txt | 36 ++++++-------
 4 files changed, 65 insertions(+), 65 deletions(-)
diff --git a/rfc/misp-standard-core.html b/rfc/misp-standard-core.html
index 98e0cbf..254cad9 100644
--- a/rfc/misp-standard-core.html
+++ b/rfc/misp-standard-core.html
@@ -792,7 +792,7 @@
link, comment, text, hex, attachment, other, anonymised
Artifacts dropped
-
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, pdb, stix2-pattern, yara, sigma, attachment, malware-sample, named pipe, mutex, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene, mime-type, anonymised
+
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, pdb, stix2-pattern, yara, sigma, attachment, malware-sample, named pipe, mutex, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene, kusto-query, mime-type, anonymised
Attribution

threat-actor, campaign-name, campaign-id, whois-registrant-phone, whois-registrant-email, whois-registrant-name, whois-registrant-org, whois-registrar, whois-creation-date, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, dns-soa-email, anonymised
@@ -807,7 +807,7 @@
text, link, comment, other, hex, anonymised
Network activity
-
ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email-dst, url, uri, user-agent, http-method, AS, snort, pattern-in-file, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised, community-id, email-subject
+
ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email-dst, email-src, eppn, url, uri, user-agent, http-method, AS, snort, pattern-in-file, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised, community-id, email-subject
Other

comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean, anonymised
@@ -828,7 +828,7 @@
first-name, middle-name, last-name, date-of-birth, place-of-birth, gender, passport-number, passport-country, passport-expiration, redress-number, nationality, visa-number, issue-date-of-the-visa, primary-residence, country-of-residence, special-service-request, frequent-flyer-number, travel-details, payment-details, place-port-of-original-embarkation, place-port-of-clearance, place-port-of-onward-foreign-destination, passenger-name-record-locator-number, comment, text, other, phone-number, identity-card-number, anonymised
Social network
-
github-username, github-repository, github-organisation, jabber-id, twitter-id, email-src, email-dst, comment, text, other, whois-registrant-email, anonymised
+
github-username, github-repository, github-organisation, jabber-id, twitter-id, email-src, email-dst, eppn, comment, text, other, whois-registrant-email, anonymised
Support Tool

link, text, attachment, comment, other, hex, anonymised
@@ -990,7 +990,7 @@
link, comment, text, hex, attachment, other, anonymised
Artifacts dropped
-
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, pdb, stix2-pattern, yara, sigma, attachment, malware-sample, named pipe, mutex, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene, mime-type, anonymised
+
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, pdb, stix2-pattern, yara, sigma, attachment, malware-sample, named pipe, mutex, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene, kusto-query, mime-type, anonymised
Attribution

threat-actor, campaign-name, campaign-id, whois-registrant-phone, whois-registrant-email, whois-registrant-name, whois-registrant-org, whois-registrar, whois-creation-date, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, dns-soa-email, anonymised
@@ -1005,7 +1005,7 @@
text, link, comment, other, hex, anonymised
Network activity
-
ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email-dst, url, uri, user-agent, http-method, AS, snort, pattern-in-file, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised, community-id, email-subject
+
ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email-dst, email-src, eppn, url, uri, user-agent, http-method, AS, snort, pattern-in-file, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised, community-id, email-subject
Other

comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean, anonymised
@@ -1026,7 +1026,7 @@
first-name, middle-name, last-name, date-of-birth, place-of-birth, gender, passport-number, passport-country, passport-expiration, redress-number, nationality, visa-number, issue-date-of-the-visa, primary-residence, country-of-residence, special-service-request, frequent-flyer-number, travel-details, payment-details, place-port-of-original-embarkation, place-port-of-clearance, place-port-of-onward-foreign-destination, passenger-name-record-locator-number, comment, text, other, phone-number, identity-card-number, anonymised
Social network
-
github-username, github-repository, github-organisation, jabber-id, twitter-id, email-src, email-dst, comment, text, other, whois-registrant-email, anonymised
+
github-username, github-repository, github-organisation, jabber-id, twitter-id, email-src, email-dst, eppn, comment, text, other, whois-registrant-email, anonymised
Support Tool

