From e65b6bb788fabc4e8406e5937859f87e63a3433d Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy <a@foo.be>
Date: Sun, 21 Nov 2021 16:37:56 +0100
Subject: [PATCH] chg: [rfc] updated to the latest version

---
 rfc/misp-standard-core.html                   | 4649 +++++++++++------
 rfc/misp-standard-core.txt                    | 1212 ++---
 rfc/misp-standard-galaxy-format.html          | 2217 +++++---
 rfc/misp-standard-galaxy-format.txt           |  234 +-
 rfc/misp-standard-object-template-format.html | 3226 +++++++++---
 rfc/misp-standard-object-template-format.txt  | 1606 ++++--
 rfc/misp-standard-taxonomy-format.html        | 2871 ++++++----
 rfc/misp-standard-taxonomy-format.txt         |  852 ++-
 8 files changed, 11350 insertions(+), 5517 deletions(-)

diff --git a/rfc/misp-standard-core.html b/rfc/misp-standard-core.html
index 33c49a8..747ba01 100644
--- a/rfc/misp-standard-core.html
+++ b/rfc/misp-standard-core.html
@@ -1,781 +1,1775 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" 
-  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<!DOCTYPE html>
+<html lang="en" class="Internet-Draft">
+<head>
+<meta charset="utf-8">
+<meta content="Common,Latin" name="scripts">
+<meta content="initial-scale=1.0" name="viewport">
+<title>MISP core format</title>
+<meta content="Alexandre Dulaunoy" name="author">
+<meta content="Andras Iklody" name="author">
+<meta content="
+       This document describes the MISP core format used to exchange indicators and threat information between
+MISP (Open Source Threat Intelligence Sharing Platform formerly known as Malware Information Sharing Platform) instances.
+The JSON format includes the overall structure along with the semantic associated for each
+respective key. The format is described to support other implementations which reuse the
+format and ensuring an interoperability with existing MISP   software and other Threat Intelligence Platforms. 
+    " name="description">
+<meta content="xml2rfc 3.9.1" name="generator">
+<meta content="draft-00" name="ietf.draft">
+<!-- Generator version information:
+  xml2rfc 3.9.1
+    Python 3.6.9
+    appdirs 1.4.4
+    ConfigArgParse 1.5.2
+    google-i18n-address 2.3.5
+    html5lib 1.0.1
+    intervaltree 2.1.0
+    Jinja2 2.11.2
+    kitchen 1.2.6
+    lxml 4.6.3
+    pycairo 1.16.2
+    pycountry 18.12.8
+    pyflakes 2.1.1
+    PyYAML 5.4.1
+    requests 2.25.1
+    setuptools 57.1.0
+    six 1.15.0
+    WeasyPrint 48
+-->
+<link href="misp-standard-core.xml" rel="alternate" type="application/rfc+xml">
+<link href="#copyright" rel="license">
+<style type="text/css">/*
 
-<html lang="en" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
-<head profile="http://www.w3.org/2006/03/hcard http://dublincore.org/documents/2008/08/04/dc-html/">
-  <meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
+  NOTE: Changes at the bottom of this file overrides some earlier settings.
 
-  <title>MISP core format</title>
+  Once the style has stabilized and has been adopted as an official RFC style,
+  this can be consolidated so that style settings occur only in one place, but
+  for now the contents of this file consists first of the initial CSS work as
+  provided to the RFC Formatter (xml2rfc) work, followed by itemized and
+  commented changes found necssary during the development of the v3
+  formatters.
 
-  <style type="text/css" title="Xml2Rfc (sans serif)">
-  /*<![CDATA[*/
-	  a {
-	  text-decoration: none;
-	  }
-      /* info code from SantaKlauss at http://www.madaboutstyle.com/tooltip2.html */
-      a.info {
-          /* This is the key. */
-          position: relative;
-          z-index: 24;
-          text-decoration: none;
-      }
-      a.info:hover {
-          z-index: 25;
-          color: #FFF; background-color: #900;
-      }
-      a.info span { display: none; }
-      a.info:hover span.info {
-          /* The span will display just on :hover state. */
-          display: block;
-          position: absolute;
-          font-size: smaller;
-          top: 2em; left: -5em; width: 15em;
-          padding: 2px; border: 1px solid #333;
-          color: #900; background-color: #EEE;
-          text-align: left;
-      }
-	  a.smpl {
-	  color: black;
-	  }
-	  a:hover {
-	  text-decoration: underline;
-	  }
-	  a:active {
-	  text-decoration: underline;
-	  }
-	  address {
-	  margin-top: 1em;
-	  margin-left: 2em;
-	  font-style: normal;
-	  }
-	  body {
-	  color: black;
-	  font-family: verdana, helvetica, arial, sans-serif;
-	  font-size: 10pt;
-	  max-width: 55em;
-	  
-	  }
-	  cite {
-	  font-style: normal;
-	  }
-	  dd {
-	  margin-right: 2em;
-	  }
-	  dl {
-	  margin-left: 2em;
-	  }
-	
-	  ul.empty {
-	  list-style-type: none;
-	  }
-	  ul.empty li {
-	  margin-top: .5em;
-	  }
-	  dl p {
-	  margin-left: 0em;
-	  }
-	  dt {
-	  margin-top: .5em;
-	  }
-	  h1 {
-	  font-size: 14pt;
-	  line-height: 21pt;
-	  page-break-after: avoid;
-	  }
-	  h1.np {
-	  page-break-before: always;
-	  }
-	  h1 a {
-	  color: #333333;
-	  }
-	  h2 {
-	  font-size: 12pt;
-	  line-height: 15pt;
-	  page-break-after: avoid;
-	  }
-	  h3, h4, h5, h6 {
-	  font-size: 10pt;
-	  page-break-after: avoid;
-	  }
-	  h2 a, h3 a, h4 a, h5 a, h6 a {
-	  color: black;
-	  }
-	  img {
-	  margin-left: 3em;
-	  }
-	  li {
-	  margin-left: 2em;
-	  margin-right: 2em;
-	  }
-	  ol {
-	  margin-left: 2em;
-	  margin-right: 2em;
-	  }
-	  ol p {
-	  margin-left: 0em;
-	  }
-	  p {
-	  margin-left: 2em;
-	  margin-right: 2em;
-	  }
-	  pre {
-	  margin-left: 3em;
-	  background-color: lightyellow;
-	  padding: .25em;
-	  }
-	  pre.text2 {
-	  border-style: dotted;
-	  border-width: 1px;
-	  background-color: #f0f0f0;
-	  width: 69em;
-	  }
-	  pre.inline {
-	  background-color: white;
-	  padding: 0em;
-	  }
-	  pre.text {
-	  border-style: dotted;
-	  border-width: 1px;
-	  background-color: #f8f8f8;
-	  width: 69em;
-	  }
-	  pre.drawing {
-	  border-style: solid;
-	  border-width: 1px;
-	  background-color: #f8f8f8;
-	  padding: 2em;
-	  }
-	  table {
-	  margin-left: 2em;
-	  }
-	  table.tt {
-	  vertical-align: top;
-	  }
-	  table.full {
-	  border-style: outset;
-	  border-width: 1px;
-	  }
-	  table.headers {
-	  border-style: outset;
-	  border-width: 1px;
-	  }
-	  table.tt td {
-	  vertical-align: top;
-	  }
-	  table.full td {
-	  border-style: inset;
-	  border-width: 1px;
-	  }
-	  table.tt th {
-	  vertical-align: top;
-	  }
-	  table.full th {
-	  border-style: inset;
-	  border-width: 1px;
-	  }
-	  table.headers th {
-	  border-style: none none inset none;
-	  border-width: 1px;
-	  }
-	  table.left {
-	  margin-right: auto;
-	  }
-	  table.right {
-	  margin-left: auto;
-	  }
-	  table.center {
-	  margin-left: auto;
-	  margin-right: auto;
-	  }
-	  caption {
-	  caption-side: bottom;
-	  font-weight: bold;
-	  font-size: 9pt;
-	  margin-top: .5em;
-	  }
-	
-	  table.header {
-	  border-spacing: 1px;
-	  width: 95%;
-	  font-size: 10pt;
-	  color: white;
-	  }
-	  td.top {
-	  vertical-align: top;
-	  }
-	  td.topnowrap {
-	  vertical-align: top;
-	  white-space: nowrap; 
-	  }
-	  table.header td {
-	  background-color: gray;
-	  width: 50%;
-	  }
-	  table.header a {
-	  color: white;
-	  }
-	  td.reference {
-	  vertical-align: top;
-	  white-space: nowrap;
-	  padding-right: 1em;
-	  }
-	  thead {
-	  display:table-header-group;
-	  }
-	  ul.toc, ul.toc ul {
-	  list-style: none;
-	  margin-left: 1.5em;
-	  margin-right: 0em;
-	  padding-left: 0em;
-	  }
-	  ul.toc li {
-	  line-height: 150%;
-	  font-weight: bold;
-	  font-size: 10pt;
-	  margin-left: 0em;
-	  margin-right: 0em;
-	  }
-	  ul.toc li li {
-	  line-height: normal;
-	  font-weight: normal;
-	  font-size: 9pt;
-	  margin-left: 0em;
-	  margin-right: 0em;
-	  }
-	  li.excluded {
-	  font-size: 0pt;
-	  }
-	  ul p {
-	  margin-left: 0em;
-	  }
-	
-	  .comment {
-	  background-color: yellow;
-	  }
-	  .center {
-	  text-align: center;
-	  }
-	  .error {
