chg: [misp-core] standard updated regarding first_seen/last_seen added at attribute and object level
parent
55f6d63494
commit
bcac386ce1
|
@ -813,10 +813,10 @@
|
||||||
<br>comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean, anonymised</dd>
|
<br>comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean, anonymised</dd>
|
||||||
<dt>Payload delivery</dt>
|
<dt>Payload delivery</dt>
|
||||||
<dd style="margin-left: 8">
|
<dd style="margin-left: 8">
|
||||||
<br>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, whois-registrant-email, anonymised</dd>
|
<br>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised</dd>
|
||||||
<dt>Payload installation</dt>
|
<dt>Payload installation</dt>
|
||||||
<dd style="margin-left: 8">
|
<dd style="margin-left: 8">
|
||||||
<br>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, stix2-pattern, yara, sigma, vulnerability, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, other, mime-type, anonymised</dd>
|
<br>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, stix2-pattern, yara, sigma, vulnerability, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, chrome-extension-id, other, mime-type, anonymised</dd>
|
||||||
<dt>Payload type</dt>
|
<dt>Payload type</dt>
|
||||||
<dd style="margin-left: 8">
|
<dd style="margin-left: 8">
|
||||||
<br>comment, text, other, anonymised</dd>
|
<br>comment, text, other, anonymised</dd>
|
||||||
|
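Review bot: the only change in this hunk is the new "chrome-extension-id" type in the Payload delivery and Payload installation lists, which the commit subject (first_seen/last_seen at attribute and object level) does not mention. Suggest either naming the new attribute type in the commit message or moving it to its own commit, so that someone searching the history for when "chrome-extension-id" entered the standard can find it.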
@ -1011,10 +1011,10 @@
|
||||||
<br>comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean, anonymised</dd>
|
<br>comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean, anonymised</dd>
|
||||||
<dt>Payload delivery</dt>
|
<dt>Payload delivery</dt>
|
||||||
<dd style="margin-left: 8">
|
<dd style="margin-left: 8">
|
||||||
<br>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, whois-registrant-email, anonymised</dd>
|
<br>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised</dd>
|
||||||
<dt>Payload installation</dt>
|
<dt>Payload installation</dt>
|
||||||
<dd style="margin-left: 8">
|
<dd style="margin-left: 8">
|
||||||
<br>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, stix2-pattern, yara, sigma, vulnerability, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, other, mime-type, anonymised</dd>
|
<br>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, stix2-pattern, yara, sigma, vulnerability, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, chrome-extension-id, other, mime-type, anonymised</dd>
|
||||||
<dt>Payload type</dt>
|
<dt>Payload type</dt>
|
||||||
<dd style="margin-left: 8">
|
<dd style="margin-left: 8">
|
||||||
<br>comment, text, other, anonymised</dd>
|
<br>comment, text, other, anonymised</dd>
|
||||||
|
@ -1701,6 +1701,12 @@
|
||||||
"timestamp": {
|
"timestamp": {
|
||||||
"type": "string"
|
"type": "string"
|
||||||
},
|
},
|
||||||
|
"first_seen": {
|
||||||
|
"type": "string"
|
||||||
|
},
|
||||||
|
"last_seen": {
|
||||||
|
"type": "string"
|
||||||
|
},
|
||||||
"distribution": {
|
"distribution": {
|
||||||
"type": "string"
|
"type": "string"
|
||||||
},
|
},
|
||||||
|
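Review bot: "first_seen" and "last_seen" are declared with nothing more than "type": "string", so the schema accepts any string and does not tell a consumer which timestamp representation to expect or how the two values relate to each other. None of the hunks shown on this page adds prose describing the fields. Suggest stating the expected format in the text of the standard and, if it can be pinned down, constraining it in the schema with a "pattern" or "format" keyword so that malformed values are rejected at validation time rather than by each downstream parser.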
@ -1868,6 +1874,12 @@
|
||||||
"timestamp": {
|
"timestamp": {
|
||||||
"type": "string"
|
"type": "string"
|
||||||
},
|
},
|
||||||
|
"first_seen": {
|
||||||
|
"type": "string"
|
||||||
|
},
|
||||||
|
"last_seen": {
|
||||||
|
"type": "string"
|
||||||
|
},
|
||||||
"comment": {
|
"comment": {
|
||||||
"type": "string"
|
"type": "string"
|
||||||
},
|
},
|
||||||
|
|
|
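Review bot: the two declarations added after "timestamp" here are identical to the pair added in the hunk at -1701, so any later tightening of the accepted value would have to be applied in both places. Suggest declaring the seen-timestamp type once and referencing it from both definitions, in the way the schema already uses "$ref": "#/defs/galaxy", so the attribute-level and object-level fields cannot drift apart.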
@ -100,7 +100,7 @@ Table of Contents
|
||||||
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 51
|
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 51
|
||||||
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 51
|
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 51
|
||||||
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 51
|
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 51
|
||||||
9.1. Normative References . . . . . . . . . . . . . . . . . . 51
|
9.1. Normative References . . . . . . . . . . . . . . . . . . 52
|
||||||
9.2. Informative References . . . . . . . . . . . . . . . . . 52
|
9.2. Informative References . . . . . . . . . . . . . . . . . 52
|
||||||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 52
|
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 52
|
||||||
|
|
||||||
|
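Review bot: the unchanged context in this table of contents lists "8. References" and "9. References" one after the other, both on page 51, which looks like a duplicated section heading in the source document rather than two distinct sections. This commit only shifts the page number for 9.1, but since the rendered file is being regenerated anyway, suggest removing the duplicate heading in the source in a follow-up.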
@ -588,7 +588,7 @@ Internet-Draft MISP core format August 2018
|
||||||
hostname|port, email-dst-display-name, email-src-display-name,
|
hostname|port, email-dst-display-name, email-src-display-name,
|
||||||
email-header, email-reply-to, email-x-mailer, email-mime-boundary,
|
email-header, email-reply-to, email-x-mailer, email-mime-boundary,
|
||||||
email-thread-index, email-message-id, mobile-application-id,
|
email-thread-index, email-message-id, mobile-application-id,
|
||||||
whois-registrant-email, anonymised
|
chrome-extension-id, whois-registrant-email, anonymised
|
||||||
|
|
||||||
Payload installation
|
Payload installation
|
||||||
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
|
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
|
||||||
|
@ -601,8 +601,8 @@ Internet-Draft MISP core format August 2018
|
||||||
traffic, pattern-in-memory, stix2-pattern, yara, sigma,
|
traffic, pattern-in-memory, stix2-pattern, yara, sigma,
|
||||||
vulnerability, weakness, attachment, malware-sample, malware-type,
|
vulnerability, weakness, attachment, malware-sample, malware-type,
|
||||||
comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5,
|
comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5,
|
||||||
x509-fingerprint-sha256, mobile-application-id, other, mime-type,
|
x509-fingerprint-sha256, mobile-application-id, chrome-extension-
|
||||||
anonymised
|
id, other, mime-type, anonymised
|
||||||
|
|
||||||
Payload type
|
Payload type
|
||||||
comment, text, other, anonymised
|
comment, text, other, anonymised
|
||||||
|
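Review bot: on the new side the type name is wrapped across two lines as "chrome-extension-" and "id, other, mime-type, anonymised", so a text search for "chrome-extension-id" in the rendered .txt does not match this occurrence and a reader copying the list gets a broken identifier. If the rendering tool allows it, suggest keeping the identifier on one line (for example by marking it as non-breaking in the source) rather than editing the generated text by hand.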
@ -985,7 +985,7 @@ Internet-Draft MISP core format August 2018
|
||||||
hostname|port, email-dst-display-name, email-src-display-name,
|
hostname|port, email-dst-display-name, email-src-display-name,
|
||||||
email-header, email-reply-to, email-x-mailer, email-mime-boundary,
|
email-header, email-reply-to, email-x-mailer, email-mime-boundary,
|
||||||
email-thread-index, email-message-id, mobile-application-id,
|
email-thread-index, email-message-id, mobile-application-id,
|
||||||
whois-registrant-email, anonymised
|
chrome-extension-id, whois-registrant-email, anonymised
|
||||||
|
|
||||||
Payload installation
|
Payload installation
|
||||||
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
|
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
|
||||||
|
@ -998,8 +998,8 @@ Internet-Draft MISP core format August 2018
|
||||||
traffic, pattern-in-memory, stix2-pattern, yara, sigma,
|
traffic, pattern-in-memory, stix2-pattern, yara, sigma,
|
||||||
vulnerability, weakness, attachment, malware-sample, malware-type,
|
vulnerability, weakness, attachment, malware-sample, malware-type,
|
||||||
comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5,
|
comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5,
|
||||||
x509-fingerprint-sha256, mobile-application-id, other, mime-type,
|
x509-fingerprint-sha256, mobile-application-id, chrome-extension-
|
||||||
anonymised
|
id, other, mime-type, anonymised
|
||||||
|
|
||||||
Payload type
|
Payload type
|
||||||
|
|
||||||
|
@ -2144,6 +2144,12 @@ Internet-Draft MISP core format August 2018
|
||||||
"timestamp": {
|
"timestamp": {
|
||||||
"type": "string"
|
"type": "string"
|
||||||
},
|
},
|
||||||
|
"first_seen": {
|
||||||
|
"type": "string"
|
||||||
|
},
|
||||||
|
"last_seen": {
|
||||||
|
"type": "string"
|
||||||
|
},
|
||||||
"distribution": {
|
"distribution": {
|
||||||
"type": "string"
|
"type": "string"
|
||||||
},
|
},
|
||||||
|
@ -2172,12 +2178,6 @@ Internet-Draft MISP core format August 2018
|
||||||
"sighthing": {
|
"sighthing": {
|
||||||
"type": "object",
|
"type": "object",
|
||||||
"additionalProperties": false,
|
"additionalProperties": false,
|
||||||
"properties": {
|
|
||||||
"id": {
|
|
||||||
"type": "string"
|
|
||||||
},
|
|
||||||
"attribute_id": {
|
|
||||||
"type": "string"
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
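Review bot: the definition key in the context lines is spelled "sighthing". If that is a typo for the sighting definition, it is worth correcting together with every "$ref" that points at it, in a separate change, since this hunk only moves the "properties" block across a page break and renaming a schema key is not a cosmetic edit for validators that already depend on it.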
@ -2186,6 +2186,12 @@ Dulaunoy & Iklody Expires February 9, 2019 [Page 39]
|
||||||
Internet-Draft MISP core format August 2018
|
Internet-Draft MISP core format August 2018
|
||||||
|
|
||||||
|
|
||||||
|
"properties": {
|
||||||
|
"id": {
|
||||||
|
"type": "string"
|
||||||
|
},
|
||||||
|
"attribute_id": {
|
||||||
|
"type": "string"
|
||||||
},
|
},
|
||||||
"event_id": {
|
"event_id": {
|
||||||
"type": "string"
|
"type": "string"
|
||||||
|
@ -2228,12 +2234,6 @@ Internet-Draft MISP core format August 2018
|
||||||
"objectreference": {
|
"objectreference": {
|
||||||
"type": "object",
|
"type": "object",
|
||||||
"additionalProperties": false,
|
"additionalProperties": false,
|
||||||
"properties": {
|
|
||||||
"deleted": {
|
|
||||||
"type": "boolean"
|
|
||||||
},
|
|
||||||
"object_id": {
|
|
||||||
"type": "string"
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -2242,6 +2242,12 @@ Dulaunoy & Iklody Expires February 9, 2019 [Page 40]
|
||||||
Internet-Draft MISP core format August 2018
|
Internet-Draft MISP core format August 2018
|
||||||
|
|
||||||
|
|
||||||
|
"properties": {
|
||||||
|
"deleted": {
|
||||||
|
"type": "boolean"
|
||||||
|
},
|
||||||
|
"object_id": {
|
||||||
|
"type": "string"
|
||||||
},
|
},
|
||||||
"event_id": {
|
"event_id": {
|
||||||
"type": "string"
|
"type": "string"
|
||||||
|
@ -2284,12 +2290,6 @@ Internet-Draft MISP core format August 2018
|
||||||
"attribute": {
|
"attribute": {
|
||||||
"type": "object",
|
"type": "object",
|
||||||
"additionalProperties": false,
|
"additionalProperties": false,
|
||||||
"properties": {
|
|
||||||
"id": {
|
|
||||||
"type": "string"
|
|
||||||
},
|
|
||||||
"old_id": {
|
|
||||||
"type": "string"
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -2298,6 +2298,12 @@ Dulaunoy & Iklody Expires February 9, 2019 [Page 41]
|
||||||
Internet-Draft MISP core format August 2018
|
Internet-Draft MISP core format August 2018
|
||||||
|
|
||||||
|
|
||||||
|
"properties": {
|
||||||
|
"id": {
|
||||||
|
"type": "string"
|
||||||
|
},
|
||||||
|
"old_id": {
|
||||||
|
"type": "string"
|
||||||
},
|
},
|
||||||
"type": {
|
"type": {
|
||||||
"type": "string"
|
"type": "string"
|
||||||
|
@ -2334,6 +2340,20 @@ Internet-Draft MISP core format August 2018
|
||||||
},
|
},
|
||||||
"timestamp": {
|
"timestamp": {
|
||||||
"type": "string"
|
"type": "string"
|
||||||
|
},
|
||||||
|
"first_seen": {
|
||||||
|
"type": "string"
|
||||||
|
},
|
||||||
|
"last_seen": {
|
||||||
|
"type": "string"
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Dulaunoy & Iklody Expires February 9, 2019 [Page 42]
|
||||||
|
|
||||||
|
Internet-Draft MISP core format August 2018
|
||||||
|
|
||||||
|
|
||||||
},
|
},
|
||||||
"comment": {
|
"comment": {
|
||||||
"type": "string"
|
"type": "string"
|
||||||
|
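Review bot: the substantive addition here ("first_seen" and "last_seen" after "timestamp" in the attribute definition) is interleaved with a moved page footer and header ("[Page 42]"), and the hunks that follow are almost entirely the same footer shifting down page by page. That makes it hard to confirm that nothing else in the schema changed. Suggest committing the source change and the regenerated .txt/.html output separately, or stating in the commit message that the remaining hunks are pagination only.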
@ -2346,14 +2366,6 @@ Internet-Draft MISP core format August 2018
|
||||||
},
|
},
|
||||||
"disable_correlation": {
|
"disable_correlation": {
|
||||||
"type": "boolean"
|
"type": "boolean"
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires February 9, 2019 [Page 42]
|
|
||||||
|
|
||||||
Internet-Draft MISP core format August 2018
|
|
||||||
|
|
||||||
|
|
||||||
},
|
},
|
||||||
"value": {
|
"value": {
|
||||||
"type": "string"
|
"type": "string"
|
||||||
|
@ -2390,6 +2402,14 @@ Internet-Draft MISP core format August 2018
|
||||||
"items": {
|
"items": {
|
||||||
"$ref": "#/defs/galaxy"
|
"$ref": "#/defs/galaxy"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Dulaunoy & Iklody Expires February 9, 2019 [Page 43]
|
||||||
|
|
||||||
|
Internet-Draft MISP core format August 2018
|
||||||
|
|
||||||
|
|
||||||
},
|
},
|
||||||
"Tag": {
|
"Tag": {
|
||||||
"uniqueItems": true,
|
"uniqueItems": true,
|
||||||
|
@ -2402,14 +2422,6 @@ Internet-Draft MISP core format August 2018
|
||||||
},
|
},
|
||||||
"event": {
|
"event": {
|
||||||
"type": "object",
|
"type": "object",
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires February 9, 2019 [Page 43]
|
|
||||||
|
|
||||||
Internet-Draft MISP core format August 2018
|
|
||||||
|
|
||||||
|
|
||||||
"additionalProperties": false,
|
"additionalProperties": false,
|
||||||
"properties": {
|
"properties": {
|
||||||
"id": {
|
"id": {
|
||||||
|
@ -2446,6 +2458,14 @@ Internet-Draft MISP core format August 2018
|
||||||
"type": "string"
|
"type": "string"
|
||||||
},
|
},
|
||||||
"timestamp": {
|
"timestamp": {
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Dulaunoy & Iklody Expires February 9, 2019 [Page 44]
|
||||||
|
|
||||||
|
Internet-Draft MISP core format August 2018
|
||||||
|
|
||||||
|
|
||||||
"type": "string"
|
"type": "string"
|
||||||
},
|
},
|
||||||
"distribution": {
|
"distribution": {
|
||||||
|
@ -2458,14 +2478,6 @@ Internet-Draft MISP core format August 2018
|
||||||
"type": "boolean"
|
"type": "boolean"
|
||||||
},
|
},
|
||||||
"publish_timestamp": {
|
"publish_timestamp": {
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires February 9, 2019 [Page 44]
|
|
||||||
|
|
||||||
Internet-Draft MISP core format August 2018
|
|
||||||
|
|
||||||
|
|
||||||
"type": "string"
|
"type": "string"
|
||||||
},
|
},
|
||||||
"sharing_group_id": {
|
"sharing_group_id": {
|
||||||
|
@ -2502,6 +2514,14 @@ Internet-Draft MISP core format August 2018
|
||||||
},
|
},
|
||||||
"RelatedEvent": {
|
"RelatedEvent": {
|
||||||
"type": "array",
|
"type": "array",
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Dulaunoy & Iklody Expires February 9, 2019 [Page 45]
|
||||||
|
|
||||||
|
Internet-Draft MISP core format August 2018
|
||||||
|
|
||||||
|
|
||||||
"uniqueItems": true,
|
"uniqueItems": true,
|
||||||
"items": {
|
"items": {
|
||||||
"type": "object",
|
"type": "object",
|
||||||
|
@ -2514,14 +2534,6 @@ Internet-Draft MISP core format August 2018
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"Galaxy": {
|
"Galaxy": {
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires February 9, 2019 [Page 45]
|
|
||||||
|
|
||||||
Internet-Draft MISP core format August 2018
|
|
||||||
|
|
||||||
|
|
||||||
"type": "array",
|
"type": "array",
|
||||||
"uniqueItems": true,
|
"uniqueItems": true,
|
||||||
"items": {
|
"items": {
|
||||||
|
@ -2558,6 +2570,14 @@ Internet-Draft MISP core format August 2018
|
||||||
"type": "string"
|
"type": "string"
|
||||||
},
|
},
|
||||||
"exportable": {
|
"exportable": {
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Dulaunoy & Iklody Expires February 9, 2019 [Page 46]
|
||||||
|
|
||||||
|
Internet-Draft MISP core format August 2018
|
||||||
|
|
||||||
|
|
||||||
"type": "boolean"
|
"type": "boolean"
|
||||||
},
|
},
|
||||||
"hide_tag": {
|
"hide_tag": {
|
||||||
|
@ -2570,14 +2590,6 @@ Internet-Draft MISP core format August 2018
|
||||||
},
|
},
|
||||||
"galaxy": {
|
"galaxy": {
|
||||||
"type": "object",
|
"type": "object",
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires February 9, 2019 [Page 46]
|
|
||||||
|
|
||||||
Internet-Draft MISP core format August 2018
|
|
||||||
|
|
||||||
|
|
||||||
"additionalProperties": false,
|
"additionalProperties": false,
|
||||||
"properties": {
|
"properties": {
|
||||||
"id": {
|
"id": {
|
||||||
|
@ -2614,6 +2626,14 @@ Internet-Draft MISP core format August 2018
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"galaxy_cluster": {
|
"galaxy_cluster": {
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Dulaunoy & Iklody Expires February 9, 2019 [Page 47]
|
||||||
|
|
||||||
|
Internet-Draft MISP core format August 2018
|
||||||
|
|
||||||
|
|
||||||
"type": "object",
|
"type": "object",
|
||||||
"additionalProperties": false,
|
"additionalProperties": false,
|
||||||
"properties": {
|
"properties": {
|
||||||
|
@ -2626,14 +2646,6 @@ Internet-Draft MISP core format August 2018
|
||||||
"type": {
|
"type": {
|
||||||
"type": "string"
|
"type": "string"
|
||||||
},
|
},
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires February 9, 2019 [Page 47]
|
|
||||||
|
|
||||||
Internet-Draft MISP core format August 2018
|
|
||||||
|
|
||||||
|
|
||||||
"value": {
|
"value": {
|
||||||
"type": "string"
|
"type": "string"
|
||||||
},
|
},
|
||||||
|
@ -2670,6 +2682,14 @@ Internet-Draft MISP core format August 2018
|
||||||
},
|
},
|
||||||
"type": "object",
|
"type": "object",
|
||||||
"properties": {
|
"properties": {
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Dulaunoy & Iklody Expires February 9, 2019 [Page 48]
|
||||||
|
|
||||||
|
Internet-Draft MISP core format August 2018
|
||||||
|
|
||||||
|
|
||||||
"Event": {
|
"Event": {
|
||||||
"$ref": "#/defs/event"
|
"$ref": "#/defs/event"
|
||||||
}
|
}
|
||||||
|
@ -2679,17 +2699,6 @@ Internet-Draft MISP core format August 2018
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires February 9, 2019 [Page 48]
|
|
||||||
|
|
||||||
Internet-Draft MISP core format August 2018
|
|
||||||
|
|
||||||
|
|
||||||
4. Manifest
|
4. Manifest
|
||||||
|
|
||||||
MISP events can be shared over an HTTP repository, a file package or
|
MISP events can be shared over an HTTP repository, a file package or
|
||||||
|
@ -2729,6 +2738,14 @@ Internet-Draft MISP core format August 2018
|
||||||
representation of the associated MISP event file to ensure
|
representation of the associated MISP event file to ensure
|
||||||
integrity of the file. (SHOULD)
|
integrity of the file. (SHOULD)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Dulaunoy & Iklody Expires February 9, 2019 [Page 49]
|
||||||
|
|
||||||
|
Internet-Draft MISP core format August 2018
|
||||||
|
|
||||||
|
|
||||||
o integrity:pgp represents a detached PGP signature [RFC4880] of the
|
o integrity:pgp represents a detached PGP signature [RFC4880] of the
|
||||||
associated MISP event file to ensure integrity of the file.
|
associated MISP event file to ensure integrity of the file.
|
||||||
(SHOULD)
|
(SHOULD)
|
||||||
|
@ -2738,14 +2755,6 @@ Internet-Draft MISP core format August 2018
|
||||||
detached PGP signature for a manifest file is a manifest.json.asc
|
detached PGP signature for a manifest file is a manifest.json.asc
|
||||||
file containing the PGP signature.
|
file containing the PGP signature.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires February 9, 2019 [Page 49]
|
|
||||||
|
|
||||||
Internet-Draft MISP core format August 2018
|
|
||||||
|
|
||||||
|
|
||||||
4.1.1. Sample Manifest
|
4.1.1. Sample Manifest
|
||||||
|
|
||||||
{
|
{
|
||||||
|
@ -2785,6 +2794,14 @@ Internet-Draft MISP core format August 2018
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"colour": "#3d7a00",
|
"colour": "#3d7a00",
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Dulaunoy & Iklody Expires February 9, 2019 [Page 50]
|
||||||
|
|
||||||
|
Internet-Draft MISP core format August 2018
|
||||||
|
|
||||||
|
|
||||||
"name": "circl:incident-classification=\"malware\""
|
"name": "circl:incident-classification=\"malware\""
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
@ -2794,14 +2811,6 @@ Internet-Draft MISP core format August 2018
|
||||||
],
|
],
|
||||||
"timestamp": "1461764231",
|
"timestamp": "1461764231",
|
||||||
"date": "2016-04-27",
|
"date": "2016-04-27",
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires February 9, 2019 [Page 50]
|
|
||||||
|
|
||||||
Internet-Draft MISP core format August 2018
|
|
||||||
|
|
||||||
|
|
||||||
"threat_level_id": "3"
|
"threat_level_id": "3"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -2837,6 +2846,18 @@ Internet-Draft MISP core format August 2018
|
||||||
|
|
||||||
9. References
|
9. References
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Dulaunoy & Iklody Expires February 9, 2019 [Page 51]
|
||||||
|
|
||||||
|
Internet-Draft MISP core format August 2018
|
||||||
|
|
||||||
|
|
||||||
9.1. Normative References
|
9.1. Normative References
|
||||||
|
|
||||||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
|
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
|
||||||
|
@ -2849,15 +2870,6 @@ Internet-Draft MISP core format August 2018
|
||||||
DOI 10.17487/RFC4122, July 2005,
|
DOI 10.17487/RFC4122, July 2005,
|
||||||
<https://www.rfc-editor.org/info/rfc4122>.
|
<https://www.rfc-editor.org/info/rfc4122>.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires February 9, 2019 [Page 51]
|
|
||||||
|
|
||||||
Internet-Draft MISP core format August 2018
|
|
||||||
|
|
||||||
|
|
||||||
[RFC4880] Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R.
|
[RFC4880] Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R.
|
||||||
Thayer, "OpenPGP Message Format", RFC 4880,
|
Thayer, "OpenPGP Message Format", RFC 4880,
|
||||||
DOI 10.17487/RFC4880, November 2007,
|
DOI 10.17487/RFC4880, November 2007,
|
||||||
|
@ -2888,6 +2900,20 @@ Internet-Draft MISP core format August 2018
|
||||||
|
|
||||||
Authors' Addresses
|
Authors' Addresses
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Dulaunoy & Iklody Expires February 9, 2019 [Page 52]
|
||||||
|
|
||||||
|
Internet-Draft MISP core format August 2018
|
||||||
|
|
||||||
|
|
||||||
Alexandre Dulaunoy
|
Alexandre Dulaunoy
|
||||||
Computer Incident Response Center Luxembourg
|
Computer Incident Response Center Luxembourg
|
||||||
16, bd d'Avranches
|
16, bd d'Avranches
|
||||||
|
@ -2909,4 +2935,34 @@ Authors' Addresses
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires February 9, 2019 [Page 52]
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Dulaunoy & Iklody Expires February 9, 2019 [Page 53]
|
||||||
|
|
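Review bot: the new side of this hunk ends with a long run of blank lines followed only by a "[Page 53]" footer, so the regenerated text appears to gain a trailing page with no content after Authors' Addresses. Suggest checking the generator output and the table of contents page numbers before merging, and trimming the empty page if it is not intended.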