chg: [core] updated

master
Alexandre Dulaunoy 2023-02-26 12:40:21 +01:00
parent b264a322af
commit dac0ccfb83
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
2 changed files with 213 additions and 213 deletions

View File

@ -15,7 +15,7 @@ respective key. The format is described to support other implementations which r
format and ensuring an interoperability with existing MISP software and other Threat Intelligence Platforms.
" name="description">
<meta content="xml2rfc 3.12.1" name="generator">
<meta content="draft-00" name="ietf.draft">
<meta content="draft-16" name="ietf.draft">
<!-- Generator version information:
xml2rfc 3.12.1
Python 3.8.10
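Review bot: the `ietf.draft` meta value moves from `draft-00` to `draft-16` in this hunk, but the commit message ("chg: [core] updated") names neither that revision nor the `azure-application-id` attribute type added further down. Suggest a message that states the draft revision and the new type, so the change can be found from the log without reading through the rendered HTML and text output.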
@ -24,16 +24,16 @@ format and ensuring an interoperability with existing MISP software and other
google-i18n-address 2.5.0
html5lib 1.1
intervaltree 3.1.0
Jinja2 2.11.3
Jinja2 3.1.2
kitchen 1.2.6
lxml 4.7.1
lxml 4.9.1
pycairo 1.16.2
pycountry 22.1.10
pycountry 22.3.5
pyflakes 2.4.0
PyYAML 5.4.1
requests 2.24.0
setuptools 45.2.0
six 1.15.0
PyYAML 6.0
requests 2.28.1
setuptools 65.4.0
six 1.16.0
-->
<link href="raw.md.xml" rel="alternate" type="application/rfc+xml">
<link href="#copyright" rel="license">
@ -1190,11 +1190,11 @@ li > p:last-of-type {
<thead><tr>
<td class="left">Internet-Draft</td>
<td class="center">MISP core format</td>
<td class="right">February 2022</td>
<td class="right">February 2023</td>
</tr></thead>
<tfoot><tr>
<td class="left">Dulaunoy &amp; Iklody</td>
<td class="center">Expires 19 August 2022</td>
<td class="center">Expires 30 August 2023</td>
<td class="right">[Page]</td>
</tr></tfoot>
</table>
@ -1204,15 +1204,15 @@ li > p:last-of-type {
<dt class="label-workgroup">Workgroup:</dt>
<dd class="workgroup">Network Working Group</dd>
<dt class="label-internet-draft">Internet-Draft:</dt>
<dd class="internet-draft">draft-00</dd>
<dd class="internet-draft">draft-16</dd>
<dt class="label-published">Published:</dt>
<dd class="published">
<time datetime="2022-02-15" class="published">15 February 2022</time>
<time datetime="2023-02-26" class="published">26 February 2023</time>
</dd>
<dt class="label-intended-status">Intended Status:</dt>
<dd class="intended-status">Informational</dd>
<dt class="label-expires">Expires:</dt>
<dd class="expires"><time datetime="2022-08-19">19 August 2022</time></dd>
<dd class="expires"><time datetime="2023-08-30">30 August 2023</time></dd>
<dt class="label-authors">Authors:</dt>
<dd class="authors">
<div class="author">
@ -1254,7 +1254,7 @@ format and ensuring an interoperability with existing MISP <span>[<a href="#MISP
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."<a href="#section-boilerplate.1-3" class="pilcrow"></a></p>
<p id="section-boilerplate.1-4">
This Internet-Draft will expire on 19 August 2022.<a href="#section-boilerplate.1-4" class="pilcrow"></a></p>
This Internet-Draft will expire on 30 August 2023.<a href="#section-boilerplate.1-4" class="pilcrow"></a></p>
</section>
</div>
<div id="copyright">
@ -1263,7 +1263,7 @@ format and ensuring an interoperability with existing MISP <span>[<a href="#MISP
<a href="#name-copyright-notice" class="section-name selfRef">Copyright Notice</a>
</h2>
<p id="section-boilerplate.2-1">
Copyright (c) 2022 IETF Trust and the persons identified as the
Copyright (c) 2023 IETF Trust and the persons identified as the
document authors. All rights reserved.<a href="#section-boilerplate.2-1" class="pilcrow"></a></p>
<p id="section-boilerplate.2-2">
This document is subject to BCP 78 and the IETF Trust's Legal
@ -1856,11 +1856,11 @@ represented as an unsigned integer.<a href="#section-2.3.2.2-1" class="pilcrow">
</dd>
<dd class="break"></dd>
<dt id="section-2.3.2.3-3.17">Payload delivery</dt>
<dd style="margin-left: 1.5em" id="section-2.3.2.3-3.18">md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, filename-pattern, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised<a href="#section-2.3.2.3-3.18" class="pilcrow"></a>
<dd style="margin-left: 1.5em" id="section-2.3.2.3-3.18">md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, filename-pattern, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, azure-application-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised<a href="#section-2.3.2.3-3.18" class="pilcrow"></a>
</dd>
<dd class="break"></dd>
<dt id="section-2.3.2.3-3.19">Payload installation</dt>
<dd style="margin-left: 1.5em" id="section-2.3.2.3-3.20">md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma, vulnerability, cpe, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, chrome-extension-id, other, mime-type, anonymised<a href="#section-2.3.2.3-3.20" class="pilcrow"></a>
<dd style="margin-left: 1.5em" id="section-2.3.2.3-3.20">md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma, vulnerability, cpe, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, azure-application-id, azure-application-id, mobile-application-id, chrome-extension-id, other, mime-type, anonymised<a href="#section-2.3.2.3-3.20" class="pilcrow"></a>
</dd>
<dd class="break"></dd>
<dt id="section-2.3.2.3-3.21">Payload type</dt>
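Review bot: in the Payload installation list (`section-2.3.2.3-3.20`) the new entry appears twice in a row, `azure-application-id, azure-application-id`, while the Payload delivery list in the same hunk adds it once. Drop the second occurrence, or name the other type if a different one was meant there. An implementation that builds its category-to-type validation table from this list should not have to deduplicate it.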
@ -2155,11 +2155,11 @@ id is represented as a JSON string. id <span class="bcp14">SHALL</span> be prese
</dd>
<dd class="break"></dd>
<dt id="section-2.4.2.3-3.17">Payload delivery</dt>
<dd style="margin-left: 1.5em" id="section-2.4.2.3-3.18">md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, filename-pattern, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised<a href="#section-2.4.2.3-3.18" class="pilcrow"></a>
<dd style="margin-left: 1.5em" id="section-2.4.2.3-3.18">md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, filename-pattern, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, azure-application-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised<a href="#section-2.4.2.3-3.18" class="pilcrow"></a>
</dd>
<dd class="break"></dd>
<dt id="section-2.4.2.3-3.19">Payload installation</dt>
<dd style="margin-left: 1.5em" id="section-2.4.2.3-3.20">md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma, vulnerability, cpe, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, chrome-extension-id, other, mime-type, anonymised<a href="#section-2.4.2.3-3.20" class="pilcrow"></a>
<dd style="margin-left: 1.5em" id="section-2.4.2.3-3.20">md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma, vulnerability, cpe, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, azure-application-id, azure-application-id, mobile-application-id, chrome-extension-id, other, mime-type, anonymised<a href="#section-2.4.2.3-3.20" class="pilcrow"></a>
</dd>
<dd class="break"></dd>
<dt id="section-2.4.2.3-3.21">Payload type</dt>
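Review bot: the Payload installation list in section 2.4.2.3 (`section-2.4.2.3-3.20`) repeats `azure-application-id, azure-application-id` as well. Sections 2.3.2.3 and 2.4.2.3 change identically here, so correct the entry wherever the shared list is maintained and re-render, rather than patching each rendered copy by hand.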
@ -3925,8 +3925,8 @@ for the review of the JSON Schema.<a href="#section-7-1" class="pilcrow">¶</a><
<address class="vcard">
<div dir="auto" class="left"><span class="fn nameRole">Alexandre Dulaunoy</span></div>
<div dir="auto" class="left"><span class="org">Computer Incident Response Center Luxembourg</span></div>
<div dir="auto" class="left"><span class="street-address">16, bd d'Avranches</span></div>
<div dir="auto" class="left">L-<span class="postal-code">L-1160</span> <span class="locality">Luxembourg</span>
<div dir="auto" class="left"><span class="street-address">122, rue Adolphe Fischer</span></div>
<div dir="auto" class="left">L-<span class="postal-code">L-1521</span> <span class="locality">Luxembourg</span>
</div>
<div dir="auto" class="left"><span class="country-name">Luxembourg</span></div>
<div class="tel">
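Review bot: the postal-code line keeps a literal `L-` outside the span while the span content is itself `L-1521`, so the address renders as `L-L-1521`. The previous line had the same doubling with `L-1160`. Since the address is being updated anyway, emit the prefix once. The second author block in the next hunk carries the same line.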
@ -3941,8 +3941,8 @@ for the review of the JSON Schema.<a href="#section-7-1" class="pilcrow">¶</a><
<address class="vcard">
<div dir="auto" class="left"><span class="fn nameRole">Andras Iklody</span></div>
<div dir="auto" class="left"><span class="org">Computer Incident Response Center Luxembourg</span></div>
<div dir="auto" class="left"><span class="street-address">16, bd d'Avranches</span></div>
<div dir="auto" class="left">L-<span class="postal-code">L-1160</span> <span class="locality">Luxembourg</span>
<div dir="auto" class="left"><span class="street-address">122, rue Adolphe Fischer</span></div>
<div dir="auto" class="left">L-<span class="postal-code">L-1521</span> <span class="locality">Luxembourg</span>
</div>
<div dir="auto" class="left"><span class="country-name">Luxembourg</span></div>
<div class="tel">

View File

@ -5,11 +5,11 @@
Network Working Group A. Dulaunoy
Internet-Draft A. Iklody
Intended status: Informational CIRCL
Expires: 19 August 2022 15 February 2022
Expires: 30 August 2023 26 February 2023
MISP core format
draft-00
draft-16
Abstract
@ -37,11 +37,11 @@ Status of This Memo
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 19 August 2022.
This Internet-Draft will expire on 30 August 2023.
Copyright Notice
Copyright (c) 2022 IETF Trust and the persons identified as the
Copyright (c) 2023 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
@ -53,9 +53,9 @@ Copyright Notice
Dulaunoy & Iklody Expires 19 August 2022 [Page 1]
Dulaunoy & Iklody Expires 30 August 2023 [Page 1]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
Table of Contents
@ -109,9 +109,9 @@ Table of Contents
Dulaunoy & Iklody Expires 19 August 2022 [Page 2]
Dulaunoy & Iklody Expires 30 August 2023 [Page 2]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 53
@ -165,9 +165,9 @@ Internet-Draft MISP core format February 2022
Dulaunoy & Iklody Expires 19 August 2022 [Page 3]
Dulaunoy & Iklody Expires 30 August 2023 [Page 3]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
uuid is represented as a JSON string. uuid MUST be present.
@ -221,9 +221,9 @@ Internet-Draft MISP core format February 2022
Dulaunoy & Iklody Expires 19 August 2022 [Page 4]
Dulaunoy & Iklody Expires 30 August 2023 [Page 4]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
1: Ongoing
@ -277,9 +277,9 @@ Internet-Draft MISP core format February 2022
Dulaunoy & Iklody Expires 19 August 2022 [Page 5]
Dulaunoy & Iklody Expires 30 August 2023 [Page 5]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
org_id is represented as a JSON string. org_id MUST be present.
@ -333,9 +333,9 @@ Internet-Draft MISP core format February 2022
Dulaunoy & Iklody Expires 19 August 2022 [Page 6]
Dulaunoy & Iklody Expires 30 August 2023 [Page 6]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
2.2.1.15. extends_uuid
@ -389,9 +389,9 @@ Internet-Draft MISP core format February 2022
Dulaunoy & Iklody Expires 19 August 2022 [Page 7]
Dulaunoy & Iklody Expires 30 August 2023 [Page 7]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
uuid, name and id are represented as a JSON string. uuid, name and id
@ -445,9 +445,9 @@ Internet-Draft MISP core format February 2022
Dulaunoy & Iklody Expires 19 August 2022 [Page 8]
Dulaunoy & Iklody Expires 30 August 2023 [Page 8]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
2.3.2.2. id
@ -501,9 +501,9 @@ Internet-Draft MISP core format February 2022
Dulaunoy & Iklody Expires 19 August 2022 [Page 9]
Dulaunoy & Iklody Expires 30 August 2023 [Page 9]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
pattern-in-traffic, pattern-in-memory, filename-pattern,
@ -549,17 +549,17 @@ Internet-Draft MISP core format February 2022
jarm-fingerprint, hassh-md5, hasshserver-md5, other,
hostname|port, email-dst-display-name, email-src-display-name,
email-header, email-reply-to, email-x-mailer, email-mime-boundary,
email-thread-index, email-message-id, mobile-application-id,
chrome-extension-id, whois-registrant-email, anonymised
email-thread-index, email-message-id, azure-application-id,
mobile-application-id, chrome-extension-id, whois-registrant-
email, anonymised
Payload installation md5, sha1, sha224, sha256, sha384, sha512,
Dulaunoy & Iklody Expires 19 August 2022 [Page 10]
Dulaunoy & Iklody Expires 30 August 2023 [Page 10]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512,
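Review bot: the reflowed Payload delivery list now splits a type name across two lines, `whois-registrant-` followed by `email, anonymised`. A search of the text rendering for `whois-registrant-email` will no longer match. Check whether the list can be wrapped only after commas so that type names stay intact.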
@ -574,8 +574,9 @@ Internet-Draft MISP core format February 2022
traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara,
sigma, vulnerability, cpe, weakness, attachment, malware-sample,
malware-type, comment, text, hex, x509-fingerprint-sha1, x509-
fingerprint-md5, x509-fingerprint-sha256, mobile-application-id,
chrome-extension-id, other, mime-type, anonymised
fingerprint-md5, x509-fingerprint-sha256, azure-application-id,
azure-application-id, mobile-application-id, chrome-extension-id,
other, mime-type, anonymised
Payload type comment, text, other, anonymised
Persistence mechanism filename, regkey, regkey|value, comment, text,
other, hex, anonymised
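Review bot: the text rendering carries the doubled entry too, with `azure-application-id,` ending one line of the Payload installation list and `azure-application-id,` starting the next. Remove one occurrence so the text output agrees with the corrected HTML list. The same pair appears again in the later Payload installation hunk of this file.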
@ -607,17 +608,20 @@ Internet-Draft MISP core format February 2022
selected by the attribute creator, using a list of pre-defined
attribute categories.
Dulaunoy & Iklody Expires 30 August 2023 [Page 11]
Internet-Draft MISP core format February 2023
category is represented as a JSON string. category MUST be present
and it MUST be a valid selection for the chosen type. The list of
valid category-type combinations is mentioned above.
Dulaunoy & Iklody Expires 19 August 2022 [Page 11]
Internet-Draft MISP core format February 2022
2.3.2.5. to_ids
to_ids represents whether the attribute is meant to be actionable.
@ -662,18 +666,18 @@ Internet-Draft MISP core format February 2022
timestamp is represented as a JSON string. timestamp MUST be present.
Dulaunoy & Iklody Expires 30 August 2023 [Page 12]
Internet-Draft MISP core format February 2023
2.3.2.9. comment
comment is a contextual comment field.
Dulaunoy & Iklody Expires 19 August 2022 [Page 12]
Internet-Draft MISP core format February 2022
comment is represented by a JSON string. comment MAY be present.
2.3.2.10. sharing_group_id
@ -721,13 +725,9 @@ Internet-Draft MISP core format February 2022
Dulaunoy & Iklody Expires 19 August 2022 [Page 13]
Dulaunoy & Iklody Expires 30 August 2023 [Page 13]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
2.3.2.14. ShadowAttribute
@ -781,9 +781,9 @@ Internet-Draft MISP core format February 2022
Dulaunoy & Iklody Expires 19 August 2022 [Page 14]
Dulaunoy & Iklody Expires 30 August 2023 [Page 14]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
2.4.1. Sample Attribute Object
@ -837,9 +837,9 @@ Internet-Draft MISP core format February 2022
Dulaunoy & Iklody Expires 19 August 2022 [Page 15]
Dulaunoy & Iklody Expires 30 August 2023 [Page 15]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
type is represented as a JSON string. type MUST be present and it
@ -893,9 +893,9 @@ Internet-Draft MISP core format February 2022
Dulaunoy & Iklody Expires 19 August 2022 [Page 16]
Dulaunoy & Iklody Expires 30 August 2023 [Page 16]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
hostname, domain, domain|ip, mac-address, mac-eui-64, email,
@ -929,9 +929,31 @@ Internet-Draft MISP core format February 2022
jarm-fingerprint, hassh-md5, hasshserver-md5, other,
hostname|port, email-dst-display-name, email-src-display-name,
email-header, email-reply-to, email-x-mailer, email-mime-boundary,
email-thread-index, email-message-id, mobile-application-id,
chrome-extension-id, whois-registrant-email, anonymised
email-thread-index, email-message-id, azure-application-id,
mobile-application-id, chrome-extension-id, whois-registrant-
email, anonymised
Payload installation md5, sha1, sha224, sha256, sha384, sha512,
Dulaunoy & Iklody Expires 30 August 2023 [Page 17]
Internet-Draft MISP core format February 2023
sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512,
ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash,
tlsh, cdhash, filename, filename|md5, filename|sha1,
@ -944,16 +966,9 @@ Internet-Draft MISP core format February 2022
traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara,
sigma, vulnerability, cpe, weakness, attachment, malware-sample,
malware-type, comment, text, hex, x509-fingerprint-sha1, x509-
fingerprint-md5, x509-fingerprint-sha256, mobile-application-id,
chrome-extension-id, other, mime-type, anonymised
Dulaunoy & Iklody Expires 19 August 2022 [Page 17]
Internet-Draft MISP core format February 2022
fingerprint-md5, x509-fingerprint-sha256, azure-application-id,
azure-application-id, mobile-application-id, chrome-extension-id,
other, mime-type, anonymised
Payload type comment, text, other, anonymised
Persistence mechanism filename, regkey, regkey|value, comment, text,
other, hex, anonymised
@ -985,6 +1000,16 @@ Internet-Draft MISP core format February 2022
selected by the attribute creator, using a list of pre-defined
attribute categories.
Dulaunoy & Iklody Expires 30 August 2023 [Page 18]
Internet-Draft MISP core format February 2023
category is represented as a JSON string. category MUST be present
and it MUST be a valid selection for the chosen type. The list of
valid category-type combinations is mentioned above.
@ -999,17 +1024,6 @@ Internet-Draft MISP core format February 2022
to_ids is represented as a JSON boolean. to_ids MUST be present.
Dulaunoy & Iklody Expires 19 August 2022 [Page 18]
Internet-Draft MISP core format February 2022
2.4.2.6. event_id
event_id represents a human-readable identifier referencing the Event
@ -1044,6 +1058,14 @@ Internet-Draft MISP core format February 2022
timestamp is represented as a JSON string. timestamp MUST be present.
Dulaunoy & Iklody Expires 30 August 2023 [Page 19]
Internet-Draft MISP core format February 2023
2.4.2.9. comment
comment is a contextual comment field.
@ -1056,16 +1078,6 @@ Internet-Draft MISP core format February 2022
proposal creator's Organisation object. A human-readable identifier
MUST be represented as an unsigned integer.
Dulaunoy & Iklody Expires 19 August 2022 [Page 19]
Internet-Draft MISP core format February 2022
Whilst attributes can only be created by the event creator
organisation, shadow attributes can be created by third parties.
org_id tracks the creator organisation.
@ -1102,6 +1114,14 @@ Internet-Draft MISP core format February 2022
data is represented by a JSON string in base64 encoding. data MUST be
set for shadow attributes of type malware-sample and attachment.
Dulaunoy & Iklody Expires 30 August 2023 [Page 20]
Internet-Draft MISP core format February 2023
2.4.2.14. first_seen
first_seen represents a reference time when the attribute was first
@ -1111,17 +1131,6 @@ Internet-Draft MISP core format February 2022
first_seen is represented as a JSON string. first_seen MAY be
present.
Dulaunoy & Iklody Expires 19 August 2022 [Page 20]
Internet-Draft MISP core format February 2022
2.4.2.15. last_seen
last_seen represents a reference time when the attribute was last
@ -1157,27 +1166,24 @@ Internet-Draft MISP core format February 2022
2.4.3.1.1. Sample Org Object
Dulaunoy & Iklody Expires 30 August 2023 [Page 21]
Internet-Draft MISP core format February 2023
"Org": {
"id": "2",
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
}
Dulaunoy & Iklody Expires 19 August 2022 [Page 21]
Internet-Draft MISP core format February 2022
2.5. Object
Objects serve as a contextual bond between a list of attributes
@ -1223,15 +1229,9 @@ Internet-Draft MISP core format February 2022
Dulaunoy & Iklody Expires 19 August 2022 [Page 22]
Dulaunoy & Iklody Expires 30 August 2023 [Page 22]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
"Object": {
@ -1285,9 +1285,9 @@ Internet-Draft MISP core format February 2022
Dulaunoy & Iklody Expires 19 August 2022 [Page 23]
Dulaunoy & Iklody Expires 30 August 2023 [Page 23]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
2.5.2.1. uuid
@ -1341,9 +1341,9 @@ Internet-Draft MISP core format February 2022
Dulaunoy & Iklody Expires 19 August 2022 [Page 24]
Dulaunoy & Iklody Expires 30 August 2023 [Page 24]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
template_uuid is represented as a JSON string. template_uuid MUST be
@ -1397,9 +1397,9 @@ Internet-Draft MISP core format February 2022
Dulaunoy & Iklody Expires 19 August 2022 [Page 25]
Dulaunoy & Iklody Expires 30 August 2023 [Page 25]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
2.5.2.11. sharing_group_id
@ -1453,9 +1453,9 @@ Internet-Draft MISP core format February 2022
Dulaunoy & Iklody Expires 19 August 2022 [Page 26]
Dulaunoy & Iklody Expires 30 August 2023 [Page 26]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
last_seen is represented as a JSON string. last_seen MAY be present.
@ -1509,9 +1509,9 @@ Internet-Draft MISP core format February 2022
Dulaunoy & Iklody Expires 19 August 2022 [Page 27]
Dulaunoy & Iklody Expires 30 August 2023 [Page 27]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
2.6.2.3. timestamp
@ -1565,9 +1565,9 @@ Internet-Draft MISP core format February 2022
Dulaunoy & Iklody Expires 19 August 2022 [Page 28]
Dulaunoy & Iklody Expires 30 August 2023 [Page 28]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
relationship_type is represented as a JSON string. relationship_type
@ -1621,9 +1621,9 @@ Internet-Draft MISP core format February 2022
Dulaunoy & Iklody Expires 19 August 2022 [Page 29]
Dulaunoy & Iklody Expires 30 August 2023 [Page 29]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
2.7.2. UUID
@ -1677,9 +1677,9 @@ Internet-Draft MISP core format February 2022
Dulaunoy & Iklody Expires 19 August 2022 [Page 30]
Dulaunoy & Iklody Expires 30 August 2023 [Page 30]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
2 Connected Communities
@ -1733,9 +1733,9 @@ Internet-Draft MISP core format February 2022
Dulaunoy & Iklody Expires 19 August 2022 [Page 31]
Dulaunoy & Iklody Expires 30 August 2023 [Page 31]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
2.8.1. Sample Tag
@ -1789,9 +1789,9 @@ Internet-Draft MISP core format February 2022
Dulaunoy & Iklody Expires 19 August 2022 [Page 32]
Dulaunoy & Iklody Expires 30 August 2023 [Page 32]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
id, event_id and attribute_id are represented as a JSON string and
@ -1845,9 +1845,9 @@ Internet-Draft MISP core format February 2022
Dulaunoy & Iklody Expires 19 August 2022 [Page 33]
Dulaunoy & Iklody Expires 30 August 2023 [Page 33]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
"Sighting": [
@ -1901,9 +1901,9 @@ Internet-Draft MISP core format February 2022
Dulaunoy & Iklody Expires 19 August 2022 [Page 34]
Dulaunoy & Iklody Expires 30 August 2023 [Page 34]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
"Galaxy": [ {
@ -1957,9 +1957,9 @@ Internet-Draft MISP core format February 2022
Dulaunoy & Iklody Expires 19 August 2022 [Page 35]
Dulaunoy & Iklody Expires 30 August 2023 [Page 35]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
3. JSON Schema
@ -2013,9 +2013,9 @@ Internet-Draft MISP core format February 2022
Dulaunoy & Iklody Expires 19 August 2022 [Page 36]
Dulaunoy & Iklody Expires 30 August 2023 [Page 36]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
"type": "object",
@ -2069,9 +2069,9 @@ Internet-Draft MISP core format February 2022
Dulaunoy & Iklody Expires 19 August 2022 [Page 37]
Dulaunoy & Iklody Expires 30 August 2023 [Page 37]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
"items": {
@ -2125,9 +2125,9 @@ Internet-Draft MISP core format February 2022
Dulaunoy & Iklody Expires 19 August 2022 [Page 38]
Dulaunoy & Iklody Expires 30 August 2023 [Page 38]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
"type": "string"
@ -2181,9 +2181,9 @@ Internet-Draft MISP core format February 2022
Dulaunoy & Iklody Expires 19 August 2022 [Page 39]
Dulaunoy & Iklody Expires 30 August 2023 [Page 39]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
"type": "string"
@ -2237,9 +2237,9 @@ Internet-Draft MISP core format February 2022
Dulaunoy & Iklody Expires 19 August 2022 [Page 40]
Dulaunoy & Iklody Expires 30 August 2023 [Page 40]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
"properties": {
@ -2293,9 +2293,9 @@ Internet-Draft MISP core format February 2022
Dulaunoy & Iklody Expires 19 August 2022 [Page 41]
Dulaunoy & Iklody Expires 30 August 2023 [Page 41]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
"properties": {
@ -2349,9 +2349,9 @@ Internet-Draft MISP core format February 2022
Dulaunoy & Iklody Expires 19 August 2022 [Page 42]
Dulaunoy & Iklody Expires 30 August 2023 [Page 42]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
"properties": {
@ -2405,9 +2405,9 @@ Internet-Draft MISP core format February 2022
Dulaunoy & Iklody Expires 19 August 2022 [Page 43]
Dulaunoy & Iklody Expires 30 August 2023 [Page 43]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
},
@ -2461,9 +2461,9 @@ Internet-Draft MISP core format February 2022
Dulaunoy & Iklody Expires 19 August 2022 [Page 44]
Dulaunoy & Iklody Expires 30 August 2023 [Page 44]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
},
@ -2517,9 +2517,9 @@ Internet-Draft MISP core format February 2022
Dulaunoy & Iklody Expires 19 August 2022 [Page 45]
Dulaunoy & Iklody Expires 30 August 2023 [Page 45]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
"type": "string"
@ -2573,9 +2573,9 @@ Internet-Draft MISP core format February 2022
Dulaunoy & Iklody Expires 19 August 2022 [Page 46]
Dulaunoy & Iklody Expires 30 August 2023 [Page 46]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
"uniqueItems": true,
@ -2629,9 +2629,9 @@ Internet-Draft MISP core format February 2022
Dulaunoy & Iklody Expires 19 August 2022 [Page 47]
Dulaunoy & Iklody Expires 30 August 2023 [Page 47]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
"type": "boolean"
@ -2685,9 +2685,9 @@ Internet-Draft MISP core format February 2022
Dulaunoy & Iklody Expires 19 August 2022 [Page 48]
Dulaunoy & Iklody Expires 30 August 2023 [Page 48]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
"type": "object",
@ -2741,9 +2741,9 @@ Internet-Draft MISP core format February 2022
Dulaunoy & Iklody Expires 19 August 2022 [Page 49]
Dulaunoy & Iklody Expires 30 August 2023 [Page 49]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
"Event": {
@ -2797,9 +2797,9 @@ Internet-Draft MISP core format February 2022
Dulaunoy & Iklody Expires 19 August 2022 [Page 50]
Dulaunoy & Iklody Expires 30 August 2023 [Page 50]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
If a detached PGP signature is used for each MISP event, a detached
@ -2853,9 +2853,9 @@ Internet-Draft MISP core format February 2022
Dulaunoy & Iklody Expires 19 August 2022 [Page 51]
Dulaunoy & Iklody Expires 30 August 2023 [Page 51]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
"name": "malware_classification:malware-category=\"Ransomware\""
@ -2909,9 +2909,9 @@ Internet-Draft MISP core format February 2022
Dulaunoy & Iklody Expires 19 August 2022 [Page 52]
Dulaunoy & Iklody Expires 30 August 2023 [Page 52]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
[RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally
@ -2952,8 +2952,8 @@ Authors' Addresses
Alexandre Dulaunoy
Computer Incident Response Center Luxembourg
16, bd d'Avranches
L-L-1160 Luxembourg
122, rue Adolphe Fischer
L-L-1521 Luxembourg
Luxembourg
Phone: +352 247 88444
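Review bot: The new postal line still reads "L-L-1521 Luxembourg" with a doubled "L-" prefix, carried over unchanged from the old "L-L-1160 Luxembourg", and it is followed by a separate "Luxembourg" country line. Since the address is being edited here anyway, check the postal code value in the draft source; my assumption is that it already contains "L-" and the renderer prepends it again, so the output should read "L-1521 Luxembourg". The second author's address block in the next hunk has the same doubled prefix.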
@ -2965,15 +2965,15 @@ Authors' Addresses
Dulaunoy & Iklody Expires 19 August 2022 [Page 53]
Dulaunoy & Iklody Expires 30 August 2023 [Page 53]
Internet-Draft MISP core format February 2022
Internet-Draft MISP core format February 2023
Andras Iklody
Computer Incident Response Center Luxembourg
16, bd d'Avranches
L-L-1160 Luxembourg
122, rue Adolphe Fischer
L-L-1521 Luxembourg
Luxembourg
Phone: +352 247 88444
@ -3021,4 +3021,4 @@ Internet-Draft MISP core format February 2022
Dulaunoy & Iklody Expires 19 August 2022 [Page 54]
Dulaunoy & Iklody Expires 30 August 2023 [Page 54]