-	  color: red;
-	  font-style: italic;
-	  font-weight: bold;
-	  }
-	  .figure {
-	  font-weight: bold;
-	  text-align: center;
-	  font-size: 9pt;
-	  }
-	  .filename {
-	  color: #333333;
-	  font-weight: bold;
-	  font-size: 12pt;
-	  line-height: 21pt;
-	  text-align: center;
-	  }
-	  .fn {
-	  font-weight: bold;
-	  }
-	  .hidden {
-	  display: none;
-	  }
-	  .left {
-	  text-align: left;
-	  }
-	  .right {
-	  text-align: right;
-	  }
-	  .title {
-	  color: #990000;
-	  font-size: 18pt;
-	  line-height: 18pt;
-	  font-weight: bold;
-	  text-align: center;
-	  margin-top: 36pt;
-	  }
-	  .vcardline {
-	  display: block;
-	  }
-	  .warning {
-	  font-size: 14pt;
-	  background-color: yellow;
-	  }
-	
-	
-	  @media print {
-	  .noprint {
-		display: none;
-	  }
-	
-	  a {
-		color: black;
-		text-decoration: none;
-	  }
-	
-	  table.header {
-		width: 90%;
-	  }
-	
-	  td.header {
-		width: 50%;
-		color: black;
-		background-color: white;
-		vertical-align: top;
-		font-size: 12pt;
-	  }
-	
-	  ul.toc a::after {
-		content: leader('.') target-counter(attr(href), page);
-	  }
-	
-	  ul.ind li li a {
-		content: target-counter(attr(href), page);
-	  }
-	
-	  .print2col {
-		column-count: 2;
-		-moz-column-count: 2;
-		column-fill: auto;
-	  }
-	  }
-	
-	  @page {
-	  @top-left {
-		   content: "Internet-Draft"; 
-	  } 
-	  @top-right {
-		   content: "December 2010"; 
-	  } 
-	  @top-center {
-		   content: "Abbreviated Title";
-	  } 
-	  @bottom-left {
-		   content: "Doe"; 
-	  } 
-	  @bottom-center {
-		   content: "Expires June 2011"; 
-	  } 
-	  @bottom-right {
-		   content: "[Page " counter(page) "]"; 
-	  } 
-	  }
-	
-	  @page:first { 
-		@top-left {
-		  content: normal;
-		}
-		@top-right {
-		  content: normal;
-		}
-		@top-center {
-		  content: normal;
-		}
-	  }
-  /*]]>*/
-  </style>
+*/
 
-  <link href="#rfc.toc" rel="Contents">
-<link href="#rfc.section.1" rel="Chapter" title="1 Introduction">
-<link href="#rfc.section.1.1" rel="Chapter" title="1.1 Conventions and Terminology">
-<link href="#rfc.section.2" rel="Chapter" title="2 Format">
-<link href="#rfc.section.2.1" rel="Chapter" title="2.1 Overview">
-<link href="#rfc.section.2.2" rel="Chapter" title="2.2 Event">
-<link href="#rfc.section.2.2.1" rel="Chapter" title="2.2.1 Event Attributes">
-<link href="#rfc.section.2.3" rel="Chapter" title="2.3 Objects">
-<link href="#rfc.section.2.3.1" rel="Chapter" title="2.3.1 Org">
-<link href="#rfc.section.2.3.2" rel="Chapter" title="2.3.2 Orgc">
-<link href="#rfc.section.2.4" rel="Chapter" title="2.4 Attribute">
-<link href="#rfc.section.2.4.1" rel="Chapter" title="2.4.1 Sample Attribute Object">
-<link href="#rfc.section.2.4.2" rel="Chapter" title="2.4.2 Attribute Attributes">
-<link href="#rfc.section.2.5" rel="Chapter" title="2.5 ShadowAttribute">
-<link href="#rfc.section.2.5.1" rel="Chapter" title="2.5.1 Sample Attribute Object">
-<link href="#rfc.section.2.5.2" rel="Chapter" title="2.5.2 ShadowAttribute Attributes">
-<link href="#rfc.section.2.5.3" rel="Chapter" title="2.5.3 Org">
-<link href="#rfc.section.2.6" rel="Chapter" title="2.6 Object">
-<link href="#rfc.section.2.6.1" rel="Chapter" title="2.6.1 Sample Object">
-<link href="#rfc.section.2.6.2" rel="Chapter" title="2.6.2 Object Attributes">
-<link href="#rfc.section.2.7" rel="Chapter" title="2.7 Object References">
-<link href="#rfc.section.2.7.1" rel="Chapter" title="2.7.1 Sample ObjectReference object">
-<link href="#rfc.section.2.7.2" rel="Chapter" title="2.7.2 ObjectReference Attributes">
-<link href="#rfc.section.2.8" rel="Chapter" title="2.8 EventReport">
-<link href="#rfc.section.2.8.1" rel="Chapter" title="2.8.1 id">
-<link href="#rfc.section.2.8.2" rel="Chapter" title="2.8.2 UUID">
-<link href="#rfc.section.2.8.3" rel="Chapter" title="2.8.3 event_id">
-<link href="#rfc.section.2.8.4" rel="Chapter" title="2.8.4 name">
-<link href="#rfc.section.2.8.5" rel="Chapter" title="2.8.5 content">
-<link href="#rfc.section.2.8.6" rel="Chapter" title="2.8.6 distribution">
-<link href="#rfc.section.2.8.7" rel="Chapter" title="2.8.7 sharing_group_id">
-<link href="#rfc.section.2.8.8" rel="Chapter" title="2.8.8 timestamp">
-<link href="#rfc.section.2.8.9" rel="Chapter" title="2.8.9 deleted">
-<link href="#rfc.section.2.9" rel="Chapter" title="2.9 Tag">
-<link href="#rfc.section.2.9.1" rel="Chapter" title="2.9.1 Sample Tag">
-<link href="#rfc.section.2.10" rel="Chapter" title="2.10 Sighting">
-<link href="#rfc.section.2.10.1" rel="Chapter" title="2.10.1 Sample Sighting">
-<link href="#rfc.section.2.11" rel="Chapter" title="2.11 Galaxy">
-<link href="#rfc.section.2.11.1" rel="Chapter" title="2.11.1 Sample Galaxy">
-<link href="#rfc.section.3" rel="Chapter" title="3 JSON Schema">
-<link href="#rfc.section.4" rel="Chapter" title="4 Manifest">
-<link href="#rfc.section.4.1" rel="Chapter" title="4.1 Format">
-<link href="#rfc.section.4.1.1" rel="Chapter" title="4.1.1 Sample Manifest">
-<link href="#rfc.section.5" rel="Chapter" title="5 Implementation">
-<link href="#rfc.section.6" rel="Chapter" title="6 Security Considerations">
-<link href="#rfc.section.7" rel="Chapter" title="7 Acknowledgements">
-<link href="#rfc.section.8" rel="Chapter" title="8 References">
-<link href="#rfc.references" rel="Chapter" title="9 References">
-<link href="#rfc.references.1" rel="Chapter" title="9.1 Normative References">
-<link href="#rfc.references.2" rel="Chapter" title="9.2 Informative References">
-<link href="#rfc.authors" rel="Chapter">
+/* fonts */
+@import url('https://fonts.googleapis.com/css?family=Noto+Sans'); /* Sans-serif */
+@import url('https://fonts.googleapis.com/css?family=Noto+Serif'); /* Serif (print) */
+@import url('https://fonts.googleapis.com/css?family=Roboto+Mono'); /* Monospace */
+
+@viewport {
+  zoom: 1.0;
+  width: extend-to-zoom;
+}
+@-ms-viewport {
+  width: extend-to-zoom;
+  zoom: 1.0;
+}
+/* general and mobile first */
+html {
+}
+body {
+  max-width: 90%;
+  margin: 1.5em auto;
+  color: #222;
+  background-color: #fff;
+  font-size: 14px;
+  font-family: 'Noto Sans', Arial, Helvetica, sans-serif;
+  line-height: 1.6;
+  scroll-behavior: smooth;
+}
+.ears {
+  display: none;
+}
+
+/* headings */
+#title, h1, h2, h3, h4, h5, h6 {
+  margin: 1em 0 0.5em;
+  font-weight: bold;
+  line-height: 1.3;
+}
+#title {
+  clear: both;
+  border-bottom: 1px solid #ddd;
+  margin: 0 0 0.5em 0;
+  padding: 1em 0 0.5em;
+}
+.author {
+  padding-bottom: 4px;
+}
+h1 {
+  font-size: 26px;
+  margin: 1em 0;
+}
+h2 {
+  font-size: 22px;
+  margin-top: -20px;  /* provide offset for in-page anchors */
+  padding-top: 33px;
+}
+h3 {
+  font-size: 18px;
+  margin-top: -36px;  /* provide offset for in-page anchors */
+  padding-top: 42px;
+}
+h4 {
+  font-size: 16px;
+  margin-top: -36px;  /* provide offset for in-page anchors */
+  padding-top: 42px;
+}
+h5, h6 {
+  font-size: 14px;
+}
+#n-copyright-notice {
+  border-bottom: 1px solid #ddd;
+  padding-bottom: 1em;
+  margin-bottom: 1em;
+}
+/* general structure */
+p {
+  padding: 0;
+  margin: 0 0 1em 0;
+  text-align: left;
+}
+div, span {
+  position: relative;
+}
+div {
+  margin: 0;
+}
+.alignRight.art-text {
+  background-color: #f9f9f9;
+  border: 1px solid #eee;
+  border-radius: 3px;
+  padding: 1em 1em 0;
+  margin-bottom: 1.5em;
+}
+.alignRight.art-text pre {
+  padding: 0;
+}
+.alignRight {
+  margin: 1em 0;
+}
+.alignRight > *:first-child {
+  border: none;
+  margin: 0;
+  float: right;
+  clear: both;
+}
+.alignRight > *:nth-child(2) {
+  clear: both;
+  display: block;
+  border: none;
+}
+svg {
+  display: block;
+}
+.alignCenter.art-text {
+  background-color: #f9f9f9;
+  border: 1px solid #eee;
+  border-radius: 3px;
+  padding: 1em 1em 0;
+  margin-bottom: 1.5em;
+}
+.alignCenter.art-text pre {
+  padding: 0;
+}
+.alignCenter {
+  margin: 1em 0;
+}
+.alignCenter > *:first-child {
+  border: none;
+  /* this isn't optimal, but it's an existence proof.  PrinceXML doesn't
+     support flexbox yet.