link, text, attachment, comment, other, hex, anonymised
diff --git a/rfc/misp-standard-core.txt b/rfc/misp-standard-core.txt
index 53fa2ed..7369ccb 100644
--- a/rfc/misp-standard-core.txt
+++ b/rfc/misp-standard-core.txt
@@ -521,7 +521,7 @@ Internet-Draft MISP core format August 2018 sample, named pipe, mutex, windows-scheduled-task, windows- service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint- - sha256, other, cookie, gene, mime-type, anonymised + sha256, other, cookie, gene, kusto-query, mime-type, anonymised Attribution threat-actor, campaign-name, campaign-id, whois-registrant-phone,
@@ -550,10 +550,10 @@ Internet-Draft MISP core format August 2018 Network activity ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, - domain|ip, mac-address, mac-eui-64, email-dst, url, uri, user- - agent, http-method, AS, snort, pattern-in-file, stix2-pattern, - pattern-in-traffic, attachment, comment, text, x509-fingerprint- - md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3- + domain|ip, mac-address, mac-eui-64, email-dst, email-src, eppn, + url, uri, user-agent, http-method, AS, snort, pattern-in-file, + stix2-pattern, pattern-in-traffic, attachment, comment, text, + x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-
@@ -562,8 +562,9 @@ Dulaunoy & Iklody Expires February 9, 2019 [Page 10] Internet-Draft MISP core format August 2018 - fingerprint-md5, hassh-md5, hasshserver-md5, other, hex, cookie, - hostname|port, bro, zeek, anonymised, community-id, email-subject + sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, + hex, cookie, hostname|port, bro, zeek, anonymised, community-id, + email-subject Other comment, text, other, size-in-bytes, counter, datetime, cpe, port,
@@ -612,7 +613,6 @@ Internet-Draft MISP core format August 2018 - Dulaunoy & Iklody Expires February 9, 2019 [Page 11] Internet-Draft MISP core format August 2018
@@ -631,8 +631,8 @@ Internet-Draft MISP core format August 2018 Social network github-username, github-repository, github-organisation, jabber- - id, twitter-id, email-src, email-dst, comment, text, other, whois- - registrant-email, anonymised + id, twitter-id, email-src, email-dst, eppn, comment, text, other, + whois-registrant-email, anonymised Support Tool link, text, attachment, comment, other, hex, anonymised
@@ -917,7 +917,7 @@ Internet-Draft MISP core format August 2018 sample, named pipe, mutex, windows-scheduled-task, windows- service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint- - sha256, other, cookie, gene, mime-type, anonymised + sha256, other, cookie, gene, kusto-query, mime-type, anonymised Attribution threat-actor, campaign-name, campaign-id, whois-registrant-phone,
@@ -955,12 +955,13 @@ Internet-Draft MISP core format August 2018 ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, - domain|ip, mac-address, mac-eui-64, email-dst, url, uri, user- - agent, http-method, AS, snort, pattern-in-file, stix2-pattern, - pattern-in-traffic, attachment, comment, text, x509-fingerprint- - md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3- - fingerprint-md5, hassh-md5, hasshserver-md5, other, hex, cookie, - hostname|port, bro, zeek, anonymised, community-id, email-subject + domain|ip, mac-address, mac-eui-64, email-dst, email-src, eppn, + url, uri, user-agent, http-method, AS, snort, pattern-in-file, + stix2-pattern, pattern-in-traffic, attachment, comment, text, + x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint- + sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, + hex, cookie, hostname|port, bro, zeek, anonymised, community-id, + email-subject Other comment, text, other, size-in-bytes, counter, datetime, cpe, port,
@@ -1001,7 +1002,6 @@ Internet-Draft MISP core format August 2018 anonymised Payload type - comment, text, other, anonymised
@@ -1010,6 +1010,8 @@ Dulaunoy & Iklody Expires February 9, 2019 [Page 18] Internet-Draft MISP core format August 2018 + comment, text, other, anonymised + Persistence mechanism filename, regkey, regkey|value, comment, text, other, hex, anonymised
@@ -1027,8 +1029,8 @@ Internet-Draft MISP core format August 2018 Social network github-username, github-repository, github-organisation, jabber- - id, twitter-id, email-src, email-dst, comment, text, other, whois- - registrant-email, anonymised + id, twitter-id, email-src, email-dst, eppn, comment, text, other, + whois-registrant-email, anonymised Support Tool link, text, attachment, comment, other, hex, anonymised
@@ -1056,8 +1058,6 @@ Internet-Draft MISP core format August 2018 to_ids represents whether the Attribute to be created if the ShadowAttribute is accepted is meant to be actionable. Actionable defined attributes that can be used in automated processes as a - pattern for detection in Local or Network Intrusion Detection System, - log analysis tools or even filtering mechanisms.
@@ -1066,6 +1066,9 @@ Dulaunoy & Iklody Expires February 9, 2019 [Page 19] Internet-Draft MISP core format August 2018 + pattern for detection in Local or Network Intrusion Detection System, + log analysis tools or even filtering mechanisms. + to_ids is represented as a JSON boolean. to_ids MUST be present. 2.5.2.6. event_id
@@ -1108,11 +1111,8 @@ Internet-Draft MISP core format August 2018 comment is represented by a JSON string. comment MAY be present. -2.5.2.10. org_id - org_id represents a human-readable identifier referencing the - proposal creator's Organisation object. A human-readable identifier - MUST be represented as an unsigned integer. +
@@ -1122,6 +1122,12 @@ Dulaunoy & Iklody Expires February 9, 2019 [Page 20] Internet-Draft MISP core format August 2018 +2.5.2.10. org_id + + org_id represents a human-readable identifier referencing the + proposal creator's Organisation object. A human-readable identifier + MUST be represented as an unsigned integer. + Whilst attributes can only be created by the event creator organisation, shadow attributes can be created by third parties. org_id tracks the creator organisation.
@@ -1164,12 +1170,6 @@ Internet-Draft MISP core format August 2018 seen. first_seen as an ISO 8601 datetime up to the micro-second with time zone support. - first_seen is represented as a JSON string. first_seen MAY be - present. - - - -
@@ -1178,6 +1178,9 @@ Dulaunoy & Iklody Expires February 9, 2019 [Page 21] Internet-Draft MISP core format August 2018 + first_seen is represented as a JSON string. first_seen MAY be + present. + 2.5.2.15. last_seen last_seen represents a reference time when the attribute was last
@@ -1223,9 +1226,6 @@ Internet-Draft MISP core format August 2018 within an event. Their main purpose is to describe more complex structures than can be described by a single attribute Each object is created using an Object Template and carries the meta-data of the - template used for its creation within. Objects belong to a meta- - category and are defined by a name. -
@@ -1234,6 +1234,9 @@ Dulaunoy & Iklody Expires February 9, 2019 [Page 22] Internet-Draft MISP core format August 2018 + template used for its creation within. Objects belong to a meta- + category and are defined by a name. + The schema used is described by the template_uuid and template_version fields.
@@ -1262,9 +1265,6 @@ Internet-Draft MISP core format August 2018 - - -
diff --git a/rfc/misp-standard-galaxy-format.html b/rfc/misp-standard-galaxy-format.html
index 5666e4e..8fb0831 100644
--- a/rfc/misp-standard-galaxy-format.html
+++ b/rfc/misp-standard-galaxy-format.html
@@ -522,8 +522,8 @@

