chg: [misp-standards] updated to the latest version
parent c1ba65cc2f
commit 55f6d63494
|
@ -792,7 +792,7 @@
|
|||
<br>link, comment, text, hex, attachment, other, anonymised</dd>
|
||||
<dt>Artifacts dropped</dt>
|
||||
<dd style="margin-left: 8">
|
||||
<br>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, pdb, stix2-pattern, yara, sigma, attachment, malware-sample, named pipe, mutex, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene, mime-type, anonymised</dd>
|
||||
<br>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, pdb, stix2-pattern, yara, sigma, attachment, malware-sample, named pipe, mutex, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene, kusto-query, mime-type, anonymised</dd>
|
||||
<dt>Attribution</dt>
|
||||
<dd style="margin-left: 8">
|
||||
<br>threat-actor, campaign-name, campaign-id, whois-registrant-phone, whois-registrant-email, whois-registrant-name, whois-registrant-org, whois-registrar, whois-creation-date, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, dns-soa-email, anonymised</dd>
|
||||
|
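Review bot: kusto-query is inserted between gene and mime-type in the Artifacts dropped list, but nothing in the visible hunks says what the value of this type holds. yara and sigma sit in the same list and carry rule text, so state whether kusto-query is likewise the full query body; a parser needs that to size and validate the value field.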
@ -807,7 +807,7 @@
|
|||
<br>text, link, comment, other, hex, anonymised</dd>
|
||||
<dt>Network activity</dt>
|
||||
<dd style="margin-left: 8">
|
||||
<br>ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email-dst, url, uri, user-agent, http-method, AS, snort, pattern-in-file, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised, community-id, email-subject</dd>
|
||||
<br>ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email-dst, email-src, eppn, url, uri, user-agent, http-method, AS, snort, pattern-in-file, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised, community-id, email-subject</dd>
|
||||
<dt>Other</dt>
|
||||
<dd style="margin-left: 8">
|
||||
<br>comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean, anonymised</dd>
|
||||
|
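Review bot: eppn, added after email-src in the Network activity list, is never expanded or described in this change. Spell it out where the type is introduced (eduPersonPrincipalName) and note that its user@scope form looks like an e-mail address, so that producers do not file the same value under email-src, which is added to this list in the same line.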
@ -828,7 +828,7 @@
|
|||
<br>first-name, middle-name, last-name, date-of-birth, place-of-birth, gender, passport-number, passport-country, passport-expiration, redress-number, nationality, visa-number, issue-date-of-the-visa, primary-residence, country-of-residence, special-service-request, frequent-flyer-number, travel-details, payment-details, place-port-of-original-embarkation, place-port-of-clearance, place-port-of-onward-foreign-destination, passenger-name-record-locator-number, comment, text, other, phone-number, identity-card-number, anonymised</dd>
|
||||
<dt>Social network</dt>
|
||||
<dd style="margin-left: 8">
|
||||
<br>github-username, github-repository, github-organisation, jabber-id, twitter-id, email-src, email-dst, comment, text, other, whois-registrant-email, anonymised</dd>
|
||||
<br>github-username, github-repository, github-organisation, jabber-id, twitter-id, email-src, email-dst, eppn, comment, text, other, whois-registrant-email, anonymised</dd>
|
||||
<dt>Support Tool</dt>
|
||||
<dd style="margin-left: 8">
|
||||
<br>link, text, attachment, comment, other, hex, anonymised</dd>
|
||||
|
@ -990,7 +990,7 @@
|
|||
<br>link, comment, text, hex, attachment, other, anonymised</dd>
|
||||
<dt>Artifacts dropped</dt>
|
||||
<dd style="margin-left: 8">
|
||||
<br>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, pdb, stix2-pattern, yara, sigma, attachment, malware-sample, named pipe, mutex, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene, mime-type, anonymised</dd>
|
||||
<br>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, pdb, stix2-pattern, yara, sigma, attachment, malware-sample, named pipe, mutex, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene, kusto-query, mime-type, anonymised</dd>
|
||||
<dt>Attribution</dt>
|
||||
<dd style="margin-left: 8">
|
||||
<br>threat-actor, campaign-name, campaign-id, whois-registrant-phone, whois-registrant-email, whois-registrant-name, whois-registrant-org, whois-registrar, whois-creation-date, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, dns-soa-email, anonymised</dd>
|
||||
|
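Review bot: The Artifacts dropped list in this hunk is a word-for-word second copy of the one changed at -792, so the kusto-query insertion has to be repeated by hand here, and the same holds for the Network activity and Social network lists at -1005 and -1026. Consider having the second section refer to the first list, or generating both from one source, so the copies cannot drift apart on the next type addition.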
@ -1005,7 +1005,7 @@
|
|||
<br>text, link, comment, other, hex, anonymised</dd>
|
||||
<dt>Network activity</dt>
|
||||
<dd style="margin-left: 8">
|
||||
<br>ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email-dst, url, uri, user-agent, http-method, AS, snort, pattern-in-file, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised, community-id, email-subject</dd>
|
||||
<br>ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email-dst, email-src, eppn, url, uri, user-agent, http-method, AS, snort, pattern-in-file, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised, community-id, email-subject</dd>
|
||||
<dt>Other</dt>
|
||||
<dd style="margin-left: 8">
|
||||
<br>comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean, anonymised</dd>
|
||||
|
@ -1026,7 +1026,7 @@
|
|||
<br>first-name, middle-name, last-name, date-of-birth, place-of-birth, gender, passport-number, passport-country, passport-expiration, redress-number, nationality, visa-number, issue-date-of-the-visa, primary-residence, country-of-residence, special-service-request, frequent-flyer-number, travel-details, payment-details, place-port-of-original-embarkation, place-port-of-clearance, place-port-of-onward-foreign-destination, passenger-name-record-locator-number, comment, text, other, phone-number, identity-card-number, anonymised</dd>
|
||||
<dt>Social network</dt>
|
||||
<dd style="margin-left: 8">
|
||||
<br>github-username, github-repository, github-organisation, jabber-id, twitter-id, email-src, email-dst, comment, text, other, whois-registrant-email, anonymised</dd>
|
||||
<br>github-username, github-repository, github-organisation, jabber-id, twitter-id, email-src, email-dst, eppn, comment, text, other, whois-registrant-email, anonymised</dd>
|
||||
<dt>Support Tool</dt>
|
||||
<dd style="margin-left: 8">
|
||||
<br>link, text, attachment, comment, other, hex, anonymised</dd>
|
||||
|
|
|
@ -521,7 +521,7 @@ Internet-Draft MISP core format August 2018
|
|||
sample, named pipe, mutex, windows-scheduled-task, windows-
|
||||
service-name, windows-service-displayname, comment, text, hex,
|
||||
x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-
|
||||
sha256, other, cookie, gene, mime-type, anonymised
|
||||
sha256, other, cookie, gene, kusto-query, mime-type, anonymised
|
||||
|
||||
Attribution
|
||||
threat-actor, campaign-name, campaign-id, whois-registrant-phone,
|
||||
|
@ -550,10 +550,10 @@ Internet-Draft MISP core format August 2018
|
|||
|
||||
Network activity
|
||||
ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain,
|
||||
domain|ip, mac-address, mac-eui-64, email-dst, url, uri, user-
|
||||
agent, http-method, AS, snort, pattern-in-file, stix2-pattern,
|
||||
pattern-in-traffic, attachment, comment, text, x509-fingerprint-
|
||||
md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-
|
||||
domain|ip, mac-address, mac-eui-64, email-dst, email-src, eppn,
|
||||
url, uri, user-agent, http-method, AS, snort, pattern-in-file,
|
||||
stix2-pattern, pattern-in-traffic, attachment, comment, text,
|
||||
x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-
|
||||
|
||||
|
||||
|
||||
|
@ -562,8 +562,9 @@ Dulaunoy & Iklody Expires February 9, 2019 [Page 10]
|
|||
Internet-Draft MISP core format August 2018
|
||||
|
||||
|
||||
fingerprint-md5, hassh-md5, hasshserver-md5, other, hex, cookie,
|
||||
hostname|port, bro, zeek, anonymised, community-id, email-subject
|
||||
sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other,
|
||||
hex, cookie, hostname|port, bro, zeek, anonymised, community-id,
|
||||
email-subject
|
||||
|
||||
Other
|
||||
comment, text, other, size-in-bytes, counter, datetime, cpe, port,
|
||||
|
@ -612,7 +613,6 @@ Internet-Draft MISP core format August 2018
|
|||
|
||||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires February 9, 2019 [Page 11]
|
||||
|
||||
Internet-Draft MISP core format August 2018
|
||||
|
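Review bot: The page footer and header kept in this hunk still read "Expires February 9, 2019" and "MISP core format August 2018", although the type lists of this draft change in the same commit and the galaxy format draft further down carries October 2019. Regenerate the core format text with a current date and expiry so readers can tell it apart from the August 2018 text.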
@ -631,8 +631,8 @@ Internet-Draft MISP core format August 2018
|
|||
|
||||
Social network
|
||||
github-username, github-repository, github-organisation, jabber-
|
||||
id, twitter-id, email-src, email-dst, comment, text, other, whois-
|
||||
registrant-email, anonymised
|
||||
id, twitter-id, email-src, email-dst, eppn, comment, text, other,
|
||||
whois-registrant-email, anonymised
|
||||
|
||||
Support Tool
|
||||
link, text, attachment, comment, other, hex, anonymised
|
||||
|
@ -917,7 +917,7 @@ Internet-Draft MISP core format August 2018
|
|||
sample, named pipe, mutex, windows-scheduled-task, windows-
|
||||
service-name, windows-service-displayname, comment, text, hex,
|
||||
x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-
|
||||
sha256, other, cookie, gene, mime-type, anonymised
|
||||
sha256, other, cookie, gene, kusto-query, mime-type, anonymised
|
||||
|
||||
Attribution
|
||||
threat-actor, campaign-name, campaign-id, whois-registrant-phone,
|
||||
|
@ -955,12 +955,13 @@ Internet-Draft MISP core format August 2018
|
|||
|
||||
|
||||
ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain,
|
||||
domain|ip, mac-address, mac-eui-64, email-dst, url, uri, user-
|
||||
agent, http-method, AS, snort, pattern-in-file, stix2-pattern,
|
||||
pattern-in-traffic, attachment, comment, text, x509-fingerprint-
|
||||
md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-
|
||||
fingerprint-md5, hassh-md5, hasshserver-md5, other, hex, cookie,
|
||||
hostname|port, bro, zeek, anonymised, community-id, email-subject
|
||||
domain|ip, mac-address, mac-eui-64, email-dst, email-src, eppn,
|
||||
url, uri, user-agent, http-method, AS, snort, pattern-in-file,
|
||||
stix2-pattern, pattern-in-traffic, attachment, comment, text,
|
||||
x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-
|
||||
sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other,
|
||||
hex, cookie, hostname|port, bro, zeek, anonymised, community-id,
|
||||
email-subject
|
||||
|
||||
Other
|
||||
comment, text, other, size-in-bytes, counter, datetime, cpe, port,
|
||||
|
@ -1001,7 +1002,6 @@ Internet-Draft MISP core format August 2018
|
|||
anonymised
|
||||
|
||||
Payload type
|
||||
comment, text, other, anonymised
|
||||
|
||||
|
||||
|
||||
|
@ -1010,6 +1010,8 @@ Dulaunoy & Iklody Expires February 9, 2019 [Page 18]
|
|||
Internet-Draft MISP core format August 2018
|
||||
|
||||
|
||||
comment, text, other, anonymised
|
||||
|
||||
Persistence mechanism
|
||||
filename, regkey, regkey|value, comment, text, other, hex,
|
||||
anonymised
|
||||
|
@ -1027,8 +1029,8 @@ Internet-Draft MISP core format August 2018
|
|||
|
||||
Social network
|
||||
github-username, github-repository, github-organisation, jabber-
|
||||
id, twitter-id, email-src, email-dst, comment, text, other, whois-
|
||||
registrant-email, anonymised
|
||||
id, twitter-id, email-src, email-dst, eppn, comment, text, other,
|
||||
whois-registrant-email, anonymised
|
||||
|
||||
Support Tool
|
||||
link, text, attachment, comment, other, hex, anonymised
|
||||
|
@ -1056,8 +1058,6 @@ Internet-Draft MISP core format August 2018
|
|||
to_ids represents whether the Attribute to be created if the
|
||||
ShadowAttribute is accepted is meant to be actionable. Actionable
|
||||
defined attributes that can be used in automated processes as a
|
||||
pattern for detection in Local or Network Intrusion Detection System,
|
||||
log analysis tools or even filtering mechanisms.
|
||||
|
||||
|
||||
|
||||
|
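Review bot: In the to_ids paragraph shown here, "Actionable defined attributes that can be used in automated processes as a pattern for detection ..." has no main verb, so the definition of "actionable" is left to the reader. Because to_ids on a ShadowAttribute decides whether a third-party proposal may feed an IDS or a filter once accepted, reword it as a full sentence in the source (for example "Actionable attributes are attributes that can be used ...") while the file is being regenerated.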
@ -1066,6 +1066,9 @@ Dulaunoy & Iklody Expires February 9, 2019 [Page 19]
|
|||
Internet-Draft MISP core format August 2018
|
||||
|
||||
|
||||
pattern for detection in Local or Network Intrusion Detection System,
|
||||
log analysis tools or even filtering mechanisms.
|
||||
|
||||
to_ids is represented as a JSON boolean. to_ids MUST be present.
|
||||
|
||||
2.5.2.6. event_id
|
||||
|
@ -1108,11 +1111,8 @@ Internet-Draft MISP core format August 2018
|
|||
|
||||
comment is represented by a JSON string. comment MAY be present.
|
||||
|
||||
2.5.2.10. org_id
|
||||
|
||||
org_id represents a human-readable identifier referencing the
|
||||
proposal creator's Organisation object. A human-readable identifier
|
||||
MUST be represented as an unsigned integer.
|
||||
|
||||
|
||||
|
||||
|
||||
|
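Review bot: The 2.5.2.10 org_id heading and paragraph in this hunk are only pushed onto the next page and reappear unchanged in the following hunk, which buries the real edits (the new attribute types) among pagination hunks. Reviewing the draft source and producing the paginated text as a build output, or committing it separately, would keep the content changes readable.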
@ -1122,6 +1122,12 @@ Dulaunoy & Iklody Expires February 9, 2019 [Page 20]
|
|||
Internet-Draft MISP core format August 2018
|
||||
|
||||
|
||||
2.5.2.10. org_id
|
||||
|
||||
org_id represents a human-readable identifier referencing the
|
||||
proposal creator's Organisation object. A human-readable identifier
|
||||
MUST be represented as an unsigned integer.
|
||||
|
||||
Whilst attributes can only be created by the event creator
|
||||
organisation, shadow attributes can be created by third parties.
|
||||
org_id tracks the creator organisation.
|
||||
|
@ -1164,12 +1170,6 @@ Internet-Draft MISP core format August 2018
|
|||
seen. first_seen as an ISO 8601 datetime up to the micro-second with
|
||||
time zone support.
|
||||
|
||||
first_seen is represented as a JSON string. first_seen MAY be
|
||||
present.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
@ -1178,6 +1178,9 @@ Dulaunoy & Iklody Expires February 9, 2019 [Page 21]
|
|||
Internet-Draft MISP core format August 2018
|
||||
|
||||
|
||||
first_seen is represented as a JSON string. first_seen MAY be
|
||||
present.
|
||||
|
||||
2.5.2.15. last_seen
|
||||
|
||||
last_seen represents a reference time when the attribute was last
|
||||
|
@ -1223,9 +1226,6 @@ Internet-Draft MISP core format August 2018
|
|||
within an event. Their main purpose is to describe more complex
|
||||
structures than can be described by a single attribute Each object is
|
||||
created using an Object Template and carries the meta-data of the
|
||||
template used for its creation within. Objects belong to a meta-
|
||||
category and are defined by a name.
|
||||
|
||||
|
||||
|
||||
|
||||
|
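Review bot: The line "structures than can be described by a single attribute Each object is" is missing the full stop after "attribute". It is untouched by this change, but the paragraph is being re-paginated here, so fix it in the source before the next regeneration.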
@ -1234,6 +1234,9 @@ Dulaunoy & Iklody Expires February 9, 2019 [Page 22]
|
|||
Internet-Draft MISP core format August 2018
|
||||
|
||||
|
||||
template used for its creation within. Objects belong to a meta-
|
||||
category and are defined by a name.
|
||||
|
||||
The schema used is described by the template_uuid and
|
||||
template_version fields.
|
||||
|
||||
|
@ -1262,9 +1265,6 @@ Internet-Draft MISP core format August 2018
|
|||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
|
|
@ -522,8 +522,8 @@
|
|||
<h1 id="rfc.section.2.4">
|
||||
<a href="#rfc.section.2.4">2.4.</a> <a href="#meta" id="meta">meta</a>
|
||||
</h1>
|
||||
<p id="rfc.section.2.4.p.1">Meta contains a list of custom defined JSON key value pairs. Users SHOULD reuse commonly used keys such as complexity, effectiveness, country, possible_issues, colour, motive, impact, refs, synonyms, status, date, encryption, extensions, ransomnotes, ransomnotes-filenames, ransomnotes-refs, suspected-victims, suspected-state-sponsor, type-of-incident, target-category, cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-category, attribution-confidence, payment-method, price wherever applicable. Additional meta field MAY be added without the need to be referenced or registered in advance.</p>
|
||||
<p id="rfc.section.2.4.p.2">refs, synonyms SHALL be used to give further informations. refs is represented as an array containing one or more strings and SHALL be present. synonyms is represented as an array containing one or more strings and SHALL be present.</p>
|
||||
<p id="rfc.section.2.4.p.1">Meta contains a list of custom defined JSON key value pairs. Users SHOULD reuse commonly used keys such as complexity, effectiveness, country, possible_issues, colour, motive, impact, refs, synonyms, status, date, encryption, extensions, ransomnotes, ransomnotes-filenames, ransomnotes-refs, suspected-victims, suspected-state-sponsor, type-of-incident, target-category, cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-category, attribution-confidence, payment-method, price, spoken-language, official-refs wherever applicable. Additional meta field MAY be added without the need to be referenced or registered in advance.</p>
|
||||
<p id="rfc.section.2.4.p.2">refs, synonyms, official-refs SHALL be used to give further informations. refs is represented as an array containing one or more strings and SHALL be present. synonyms is represented as an array containing one or more strings and SHALL be present. official-refs is represented as an array containing one or more strings and SHALL be present.</p>
|
||||
<p id="rfc.section.2.4.p.3">date, status MAY be used to give time information about an cluster. date is represented as a string describing a time or period and SHALL be present. status is represented as a string describing the current status of the clusters. It MAY also describe a time or period and SHALL be present.</p>
|
||||
<p id="rfc.section.2.4.p.4">colour fields MAY be used at predicates or values level to set a specify colour that MAY be used by the implementation. The colour field is described as an RGB colour fill in hexadecimal representation.</p>
|
||||
<p id="rfc.section.2.4.p.5">complexity, effectiveness, impact, possible<em>issues MAY be used to give further information in preventive-measure galaxy. complexity is represented by an enumerated value from a fixed vocabulary and SHALL be present. effectiveness is represented by an enumerated value from a fixed vocabulary and SHALL be present. impact is represented by an enumerated value from a fixed vocabulary and SHALL be present. possible</em>issues is represented as a string and SHOULD be present.</p>
|
||||
|
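Review bot: In paragraph rfc.section.2.4.p.5 the key name is rendered as possible<em>issues ... possible</em>issues, so the underscore in possible_issues has been consumed as emphasis markup and the HTML no longer shows the real key (the text rendering of the same paragraph has possible_issues). Escape the underscore in the source; the same check applies to any other key that contains an underscore.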
@ -546,7 +546,7 @@
|
|||
"uuid": "e6df1619-f8b3-476c-b5cf-22b4c9e9dd7f"
|
||||
}
|
||||
</pre>
|
||||
<p id="rfc.section.2.4.p.7">country, motive MAY be used to give further information in threat-actor galaxy. country is represented as a string and SHOULD be present. motive is represented as a string and SHOULD be present.</p>
|
||||
<p id="rfc.section.2.4.p.7">country, motive, spoken-language MAY be used to give further information in threat-actor galaxy. country is represented as a string and SHOULD be present. motive is represented as a string and SHOULD be present. spoken-language is represented as an array containing one or more strings describing a language using ISO 639-2 code and SHALL be present.</p>
|
||||
<p id="rfc.section.2.4.p.8">Example use of the country, motive fields in the threat-actor galaxy:</p>
|
||||
<pre>{
|
||||
"meta": {
|
||||
|
|
|
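Review bot: The new sentence in rfc.section.2.4.p.7 says spoken-language "SHALL be present", while the paragraph opens with "MAY be used" and gives country and motive only "SHOULD be present"; pick one requirement level and say whether it applies to every threat-actor cluster or only when the key is used. The sentence should also name which ISO 639-2 code is meant, since the standard defines bibliographic and terminologic variants for some languages, and the lead-in in p.8 ("Example use of the country, motive fields") needs spoken-language added if the example is extended.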
@ -195,14 +195,17 @@ Internet-Draft MISP galaxy format October 2019
|
|||
filenames, ransomnotes-refs, suspected-victims, suspected-state-
|
||||
sponsor, type-of-incident, target-category, cfr-suspected-victims,
|
||||
cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-
|
||||
category, attribution-confidence, payment-method, price wherever
|
||||
applicable. Additional meta field MAY be added without the need to
|
||||
be referenced or registered in advance.
|
||||
category, attribution-confidence, payment-method, price, spoken-
|
||||
language, official-refs wherever applicable. Additional meta field
|
||||
MAY be added without the need to be referenced or registered in
|
||||
advance.
|
||||
|
||||
refs, synonyms SHALL be used to give further informations. refs is
|
||||
refs, synonyms, official-refs SHALL be used to give further
|
||||
informations. refs is represented as an array containing one or more
|
||||
strings and SHALL be present. synonyms is represented as an array
|
||||
containing one or more strings and SHALL be present. official-refs is
|
||||
represented as an array containing one or more strings and SHALL be
|
||||
present. synonyms is represented as an array containing one or more
|
||||
strings and SHALL be present.
|
||||
present.
|
||||
|
||||
date, status MAY be used to give time information about an cluster.
|
||||
date is represented as a string describing a time or period and SHALL
|
||||
|
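Review bot: official-refs is introduced with exactly the wording used for refs ("an array containing one or more strings and SHALL be present"), with no statement of how an official reference differs from an ordinary one or who decides that a source is official. Add one sentence defining it, and clarify whether "SHALL be present" makes the key mandatory for every cluster, which would leave existing clusters without it non-conformant, or only forbids an empty array when the key is used. "informations" in the first changed sentence should read "information".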
@ -215,9 +218,6 @@ Internet-Draft MISP galaxy format October 2019
|
|||
field is described as an RGB colour fill in hexadecimal
|
||||
representation.
|
||||
|
||||
complexity, effectiveness, impact, possible_issues MAY be used to
|
||||
give further information in preventive-measure galaxy. complexity is
|
||||
represented by an enumerated value from a fixed vocabulary and SHALL
|
||||
|
||||
|
||||
|
||||
|
@ -226,6 +226,9 @@ Dulaunoy, et al. Expires April 6, 2020 [Page 4]
|
|||
Internet-Draft MISP galaxy format October 2019
|
||||
|
||||
|
||||
complexity, effectiveness, impact, possible_issues MAY be used to
|
||||
give further information in preventive-measure galaxy. complexity is
|
||||
represented by an enumerated value from a fixed vocabulary and SHALL
|
||||
be present. effectiveness is represented by an enumerated value from
|
||||
a fixed vocabulary and SHALL be present. impact is represented by an
|
||||
enumerated value from a fixed vocabulary and SHALL be present.
|
||||
|
@ -252,9 +255,12 @@ Internet-Draft MISP galaxy format October 2019
|
|||
"uuid": "e6df1619-f8b3-476c-b5cf-22b4c9e9dd7f"
|
||||
}
|
||||
|
||||
country, motive MAY be used to give further information in threat-
|
||||
actor galaxy. country is represented as a string and SHOULD be
|
||||
present. motive is represented as a string and SHOULD be present.
|
||||
country, motive, spoken-language MAY be used to give further
|
||||
information in threat-actor galaxy. country is represented as a
|
||||
string and SHOULD be present. motive is represented as a string and
|
||||
SHOULD be present. spoken-language is represented as an array
|
||||
containing one or more strings describing a language using ISO 639-2
|
||||
code and SHALL be present.
|
||||
|
||||
Example use of the country, motive fields in the threat-actor galaxy:
|
||||
|
||||
|
@ -271,12 +277,6 @@ Internet-Draft MISP galaxy format October 2019
|
|||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Dulaunoy, et al. Expires April 6, 2020 [Page 5]
|
||||
|
||||
Internet-Draft MISP galaxy format October 2019
|
||||
|
|