+  */
+  display: table;
+  margin: 0 auto;
+}
+
+/* lists */
+ol, ul {
+  padding: 0;
+  margin: 0 0 1em 2em;
+}
+ol ol, ul ul, ol ul, ul ol {
+  margin-left: 1em;
+}
+li {
+  margin: 0 0 0.25em 0;
+}
+.ulCompact li {
+  margin: 0;
+}
+ul.empty, .ulEmpty {
+  list-style-type: none;
+}
+ul.empty li, .ulEmpty li {
+  margin-top: 0.5em;
+}
+ul.ulBare, li.ulBare {
+  margin-left: 0em !important;
+}
+ul.compact, .ulCompact,
+ol.compact, .olCompact {
+  line-height: 100%;
+  margin: 0 0 0 2em;
+}
+
+/* definition lists */
+dl {
+}
+dl > dt {
+  float: left;
+  margin-right: 1em;
+}
+/* 
+dl.nohang > dt {
+  float: none;
+}
+*/
+dl > dd {
+  margin-bottom: .8em;
+  min-height: 1.3em;
+}
+dl.compact > dd, .dlCompact > dd {
+  margin-bottom: 0em;
+}
+dl > dd > dl {
+  margin-top: 0.5em;
+  margin-bottom: 0em;
+}
+
+/* links */
+a {
+  text-decoration: none;
+}
+a[href] {
+  color: #22e; /* Arlen: WCAG 2019 */
+}
+a[href]:hover {
+  background-color: #f2f2f2;
+}
+figcaption a[href],
+a[href].selfRef {
+  color: #222;
+}
+/* XXX probably not this:
+a.selfRef:hover {
+  background-color: transparent;
+  cursor: default;
+} */
+
+/* Figures */
+tt, code, pre, code {
+  background-color: #f9f9f9;
+  font-family: 'Roboto Mono', monospace;
+}
+pre {
+  border: 1px solid #eee;
+  margin: 0;
+  padding: 1em;
+}
+img {
+  max-width: 100%;
+}
+figure {
+  margin: 0;
+}
+figure blockquote {
+  margin: 0.8em 0.4em 0.4em;
+}
+figcaption {
+  font-style: italic;
+  margin: 0 0 1em 0;
+}
+@media screen {
+  pre {
+    overflow-x: auto;
+    max-width: 100%;
+    max-width: calc(100% - 22px);
+  }
+}
+
+/* aside, blockquote */
+aside, blockquote {
+  margin-left: 0;
+  padding: 1.2em 2em;
+}
+blockquote {
+  background-color: #f9f9f9;
+  color: #111; /* Arlen: WCAG 2019 */
+  border: 1px solid #ddd;
+  border-radius: 3px;
+  margin: 1em 0;
+}
+cite {
+  display: block;
+  text-align: right;
+  font-style: italic;
+}
+
+/* tables */
+table {
+  width: 100%;
+  margin: 0 0 1em;
+  border-collapse: collapse;
+  border: 1px solid #eee;
+}
+th, td {
+  text-align: left;
+  vertical-align: top;
+  padding: 0.5em 0.75em;
+}
+th {
+  text-align: left;
+  background-color: #e9e9e9;
+}
+tr:nth-child(2n+1) > td {
+  background-color: #f5f5f5;
+}
+table caption {
+  font-style: italic;
+  margin: 0;
+  padding: 0;
+  text-align: left;
+}
+table p {
+  /* XXX to avoid bottom margin on table row signifiers. If paragraphs should
+     be allowed within tables more generally, it would be far better to select on a class. */
+  margin: 0;
+}
+
+/* pilcrow */
+a.pilcrow {
+  color: #666; /* Arlen: AHDJ 2019 */
+  text-decoration: none;
+  visibility: hidden;
+  user-select: none;
+  -ms-user-select: none;
+  -o-user-select:none;
+  -moz-user-select: none;
+  -khtml-user-select: none;
+  -webkit-user-select: none;
+  -webkit-touch-callout: none;
+}
+@media screen {
+  aside:hover > a.pilcrow,
+  p:hover > a.pilcrow,
+  blockquote:hover > a.pilcrow,
+  div:hover > a.pilcrow,
+  li:hover > a.pilcrow,
+  pre:hover > a.pilcrow {
+    visibility: visible;
+  }
+  a.pilcrow:hover {
+    background-color: transparent;
+  }
+}
+
+/* misc */
+hr {
+  border: 0;
+  border-top: 1px solid #eee;
+}
+.bcp14 {
+  font-variant: small-caps;
+}
+
+.role {
+  font-variant: all-small-caps;
+}
+
+/* info block */
+#identifiers {
+  margin: 0;
+  font-size: 0.9em;
+}
+#identifiers dt {
+  width: 3em;
+  clear: left;
+}
+#identifiers dd {
+  float: left;
+  margin-bottom: 0;
+}
+#identifiers .authors .author {
+  display: inline-block;
+  margin-right: 1.5em;
+}
+#identifiers .authors .org {
+  font-style: italic;
+}
+
+/* The prepared/rendered info at the very bottom of the page */
+.docInfo {
+  color: #666; /* Arlen: WCAG 2019 */
+  font-size: 0.9em;
+  font-style: italic;
+  margin-top: 2em;
+}
+.docInfo .prepared {
+  float: left;
+}
+.docInfo .prepared {
+  float: right;
+}
+
+/* table of contents */
+#toc  {
+  padding: 0.75em 0 2em 0;
+  margin-bottom: 1em;
+}
+nav.toc ul {
+  margin: 0 0.5em 0 0;
+  padding: 0;
+  list-style: none;
+}
+nav.toc li {
+  line-height: 1.3em;
+  margin: 0.75em 0;
+  padding-left: 1.2em;
+  text-indent: -1.2em;
+}
+/* references */
+.references dt {
+  text-align: right;
+  font-weight: bold;
+  min-width: 7em;
+}
+.references dd {
+  margin-left: 8em;
+  overflow: auto;
+}
+
+.refInstance {
+  margin-bottom: 1.25em;
+}
+
+.references .ascii {
+  margin-bottom: 0.25em;
+}
+
+/* index */
+.index ul {
+  margin: 0 0 0 1em;
+  padding: 0;
+  list-style: none;
+}
+.index ul ul {
+  margin: 0;
+}
+.index li {
+  margin: 0;
+  text-indent: -2em;
+  padding-left: 2em;
+  padding-bottom: 5px;
+}
+.indexIndex {
+  margin: 0.5em 0 1em;
+}
+.index a {
+  font-weight: 700;
+}
+/* make the index two-column on all but the smallest screens */
+@media (min-width: 600px) {
+  .index ul {
+    -moz-column-count: 2;
+    -moz-column-gap: 20px;
+  }
+  .index ul ul {
+    -moz-column-count: 1;
+    -moz-column-gap: 0;
+  }
+}
+
+/* authors */
+address.vcard {
+  font-style: normal;
+  margin: 1em 0;
+}
+
+address.vcard .nameRole {
+  font-weight: 700;
+  margin-left: 0;
+}
+address.vcard .label {
+  font-family: "Noto Sans",Arial,Helvetica,sans-serif;
+  margin: 0.5em 0;
+}
+address.vcard .type {
+  display: none;
+}
+.alternative-contact {
+  margin: 1.5em 0 1em;
+}
+hr.addr {
+  border-top: 1px dashed;
+  margin: 0;
+  color: #ddd;
+  max-width: calc(100% - 16px);
+}
+
+/* temporary notes */
+.rfcEditorRemove::before {
+  position: absolute;
+  top: 0.2em;
+  right: 0.2em;
+  padding: 0.2em;
+  content: "The RFC Editor will remove this note";
+  color: #9e2a00; /* Arlen: WCAG 2019 */
+  background-color: #ffd; /* Arlen: WCAG 2019 */
+}
+.rfcEditorRemove {
+  position: relative;
+  padding-top: 1.8em;
+  background-color: #ffd; /* Arlen: WCAG 2019 */
+  border-radius: 3px;
+}
+.cref {
+  background-color: #ffd; /* Arlen: WCAG 2019 */
+  padding: 2px 4px;
+}
+.crefSource {
+  font-style: italic;
+}
+/* alternative layout for smaller screens */
+@media screen and (max-width: 1023px) {
+  body {
+    padding-top: 2em;
+  }
+  #title {
+    padding: 1em 0;
+  }
+  h1 {
+    font-size: 24px;
+  }
+  h2 {
+    font-size: 20px;
+    margin-top: -18px;  /* provide offset for in-page anchors */
+    padding-top: 38px;
+  }
+  #identifiers dd {
+    max-width: 60%;
+  }
+  #toc {
+    position: fixed;
+    z-index: 2;
+    top: 0;
+    right: 0;
+    padding: 0;
+    margin: 0;
+    background-color: inherit;
+    border-bottom: 1px solid #ccc;
+  }
+  #toc h2 {
+    margin: -1px 0 0 0;
+    padding: 4px 0 4px 6px;
+    padding-right: 1em;
+    min-width: 190px;
+    font-size: 1.1em;
+    text-align: right;
+    background-color: #444;
+    color: white;
+    cursor: pointer;
+  }
+  #toc h2::before { /* css hamburger */
+    float: right;
+    position: relative;
+    width: 1em;
+    height: 1px;
+    left: -164px;
+    margin: 6px 0 0 0;
+    background: white none repeat scroll 0 0;
+    box-shadow: 0 4px 0 0 white, 0 8px 0 0 white;
+    content: "";
+  }
+  #toc nav {
+    display: none;
+    padding: 0.5em 1em 1em;
+    overflow: auto;
+    height: calc(100vh - 48px);
+    border-left: 1px solid #ddd;
+  }
+}
+
+/* alternative layout for wide screens */
+@media screen and (min-width: 1024px) {
+  body {
+    max-width: 724px;
+    margin: 42px auto;
+    padding-left: 1.5em;
+    padding-right: 29em;
+  }
+  #toc {
+    position: fixed;
+    top: 42px;
+    right: 42px;
+    width: 25%;
+    margin: 0;
+    padding: 0 1em;
+    z-index: 1;
+  }
+  #toc h2 {
+    border-top: none;