2.4. meta

-

Meta contains a list of custom defined JSON key value pairs. Users SHOULD reuse commonly used keys such as complexity, effectiveness, country, possible_issues, colour, motive, impact, refs, synonyms, status, date, encryption, extensions, ransomnotes, ransomnotes-filenames, ransomnotes-refs, suspected-victims, suspected-state-sponsor, type-of-incident, target-category, cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-category, attribution-confidence, payment-method, price wherever applicable. Additional meta field MAY be added without the need to be referenced or registered in advance.

-

refs, synonyms SHALL be used to give further informations. refs is represented as an array containing one or more strings and SHALL be present. synonyms is represented as an array containing one or more strings and SHALL be present.

+

Meta contains a list of custom defined JSON key value pairs. Users SHOULD reuse commonly used keys such as complexity, effectiveness, country, possible_issues, colour, motive, impact, refs, synonyms, status, date, encryption, extensions, ransomnotes, ransomnotes-filenames, ransomnotes-refs, suspected-victims, suspected-state-sponsor, type-of-incident, target-category, cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-category, attribution-confidence, payment-method, price, spoken-language, official-refs wherever applicable. Additional meta field MAY be added without the need to be referenced or registered in advance.

+

refs, synonyms, official-refs SHALL be used to give further informations. refs is represented as an array containing one or more strings and SHALL be present. synonyms is represented as an array containing one or more strings and SHALL be present. official-refs is represented as an array containing one or more strings and SHALL be present.

date, status MAY be used to give time information about an cluster. date is represented as a string describing a time or period and SHALL be present. status is represented as a string describing the current status of the clusters. It MAY also describe a time or period and SHALL be present.

colour fields MAY be used at predicates or values level to set a specify colour that MAY be used by the implementation. The colour field is described as an RGB colour fill in hexadecimal representation.

complexity, effectiveness, impact, possibleissues MAY be used to give further information in preventive-measure galaxy. complexity is represented by an enumerated value from a fixed vocabulary and SHALL be present. effectiveness is represented by an enumerated value from a fixed vocabulary and SHALL be present. impact is represented by an enumerated value from a fixed vocabulary and SHALL be present. possibleissues is represented as a string and SHOULD be present.