+    border-bottom: 1px solid #ddd;
+    font-size: 1em;
+    font-weight: normal;
+    margin: 0;
+    padding: 0.25em 1em 1em 0;
+  }
+  #toc nav {
+    display: block;
+    height: calc(90vh - 84px);
+    bottom: 0;
+    padding: 0.5em 0 0;
+    overflow: auto;
+  }
+  img { /* future proofing */
+    max-width: 100%;
+    height: auto;
+  }
+}
+
+/* pagination */
+@media print {
+  body {
+
+    width: 100%;
+  }
+  p {
+    orphans: 3;
+    widows: 3;
+  }
+  #n-copyright-notice {
+    border-bottom: none;
+  }
+  #toc, #n-introduction {
+    page-break-before: always;
+  }
+  #toc {
+    border-top: none;
+    padding-top: 0;
+  }
+  figure, pre {
+    page-break-inside: avoid;
+  }
+  figure {
+    overflow: scroll;
+  }
+  h1, h2, h3, h4, h5, h6 {
+    page-break-after: avoid;
+  }
+  h2+*, h3+*, h4+*, h5+*, h6+* {
+    page-break-before: avoid;
+  }
+  pre {
+    white-space: pre-wrap;
+    word-wrap: break-word;
+    font-size: 10pt;
+  }
+  table {
+    border: 1px solid #ddd;
+  }
+  td {
+    border-top: 1px solid #ddd;
+  }
+}
+
+/* This is commented out here, as the string-set: doesn't
+   pass W3C validation currently */
+/*
+.ears thead .left {
+  string-set: ears-top-left content();
+}
+
+.ears thead .center {
+  string-set: ears-top-center content();
+}
+
+.ears thead .right {
+  string-set: ears-top-right content();
+}
+
+.ears tfoot .left {
+  string-set: ears-bottom-left content();
+}
+
+.ears tfoot .center {
+  string-set: ears-bottom-center content();
+}
+
+.ears tfoot .right {
+  string-set: ears-bottom-right content();
+}
+*/
+
+@page :first {
+  padding-top: 0;
+  @top-left {
+    content: normal;
+    border: none;
+  }
+  @top-center {
+    content: normal;
+    border: none;
+  }
+  @top-right {
+    content: normal;
+    border: none;
+  }
+}
+
+@page {
+  size: A4;
+  margin-bottom: 45mm;
+  padding-top: 20px;
+  /* The follwing is commented out here, but set appropriately by in code, as
+     the content depends on the document */
+  /*
+  @top-left {
+    content: 'Internet-Draft';
+    vertical-align: bottom;
+    border-bottom: solid 1px #ccc;
+  }
+  @top-left {
+    content: string(ears-top-left);
+    vertical-align: bottom;
+    border-bottom: solid 1px #ccc;
+  }
+  @top-center {
+    content: string(ears-top-center);
+    vertical-align: bottom;
+    border-bottom: solid 1px #ccc;
+  }
+  @top-right {
+    content: string(ears-top-right);
+    vertical-align: bottom;
+    border-bottom: solid 1px #ccc;
+  }
+  @bottom-left {
+    content: string(ears-bottom-left);
+    vertical-align: top;
+    border-top: solid 1px #ccc;
+  }
+  @bottom-center {
+    content: string(ears-bottom-center);
+    vertical-align: top;
+    border-top: solid 1px #ccc;
+  }
+  @bottom-right {
+      content: '[Page ' counter(page) ']';
+      vertical-align: top;
+      border-top: solid 1px #ccc;
+  }
+  */
+
+}
+
+/* Changes introduced to fix issues found during implementation */
+/* Make sure links are clickable even if overlapped by following H* */
+a {
+  z-index: 2;
+}
+/* Separate body from document info even without intervening H1 */
+section {
+  clear: both;
+}
 
 
-  <meta name="generator" content="xml2rfc version 2.23.1 - https://tools.ietf.org/tools/xml2rfc" />
-  <link rel="schema.dct" href="http://purl.org/dc/terms/" />
+/* Top align author divs, to avoid names without organization dropping level with org names */
+.author {
+  vertical-align: top;
+}
 
-  <meta name="dct.creator" content="Dulaunoy, A. and A. Iklody" />
-  <meta name="dct.identifier" content="urn:ietf:id:" />
-  <meta name="dct.issued" scheme="ISO8601" content="2020-10-21" />
-  <meta name="dct.abstract" content="This document describes the MISP core format used to exchange indicators and threat information between MISP (Open Source Threat Intelligence Sharing Platform formerly known as Malware Information Sharing Platform) instances.  The JSON format includes the overall structure along with the semantic associated for each respective key. The format is described to support other implementations which reuse the format and ensuring an interoperability with existing MISP  software and other Threat Intelligence Platforms." />
-  <meta name="description" content="This document describes the MISP core format used to exchange indicators and threat information between MISP (Open Source Threat Intelligence Sharing Platform formerly known as Malware Information Sharing Platform) instances.  The JSON format includes the overall structure along with the semantic associated for each respective key. The format is described to support other implementations which reuse the format and ensuring an interoperability with existing MISP  software and other Threat Intelligence Platforms." />
+/* Leave room in document info to show Internet-Draft on one line */
+#identifiers dt {
+  width: 8em;
+}
 
+/* Don't waste quite as much whitespace between label and value in doc info */
+#identifiers dd {
+  margin-left: 1em;
+}
+
+/* Give floating toc a background color (needed when it's a div inside section */
+#toc {
+  background-color: white;
+}
+
+/* Make the collapsed ToC header render white on gray also when it's a link */
+@media screen and (max-width: 1023px) {
+  #toc h2 a,
+  #toc h2 a:link,
+  #toc h2 a:focus,
+  #toc h2 a:hover,
+  #toc a.toplink,
+  #toc a.toplink:hover {
+    color: white;
+    background-color: #444;
+    text-decoration: none;
+  }
+}
+
+/* Give the bottom of the ToC some whitespace */
+@media screen and (min-width: 1024px) {
+  #toc {
+    padding: 0 0 1em 1em;
+  }
+}
+
+/* Style section numbers with more space between number and title */
+.section-number {
+  padding-right: 0.5em;
+}
+
+/* prevent monospace from becoming overly large */
+tt, code, pre, code {
+  font-size: 95%;
+}
+
+/* Fix the height/width aspect for ascii art*/
+pre.sourcecode,
+.art-text pre {
+  line-height: 1.12;
+}
+
+
+/* Add styling for a link in the ToC that points to the top of the document */
+a.toplink {
+  float: right;
+  margin-right: 0.5em;
+}
+
+/* Fix the dl styling to match the RFC 7992 attributes */
+dl > dt,
+dl.dlParallel > dt {
+  float: left;
+  margin-right: 1em;
+}
+dl.dlNewline > dt {
+  float: none;
+}
+
+/* Provide styling for table cell text alignment */
+table td.text-left,
+table th.text-left {
+  text-align: left;
+}
+table td.text-center,
+table th.text-center {
+  text-align: center;
+}
+table td.text-right,
+table th.text-right {
+  text-align: right;
+}
+
+/* Make the alternative author contact informatio look less like just another
+   author, and group it closer with the primary author contact information */
+.alternative-contact {
+  margin: 0.5em 0 0.25em 0;
+}
+address .non-ascii {
+  margin: 0 0 0 2em;
+}
+
+/* With it being possible to set tables with alignment
+  left, center, and right, { width: 100%; } does not make sense */
+table {
+  width: auto;
+}
+
+/* Avoid reference text that sits in a block with very wide left margin,
+   because of a long floating dt label.*/
+.references dd {
+  overflow: visible;
+}
+
+/* Control caption placement */
+caption {
+  caption-side: bottom;
+}
+
+/* Limit the width of the author address vcard, so names in right-to-left
+   script don't end up on the other side of the page. */
+
+address.vcard {
+  max-width: 30em;
+  margin-right: auto;
+}
+
+/* For address alignment dependent on LTR or RTL scripts */
+address div.left {
+  text-align: left;
+}
+address div.right {
+  text-align: right;
+}
+
+/* Provide table alignment support.  We can't use the alignX classes above
+   since they do unwanted things with caption and other styling. */
+table.right {
+ margin-left: auto;
+ margin-right: 0;
+}
+table.center {
+ margin-left: auto;
+ margin-right: auto;
+}
+table.left {
+ margin-left: 0;
+ margin-right: auto;
+}
+
+/* Give the table caption label the same styling as the figcaption */
+caption a[href] {
+  color: #222;
+}
+
+@media print {
+  .toplink {
+    display: none;
+  }
+
+  /* avoid overwriting the top border line with the ToC header */
+  #toc {
+    padding-top: 1px;
+  }
+
+  /* Avoid page breaks inside dl and author address entries */
+  .vcard {
+    page-break-inside: avoid;
+  }
+
+}
+/* Tweak the bcp14 keyword presentation */
+.bcp14 {
+  font-variant: small-caps;
+  font-weight: bold;
+  font-size: 0.9em;
+}
+/* Tweak the invisible space above H* in order not to overlay links in text above */
+ h2 {
+  margin-top: -18px;  /* provide offset for in-page anchors */
+  padding-top: 31px;
+ }
+ h3 {
+  margin-top: -18px;  /* provide offset for in-page anchors */
+  padding-top: 24px;
+ }
+ h4 {
+  margin-top: -18px;  /* provide offset for in-page anchors */
+  padding-top: 24px;
+ }
+/* Float artwork pilcrow to the right */
+@media screen {
+  .artwork a.pilcrow {
+    display: block;
+    line-height: 0.7;
+    margin-top: 0.15em;
+  }
+}
+/* Make pilcrows on dd visible */
+@media screen {
+  dd:hover > a.pilcrow {
+    visibility: visible;
+  }
+}
+/* Make the placement of figcaption match that of a table's caption
+   by removing the figure's added bottom margin */
+.alignLeft.art-text,
+.alignCenter.art-text,
+.alignRight.art-text {
+   margin-bottom: 0;
+}
+.alignLeft,
+.alignCenter,
+.alignRight {
+  margin: 1em 0 0 0;
+}
+/* In print, the pilcrow won't show on hover, so prevent it from taking up space,
+   possibly even requiring a new line */
+@media print {
+  a.pilcrow {
+    display: none;
+  }
+}
+/* Styling for the external metadata */
+div#external-metadata {
+  background-color: #eee;
+  padding: 0.5em;
+  margin-bottom: 0.5em;
+  display: none;
+}
+div#internal-metadata {
+  padding: 0.5em;                       /* to match the external-metadata padding */
+}
+/* Styling for title RFC Number */
+h1#rfcnum {
+  clear: both;
+  margin: 0 0 -1em;
+  padding: 1em 0 0 0;
+}
+/* Make .olPercent look the same as <ol><li> */
+dl.olPercent > dd {
+  margin-bottom: 0.25em;
+  min-height: initial;
+}
+/* Give aside some styling to set it apart */
+aside {
+  border-left: 1px solid #ddd;
+  margin: 1em 0 1em 2em;
+  padding: 0.2em 2em;
+}
+aside > dl,
+aside > ol,
+aside > ul,
+aside > table,
+aside > p {
+  margin-bottom: 0.5em;
+}
+/* Additional page break settings */
+@media print {
+  figcaption, table caption {
+    page-break-before: avoid;
+  }
+}
+/* Font size adjustments for print */
+@media print {
+  body  { font-size: 10pt;      line-height: normal; max-width: 96%; }
+  h1    { font-size: 1.72em;    padding-top: 1.5em; } /* 1*1.2*1.2*1.2 */
+  h2    { font-size: 1.44em;    padding-top: 1.5em; } /* 1*1.2*1.2 */
+  h3    { font-size: 1.2em;     padding-top: 1.5em; } /* 1*1.2 */
+  h4    { font-size: 1em;       padding-top: 1.5em; }
+  h5, h6 { font-size: 1em;      margin: initial; padding: 0.5em 0 0.3em; }
+}
+/* Sourcecode margin in print, when there's no pilcrow */
+@media print {
+  .artwork,
+  .sourcecode {
+    margin-bottom: 1em;
+  }
+}
+/* Avoid narrow tables forcing too narrow table captions, which may render badly */
+table {
+  min-width: 20em;
+}
+/* ol type a */
+ol.type-a { list-style-type: lower-alpha; }
+ol.type-A { list-style-type: upper-alpha; }
+ol.type-i { list-style-type: lower-roman; }
+ol.type-I { list-style-type: lower-roman; }
+/* Apply the print table and row borders in general, on request from the RPC,
+and increase the contrast between border and odd row background sligthtly */
+table {
+  border: 1px solid #ddd;
+}
+td {
+  border-top: 1px solid #ddd;
+}
+tr:nth-child(2n+1) > td {
+  background-color: #f8f8f8;
+}
+/* Use style rules to govern display of the TOC. */
+@media screen and (max-width: 1023px) {
+  #toc nav { display: none; }
+  #toc.active nav { display: block; }
+}
+/* Add support for keepWithNext */
+.keepWithNext {
+  break-after: avoid-page;
+  break-after: avoid-page;
+}
+/* Add support for keepWithPrevious */
+.keepWithPrevious {
+  break-before: avoid-page;
+}
+/* Change the approach to avoiding breaks inside artwork etc. */
+figure, pre, table, .artwork, .sourcecode  {
+  break-before: avoid-page;
+  break-after: auto;
+}
+/* Avoid breaks between <dt> and <dd> */
+dl {
+  break-before: auto;
+  break-inside: auto;
+}
+dt {
+  break-before: auto;
+  break-after: avoid-page;
+}
+dd {
+  break-before: avoid-page;
+  break-after: auto;
+  orphans: 3;
+  widows: 3
+}
+span.break, dd.break {
+  margin-bottom: 0;
+  min-height: 0;
+  break-before: auto;
+  break-inside: auto;
+  break-after: auto;
+}
+/* Undo break-before ToC */
+@media print {
+  #toc {
+    break-before: auto;
+  }
+}
+/* Text in compact lists should not get extra bottim margin space,
+   since that would makes the list not compact */
+ul.compact p, .ulCompact p,
+ol.compact p, .olCompact p {
+ margin: 0;
+}
+/* But the list as a whole needs the extra space at the end */
+section ul.compact,
+section .ulCompact,
+section ol.compact,
+section .olCompact {
+  margin-bottom: 1em;                    /* same as p not within ul.compact etc. */
+}
+/* The tt and code background above interferes with for instance table cell
+   backgrounds.  Changed to something a bit more selective. */
+tt, code {
+  background-color: transparent;
+}
+p tt, p code, li tt, li code {
+  background-color: #f8f8f8;
+}
+/* Tweak the pre margin -- 0px doesn't come out well */
+pre {
+   margin-top: 0.5px;
+}
+/* Tweak the comact list text */
+ul.compact, .ulCompact,
+ol.compact, .olCompact,
+dl.compact, .dlCompact {
+  line-height: normal;
+}
+/* Don't add top margin for nested lists */
+li > ul, li > ol, li > dl,
+dd > ul, dd > ol, dd > dl,
+dl > dd > dl {
+  margin-top: initial;
+}
+/* Elements that should not be rendered on the same line as a <dt> */
+/* This should match the element list in writer.text.TextWriter.render_dl() */
+dd > div.artwork:first-child,
+dd > aside:first-child,
+dd > figure:first-child,
+dd > ol:first-child,
+dd > div:first-child > pre.sourcecode,
+dd > table:first-child,
+dd > ul:first-child {
+  clear: left;
+}
+/* fix for weird browser behaviour when <dd/> is empty */
+dt+dd:empty::before{
+  content: "\00a0";
+}
+/* Make paragraph spacing inside <li> smaller than in body text, to fit better within the list */
+li > p {
+  margin-bottom: 0.5em
+}
+/* Don't let p margin spill out from inside list items */
+li > p:last-of-type {
+  margin-bottom: 0;
+}
+</style>
+<link href="rfc-local.css" rel="stylesheet" type="text/css">