@@ -546,7 +546,7 @@ "uuid": "e6df1619-f8b3-476c-b5cf-22b4c9e9dd7f" } -

country, motive MAY be used to give further information in threat-actor galaxy. country is represented as a string and SHOULD be present. motive is represented as a string and SHOULD be present.

+

country, motive, spoken-language MAY be used to give further information in threat-actor galaxy. country is represented as a string and SHOULD be present. motive is represented as a string and SHOULD be present. spoken-language is represented as an array containing one or more strings describing a language using ISO 639-2 code and SHALL be present.

Example use of the country, motive fields in the threat-actor galaxy:

{
   "meta": {
diff --git a/rfc/misp-standard-galaxy-format.txt b/rfc/misp-standard-galaxy-format.txt
index e6a75ed..5562262 100644
--- a/rfc/misp-standard-galaxy-format.txt
+++ b/rfc/misp-standard-galaxy-format.txt
@@ -195,14 +195,17 @@ Internet-Draft             MISP galaxy format               October 2019
    filenames, ransomnotes-refs, suspected-victims, suspected-state-
    sponsor, type-of-incident, target-category, cfr-suspected-victims,
    cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-
-   category, attribution-confidence, payment-method, price wherever
-   applicable.  Additional meta field MAY be added without the need to
-   be referenced or registered in advance.
+   category, attribution-confidence, payment-method, price, spoken-
+   language, official-refs wherever applicable.  Additional meta field
+   MAY be added without the need to be referenced or registered in
+   advance.
 
-   refs, synonyms SHALL be used to give further informations. refs is
+   refs, synonyms, official-refs SHALL be used to give further
+   informations. refs is represented as an array containing one or more
+   strings and SHALL be present. synonyms is represented as an array
+   containing one or more strings and SHALL be present. official-refs is
    represented as an array containing one or more strings and SHALL be
-   present. synonyms is represented as an array containing one or more
-   strings and SHALL be present.
+   present.
 
    date, status MAY be used to give time information about an cluster.
    date is represented as a string describing a time or period and SHALL
@@ -215,9 +218,6 @@ Internet-Draft             MISP galaxy format               October 2019
    field is described as an RGB colour fill in hexadecimal
    representation.
 
-   complexity, effectiveness, impact, possible_issues MAY be used to
-   give further information in preventive-measure galaxy. complexity is
-   represented by an enumerated value from a fixed vocabulary and SHALL
 
 
 
@@ -226,6 +226,9 @@ Dulaunoy, et al.          Expires April 6, 2020                 [Page 4]
 Internet-Draft             MISP galaxy format               October 2019
 
 
+   complexity, effectiveness, impact, possible_issues MAY be used to
+   give further information in preventive-measure galaxy. complexity is
+   represented by an enumerated value from a fixed vocabulary and SHALL
    be present. effectiveness is represented by an enumerated value from
    a fixed vocabulary and SHALL be present. impact is represented by an
    enumerated value from a fixed vocabulary and SHALL be present.
@@ -252,9 +255,12 @@ Internet-Draft             MISP galaxy format               October 2019
   "uuid": "e6df1619-f8b3-476c-b5cf-22b4c9e9dd7f"
 }
 
-   country, motive MAY be used to give further information in threat-
-   actor galaxy. country is represented as a string and SHOULD be
-   present. motive is represented as a string and SHOULD be present.
+   country, motive, spoken-language MAY be used to give further
+   information in threat-actor galaxy. country is represented as a
+   string and SHOULD be present. motive is represented as a string and
+   SHOULD be present. spoken-language is represented as an array
+   containing one or more strings describing a language using ISO 639-2
+   code and SHALL be present.
 
    Example use of the country, motive fields in the threat-actor galaxy:
 
@@ -271,12 +277,6 @@ Internet-Draft             MISP galaxy format               October 2019
 
 
 
-
-
-
-
-
-
 Dulaunoy, et al.          Expires April 6, 2020                 [Page 5]
 
 Internet-Draft             MISP galaxy format               October 2019