+<script type="application/javascript">async function addMetadata(){try{const e=document.styleSheets[0].cssRules;for(let t=0;t<e.length;t++)if(/#identifiers/.exec(e[t].selectorText)){const a=e[t].cssText.replace("#identifiers","#external-updates");document.styleSheets[0].insertRule(a,document.styleSheets[0].cssRules.length)}}catch(e){console.log(e)}const e=document.getElementById("external-metadata");if(e)try{var t,a="",o=function(e){const t=document.getElementsByTagName("meta");for(let a=0;a<t.length;a++)if(t[a].getAttribute("name")===e)return t[a].getAttribute("content");return""}("rfc.number");if(o){t="https://www.rfc-editor.org/rfc/rfc"+o+".json";try{const e=await fetch(t);a=await e.json()}catch(e){t=document.URL.indexOf("html")>=0?document.URL.replace(/html$/,"json"):document.URL+".json";const o=await fetch(t);a=await o.json()}}if(!a)return;e.style.display="block";const s="",d="https://datatracker.ietf.org/doc",n="https://datatracker.ietf.org/ipr/search",c="https://www.rfc-editor.org/info",l=a.doc_id.toLowerCase(),i=a.doc_id.slice(0,3).toLowerCase(),f=a.doc_id.slice(3).replace(/^0+/,""),u={status:"Status",obsoletes:"Obsoletes",obsoleted_by:"Obsoleted By",updates:"Updates",updated_by:"Updated By",see_also:"See Also",errata_url:"Errata"};let h="<dl style='overflow:hidden' id='external-updates'>";["status","obsoletes","obsoleted_by","updates","updated_by","see_also","errata_url"].forEach(e=>{if("status"==e){a[e]=a[e].toLowerCase();var t=a[e].split(" "),o=t.length,w="",p=1;for(let e=0;e<o;e++)p<o?w=w+r(t[e])+" ":w+=r(t[e]),p++;a[e]=w}else if("obsoletes"==e||"obsoleted_by"==e||"updates"==e||"updated_by"==e){var g,m="",b=1;g=a[e].length;for(let t=0;t<g;t++)a[e][t]&&(a[e][t]=String(a[e][t]).toLowerCase(),m=b<g?m+"<a href='"+s+"/rfc/".concat(a[e][t])+"'>"+a[e][t].slice(3)+"</a>, ":m+"<a href='"+s+"/rfc/".concat(a[e][t])+"'>"+a[e][t].slice(3)+"</a>",b++);a[e]=m}else if("see_also"==e){var y,L="",C=1;y=a[e].length;for(let t=0;t<y;t++)if(a[e][t]){a[e][t]=String(a[e][t]);var _=a[e][t].slice(0,3),v=a[e][t].slice(3).replace(/^0+/,"");L=C<y?"RFC"!=_?L+"<a href='"+s+"/info/"+_.toLowerCase().concat(v.toLowerCase())+"'>"+_+" "+v+"</a>, ":L+"<a href='"+s+"/info/"+_.toLowerCase().concat(v.toLowerCase())+"'>"+v+"</a>, ":"RFC"!=_?L+"<a href='"+s+"/info/"+_.toLowerCase().concat(v.toLowerCase())+"'>"+_+" "+v+"</a>":L+"<a href='"+s+"/info/"+_.toLowerCase().concat(v.toLowerCase())+"'>"+v+"</a>",C++}a[e]=L}else if("errata_url"==e){var R="";R=a[e]?R+"<a href='"+a[e]+"'>Errata exist</a> | <a href='"+d+"/"+l+"'>Datatracker</a>| <a href='"+n+"/?"+i+"="+f+"&submit="+i+"'>IPR</a> | <a href='"+c+"/"+l+"'>Info page</a>":"<a href='"+d+"/"+l+"'>Datatracker</a> | <a href='"+n+"/?"+i+"="+f+"&submit="+i+"'>IPR</a> | <a href='"+c+"/"+l+"'>Info page</a>",a[e]=R}""!=a[e]?"Errata"==u[e]?h+=`<dt>More info:</dt><dd>${a[e]}</dd>`:h+=`<dt>${u[e]}:</dt><dd>${a[e]}</dd>`:"Errata"==u[e]&&(h+=`<dt>More info:</dt><dd>${a[e]}</dd>`)}),h+="</dl>",e.innerHTML=h}catch(e){console.log(e)}else console.log("Could not locate metadata <div> element");function r(e){return e.charAt(0).toUpperCase()+e.slice(1)}}window.removeEventListener("load",addMetadata),window.addEventListener("load",addMetadata);</script>
 </head>
-
 <body>
-
-  <table class="header">
-    <tbody>
-    
-    	<tr>
-<td class="left">Network Working Group</td>
-<td class="right">A. Dulaunoy</td>
-</tr>
-<tr>
+<script src="metadata.min.js"></script>
+<table class="ears">
+<thead><tr>
 <td class="left">Internet-Draft</td>
-<td class="right">A. Iklody</td>
-</tr>
-<tr>
-<td class="left">Expires: April 24, 2021</td>
-<td class="right">CIRCL</td>
-</tr>
-<tr>
-<td class="left"></td>
-<td class="right">October 21, 2020</td>
-</tr>
-
-    	
-    </tbody>
-  </table>
-
-  <p class="title">MISP core format<br />
-  <span class="filename"></span></p>
-  
-  <h1 id="rfc.abstract"><a href="#rfc.abstract">Abstract</a></h1>
-<p>This document describes the MISP core format used to exchange indicators and threat information between MISP (Open Source Threat Intelligence Sharing Platform formerly known as Malware Information Sharing Platform) instances.  The JSON format includes the overall structure along with the semantic associated for each respective key. The format is described to support other implementations which reuse the format and ensuring an interoperability with existing MISP <a href="#MISP-P" class="xref">[MISP-P]</a> software and other Threat Intelligence Platforms.</p>
-<h1 id="rfc.status"><a href="#rfc.status">Status of This Memo</a></h1>
-<p>This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.</p>
-<p>Internet-Drafts are working documents of the Internet Engineering Task Force (IETF).  Note that other groups may also distribute working documents as Internet-Drafts.  The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.</p>
-<p>Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time.  It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."</p>
-<p>This Internet-Draft will expire on April 24, 2021.</p>
-<h1 id="rfc.copyrightnotice"><a href="#rfc.copyrightnotice">Copyright Notice</a></h1>
-<p>Copyright (c) 2020 IETF Trust and the persons identified as the document authors.  All rights reserved.</p>
-<p>This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document.  Please review these documents carefully, as they describe your rights and restrictions with respect to this document.  Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.</p>
-
-  
-  <hr class="noprint" />
-  <h1 class="np" id="rfc.toc"><a href="#rfc.toc">Table of Contents</a></h1>
-  <ul class="toc">
-
-  	<li>1.   <a href="#rfc.section.1">Introduction</a>
-</li>
-<ul><li>1.1.   <a href="#rfc.section.1.1">Conventions and Terminology</a>
-</li>
-</ul><li>2.   <a href="#rfc.section.2">Format</a>
-</li>
-<ul><li>2.1.   <a href="#rfc.section.2.1">Overview</a>
-</li>
-<li>2.2.   <a href="#rfc.section.2.2">Event</a>
-</li>
-<ul><li>2.2.1.   <a href="#rfc.section.2.2.1">Event Attributes</a>
-</li>
-</ul><li>2.3.   <a href="#rfc.section.2.3">Objects</a>
-</li>
-<ul><li>2.3.1.   <a href="#rfc.section.2.3.1">Org</a>
-</li>
-<li>2.3.2.   <a href="#rfc.section.2.3.2">Orgc</a>
-</li>
-</ul><li>2.4.   <a href="#rfc.section.2.4">Attribute</a>
-</li>
-<ul><li>2.4.1.   <a href="#rfc.section.2.4.1">Sample Attribute Object</a>
-</li>
-<li>2.4.2.   <a href="#rfc.section.2.4.2">Attribute Attributes</a>
-</li>
-</ul><li>2.5.   <a href="#rfc.section.2.5">ShadowAttribute</a>
-</li>
-<ul><li>2.5.1.   <a href="#rfc.section.2.5.1">Sample Attribute Object</a>
-</li>
-<li>2.5.2.   <a href="#rfc.section.2.5.2">ShadowAttribute Attributes</a>
-</li>
-<li>2.5.3.   <a href="#rfc.section.2.5.3">Org</a>
-</li>
-</ul><li>2.6.   <a href="#rfc.section.2.6">Object</a>
-</li>
-<ul><li>2.6.1.   <a href="#rfc.section.2.6.1">Sample Object</a>
-</li>
-<li>2.6.2.   <a href="#rfc.section.2.6.2">Object Attributes</a>
-</li>
-</ul><li>2.7.   <a href="#rfc.section.2.7">Object References</a>
-</li>
-<ul><li>2.7.1.   <a href="#rfc.section.2.7.1">Sample ObjectReference object</a>
-</li>
-<li>2.7.2.   <a href="#rfc.section.2.7.2">ObjectReference Attributes</a>
-</li>
-</ul><li>2.8.   <a href="#rfc.section.2.8">EventReport</a>
-</li>
-<ul><li>2.8.1.   <a href="#rfc.section.2.8.1">id</a>
-</li>
-<li>2.8.2.   <a href="#rfc.section.2.8.2">UUID</a>
-</li>
-<li>2.8.3.   <a href="#rfc.section.2.8.3">event_id</a>
-</li>
-<li>2.8.4.   <a href="#rfc.section.2.8.4">name</a>
-</li>
-<li>2.8.5.   <a href="#rfc.section.2.8.5">content</a>
-</li>
-<li>2.8.6.   <a href="#rfc.section.2.8.6">distribution</a>
-</li>
-<li>2.8.7.   <a href="#rfc.section.2.8.7">sharing_group_id</a>
-</li>
-<li>2.8.8.   <a href="#rfc.section.2.8.8">timestamp</a>
-</li>
-<li>2.8.9.   <a href="#rfc.section.2.8.9">deleted</a>
-</li>
-</ul><li>2.9.   <a href="#rfc.section.2.9">Tag</a>
-</li>
-<ul><li>2.9.1.   <a href="#rfc.section.2.9.1">Sample Tag</a>
-</li>
-</ul><li>2.10.   <a href="#rfc.section.2.10">Sighting</a>
-</li>
-<ul><li>2.10.1.   <a href="#rfc.section.2.10.1">Sample Sighting</a>
-</li>
-</ul><li>2.11.   <a href="#rfc.section.2.11">Galaxy</a>
-</li>
-<ul><li>2.11.1.   <a href="#rfc.section.2.11.1">Sample Galaxy</a>
-</li>
-</ul></ul><li>3.   <a href="#rfc.section.3">JSON Schema</a>
-</li>
-<li>4.   <a href="#rfc.section.4">Manifest</a>
-</li>
-<ul><li>4.1.   <a href="#rfc.section.4.1">Format</a>
-</li>
-<ul><li>4.1.1.   <a href="#rfc.section.4.1.1">Sample Manifest</a>
-</li>
-</ul></ul><li>5.   <a href="#rfc.section.5">Implementation</a>
-</li>
-<li>6.   <a href="#rfc.section.6">Security Considerations</a>
-</li>
-<li>7.   <a href="#rfc.section.7">Acknowledgements</a>
-</li>
-<li>8.   <a href="#rfc.section.8">References</a>
-</li>
-<li>9.   <a href="#rfc.references">References</a>
-</li>
-<ul><li>9.1.   <a href="#rfc.references.1">Normative References</a>
-</li>
-<li>9.2.   <a href="#rfc.references.2">Informative References</a>
-</li>
-</ul><li><a href="#rfc.authors">Authors' Addresses</a>
-</li>
-
-
-  </ul>
-
-  <h1 id="rfc.section.1">
-<a href="#rfc.section.1">1.</a> <a href="#introduction" id="introduction">Introduction</a>
-</h1>
-<p id="rfc.section.1.p.1">Sharing threat information became a fundamental requirements in the Internet, security and intelligence community at large. Threat information can include indicators of compromise, malicious file indicators, financial fraud indicators or even detailed information about a threat actor. MISP <a href="#MISP-P" class="xref">[MISP-P]</a> started as an open source project in late 2011 and the MISP format started to be widely used as an exchange format within the community in the past years. The aim of this document is to describe the specification and the MISP core format.</p>
-<h1 id="rfc.section.1.1">
-<a href="#rfc.section.1.1">1.1.</a> <a href="#conventions-and-terminology" id="conventions-and-terminology">Conventions and Terminology</a>
-</h1>
-<p id="rfc.section.1.1.p.1">The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 <a href="#RFC2119" class="xref">[RFC2119]</a>.</p>
-<h1 id="rfc.section.2">
-<a href="#rfc.section.2">2.</a> <a href="#format" id="format">Format</a>
-</h1>
-<h1 id="rfc.section.2.1">
-<a href="#rfc.section.2.1">2.1.</a> <a href="#overview" id="overview">Overview</a>
-</h1>
-<p id="rfc.section.2.1.p.1">The MISP core format is in the JSON <a href="#RFC8259" class="xref">[RFC8259]</a> format. In MISP, an event is composed of a single JSON object.</p>
-<p id="rfc.section.2.1.p.2">A capitalized key (like Event, Org) represent a data model and a non-capitalised key is just an attribute. This nomenclature can support an implementation to represent the MISP format in another data structure.</p>
-<h1 id="rfc.section.2.2">
-<a href="#rfc.section.2.2">2.2.</a> <a href="#event" id="event">Event</a>
-</h1>
-<p id="rfc.section.2.2.p.1">An event is a simple meta structure scheme where attributes and meta-data are embedded to compose a coherent set of indicators. An event can be composed from an incident, a security analysis report or a specific threat actor analysis. The meaning of an event only depends of the information embedded in the event.</p>
-<h1 id="rfc.section.2.2.1">
-<a href="#rfc.section.2.2.1">2.2.1.</a> <a href="#event-attributes" id="event-attributes">Event Attributes</a>
-</h1>
-<h1 id="rfc.section.2.2.1.1">
-<a href="#rfc.section.2.2.1.1">2.2.1.1.</a> <a href="#uuid" id="uuid">uuid</a>
-</h1>
-<p id="rfc.section.2.2.1.1.p.1">uuid represents the Universally Unique IDentifier (UUID) <a href="#RFC4122" class="xref">[RFC4122]</a> of the event. The uuid MUST be preserved for any updates or transfer of the same event. UUID version 4 is RECOMMENDED when assigning it to a new event.</p>
-<p id="rfc.section.2.2.1.1.p.2">uuid is represented as a JSON string. uuid MUST be present.</p>
-<h1 id="rfc.section.2.2.1.2">
-<a href="#rfc.section.2.2.1.2">2.2.1.2.</a> <a href="#id" id="id">id</a>
-</h1>
-<p id="rfc.section.2.2.1.2.p.1">id represents the human-readable identifier associated to the event for a specific MISP instance.  A human-readable identifier MUST be represented as an unsigned integer.</p>
-<p id="rfc.section.2.2.1.2.p.2">id is represented as a JSON string. id SHALL be present.</p>
-<h1 id="rfc.section.2.2.1.3">
-<a href="#rfc.section.2.2.1.3">2.2.1.3.</a> <a href="#published" id="published">published</a>
-</h1>
-<p id="rfc.section.2.2.1.3.p.1">published represents the event publication state. If the event was published, the published value MUST be true.  In any other publication state, the published value MUST be false.</p>
-<p id="rfc.section.2.2.1.3.p.2">published is represented as a JSON boolean. published MUST be present.</p>
-<h1 id="rfc.section.2.2.1.4">
-<a href="#rfc.section.2.2.1.4">2.2.1.4.</a> <a href="#info" id="info">info</a>
-</h1>
-<p id="rfc.section.2.2.1.4.p.1">info represents the information field of the event. info is a free-text value to provide a human-readable summary of the event. info SHOULD NOT be bigger than 256 characters and SHOULD NOT include new-lines.</p>
-<p id="rfc.section.2.2.1.4.p.2">info is represented as a JSON string. info MUST be present.</p>
-<h1 id="rfc.section.2.2.1.5">
-<a href="#rfc.section.2.2.1.5">2.2.1.5.</a> <a href="#threat-level-id" id="threat-level-id">threat_level_id</a>
-</h1>
-<p id="rfc.section.2.2.1.5.p.1">threat<em>level</em>id represents the threat level.</p>
-<p></p>
-
-<dl>
-<dt>4:</dt>
-<dd style="margin-left: 8">
-<br>Undefined</dd>
-<dt>3:</dt>
-<dd style="margin-left: 8">
-<br>Low</dd>
-<dt>2:</dt>
-<dd style="margin-left: 8">
-<br>Medium</dd>
-<dt>1:</dt>
-<dd style="margin-left: 8">
-<br>High</dd>
+<td class="center">MISP core format</td>
+<td class="right">October 2021</td>
+</tr></thead>
+<tfoot><tr>
+<td class="left">Dulaunoy &amp; Iklody</td>
+<td class="center">Expires 1 May 2022</td>
+<td class="right">[Page]</td>
+</tr></tfoot>
+</table>
+<div id="external-metadata" class="document-information"></div>
+<div id="internal-metadata" class="document-information">
+<dl id="identifiers">
+<dt class="label-workgroup">Workgroup:</dt>
+<dd class="workgroup">Network Working Group</dd>
+<dt class="label-internet-draft">Internet-Draft:</dt>
+<dd class="internet-draft">draft-00</dd>
+<dt class="label-published">Published:</dt>
+<dd class="published">
+<time datetime="2021-10-28" class="published">28 October 2021</time>
+    </dd>
+<dt class="label-intended-status">Intended Status:</dt>
+<dd class="intended-status">Informational</dd>
+<dt class="label-expires">Expires:</dt>
+<dd class="expires"><time datetime="2022-05-01">1 May 2022</time></dd>
+<dt class="label-authors">Authors:</dt>
+<dd class="authors">
+<div class="author">
+      <div class="author-name">A. Dulaunoy</div>
+<div class="org">CIRCL</div>
+</div>
+<div class="author">
+      <div class="author-name">A. Iklody</div>
+<div class="org">CIRCL</div>
+</div>
+</dd>
 </dl>
-
-<p> </p>
-<p id="rfc.section.2.2.1.5.p.3">If a higher granularity is required, a MISP taxonomy applied as a Tag SHOULD be preferred.</p>
-<p id="rfc.section.2.2.1.5.p.4">threat<em>level</em>id is represented as a JSON string. threat<em>level</em>id SHALL be present.</p>
-<h1 id="rfc.section.2.2.1.6">
-<a href="#rfc.section.2.2.1.6">2.2.1.6.</a> <a href="#analysis" id="analysis">analysis</a>
-</h1>
-<p id="rfc.section.2.2.1.6.p.1">analysis represents the analysis level.</p>
-<p></p>
-
-<dl>
-<dt>0:</dt>
-<dd style="margin-left: 8">
-<br>Initial</dd>
-<dt>1:</dt>
-<dd style="margin-left: 8">
-<br>Ongoing</dd>
-<dt>2:</dt>
-<dd style="margin-left: 8">
-<br>Complete</dd>
+</div>
+<h1 id="title">MISP core format</h1>
+<section id="section-abstract">
+      <h2 id="abstract"><a href="#abstract" class="selfRef">Abstract</a></h2>
+<p id="section-abstract-1">This document describes the MISP core format used to exchange indicators and threat information between
+MISP (Open Source Threat Intelligence Sharing Platform formerly known as Malware Information Sharing Platform) instances.
+The JSON format includes the overall structure along with the semantic associated for each
+respective key. The format is described to support other implementations which reuse the
+format and ensuring an interoperability with existing MISP <span>[<a href="#MISP-P" class="xref">MISP-P</a>]</span> software and other Threat Intelligence Platforms.<a href="#section-abstract-1" class="pilcrow">¶</a></p>
+</section>
+<div id="status-of-memo">
+<section id="section-boilerplate.1">
+        <h2 id="name-status-of-this-memo">
+<a href="#name-status-of-this-memo" class="section-name selfRef">Status of This Memo</a>
+        </h2>
+<p id="section-boilerplate.1-1">
+        This Internet-Draft is submitted in full conformance with the
+        provisions of BCP 78 and BCP 79.<a href="#section-boilerplate.1-1" class="pilcrow">¶</a></p>
+<p id="section-boilerplate.1-2">
+        Internet-Drafts are working documents of the Internet Engineering Task
+        Force (IETF). Note that other groups may also distribute working
+        documents as Internet-Drafts. The list of current Internet-Drafts is
+        at <span><a href="https://datatracker.ietf.org/drafts/current/">https://datatracker.ietf.org/drafts/current/</a></span>.<a href="#section-boilerplate.1-2" class="pilcrow">¶</a></p>
+<p id="section-boilerplate.1-3">
+        Internet-Drafts are draft documents valid for a maximum of six months
+        and may be updated, replaced, or obsoleted by other documents at any
+        time. It is inappropriate to use Internet-Drafts as reference
+        material or to cite them other than as "work in progress."<a href="#section-boilerplate.1-3" class="pilcrow">¶</a></p>
+<p id="section-boilerplate.1-4">
+        This Internet-Draft will expire on 1 May 2022.<a href="#section-boilerplate.1-4" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="copyright">
+<section id="section-boilerplate.2">
+        <h2 id="name-copyright-notice">
+<a href="#name-copyright-notice" class="section-name selfRef">Copyright Notice</a>
+        </h2>
+<p id="section-boilerplate.2-1">
+            Copyright (c) 2021 IETF Trust and the persons identified as the
+            document authors. All rights reserved.<a href="#section-boilerplate.2-1" class="pilcrow">¶</a></p>
+<p id="section-boilerplate.2-2">
+            This document is subject to BCP 78 and the IETF Trust's Legal
+            Provisions Relating to IETF Documents
+            (<span><a href="https://trustee.ietf.org/license-info">https://trustee.ietf.org/license-info</a></span>) in effect on the date of
+            publication of this document. Please review these documents
+            carefully, as they describe your rights and restrictions with
+            respect to this document.<a href="#section-boilerplate.2-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="toc">
+<section id="section-toc.1">
+        <a href="#" onclick="scroll(0,0)" class="toplink">▲</a><h2 id="name-table-of-contents">
+<a href="#name-table-of-contents" class="section-name selfRef">Table of Contents</a>
+        </h2>
+<nav class="toc"><ul class="ulBare toc compact ulEmpty">
+<li class="ulBare toc compact ulEmpty" id="section-toc.1-1.1">
+            <p id="section-toc.1-1.1.1" class="keepWithNext"><a href="#section-1" class="xref">1</a>.  <a href="#name-introduction" class="xref">Introduction</a></p>
+<ul class="compact ulBare ulEmpty toc">
+<li class="compact ulBare ulEmpty toc" id="section-toc.1-1.1.2.1">
+                <p id="section-toc.1-1.1.2.1.1" class="keepWithNext"><a href="#section-1.1" class="xref">1.1</a>.  <a href="#name-conventions-and-terminology" class="xref">Conventions and Terminology</a></p>
+</li>
+            </ul>
+</li>
+          <li class="ulBare toc compact ulEmpty" id="section-toc.1-1.2">
+            <p id="section-toc.1-1.2.1"><a href="#section-2" class="xref">2</a>.  <a href="#name-format" class="xref">Format</a></p>
+<ul class="compact ulBare ulEmpty toc">
+<li class="compact ulBare ulEmpty toc" id="section-toc.1-1.2.2.1">
+                <p id="section-toc.1-1.2.2.1.1" class="keepWithNext"><a href="#section-2.1" class="xref">2.1</a>.  <a href="#name-overview" class="xref">Overview</a></p>
+</li>
+              <li class="compact ulBare ulEmpty toc" id="section-toc.1-1.2.2.2">
+                <p id="section-toc.1-1.2.2.2.1"><a href="#section-2.2" class="xref">2.2</a>.  <a href="#name-event" class="xref">Event</a></p>
+<ul class="compact ulBare ulEmpty toc">
+<li class="compact ulBare ulEmpty toc" id="section-toc.1-1.2.2.2.2.1">
+                    <p id="section-toc.1-1.2.2.2.2.1.1"><a href="#section-2.2.1" class="xref">2.2.1</a>.  <a href="#name-event-attributes" class="xref">Event Attributes</a></p>
+</li>
+                </ul>
+</li>
+              <li class="compact ulBare ulEmpty toc" id="section-toc.1-1.2.2.3">
+                <p id="section-toc.1-1.2.2.3.1"><a href="#section-2.3" class="xref">2.3</a>.  <a href="#name-objects" class="xref">Objects</a></p>
+<ul class="compact ulBare ulEmpty toc">
+<li class="compact ulBare ulEmpty toc" id="section-toc.1-1.2.2.3.2.1">
+                    <p id="section-toc.1-1.2.2.3.2.1.1"><a href="#section-2.3.1" class="xref">2.3.1</a>.  <a href="#name-org" class="xref">Org</a></p>
+</li>
+                  <li class="compact ulBare ulEmpty toc" id="section-toc.1-1.2.2.3.2.2">
+                    <p id="section-toc.1-1.2.2.3.2.2.1"><a href="#section-2.3.2" class="xref">2.3.2</a>.  <a href="#name-orgc" class="xref">Orgc</a></p>
+</li>
+                </ul>
+</li>
+              <li class="compact ulBare ulEmpty toc" id="section-toc.1-1.2.2.4">
+                <p id="section-toc.1-1.2.2.4.1"><a href="#section-2.4" class="xref">2.4</a>.  <a href="#name-attribute" class="xref">Attribute</a></p>
+<ul class="compact ulBare ulEmpty toc">
+<li class="compact ulBare ulEmpty toc" id="section-toc.1-1.2.2.4.2.1">
+                    <p id="section-toc.1-1.2.2.4.2.1.1"><a href="#section-2.4.1" class="xref">2.4.1</a>.  <a href="#name-sample-attribute-object" class="xref">Sample Attribute Object</a></p>
+</li>
+                  <li class="compact ulBare ulEmpty toc" id="section-toc.1-1.2.2.4.2.2">
+                    <p id="section-toc.1-1.2.2.4.2.2.1"><a href="#section-2.4.2" class="xref">2.4.2</a>.  <a href="#name-attribute-attributes" class="xref">Attribute Attributes</a></p>
+</li>
+                </ul>
+</li>
+              <li class="compact ulBare ulEmpty toc" id="section-toc.1-1.2.2.5">
+                <p id="section-toc.1-1.2.2.5.1"><a href="#section-2.5" class="xref">2.5</a>.  <a href="#name-shadowattribute-2" class="xref">ShadowAttribute</a></p>
+<ul class="compact ulBare ulEmpty toc">
+<li class="compact ulBare ulEmpty toc" id="section-toc.1-1.2.2.5.2.1">
+                    <p id="section-toc.1-1.2.2.5.2.1.1"><a href="#section-2.5.1" class="xref">2.5.1</a>.  <a href="#name-sample-attribute-object-2" class="xref">Sample Attribute Object</a></p>
+</li>
+                  <li class="compact ulBare ulEmpty toc" id="section-toc.1-1.2.2.5.2.2">
+                    <p id="section-toc.1-1.2.2.5.2.2.1"><a href="#section-2.5.2" class="xref">2.5.2</a>.  <a href="#name-shadowattribute-attributes" class="xref">ShadowAttribute Attributes</a></p>
+</li>
+                  <li class="compact ulBare ulEmpty toc" id="section-toc.1-1.2.2.5.2.3">
+                    <p id="section-toc.1-1.2.2.5.2.3.1"><a href="#section-2.5.3" class="xref">2.5.3</a>.  <a href="#name-org-2" class="xref">Org</a></p>
+</li>
+                </ul>
+</li>
+              <li class="compact ulBare ulEmpty toc" id="section-toc.1-1.2.2.6">
+                <p id="section-toc.1-1.2.2.6.1"><a href="#section-2.6" class="xref">2.6</a>.  <a href="#name-object" class="xref">Object</a></p>
+<ul class="compact ulBare ulEmpty toc">
+<li class="compact ulBare ulEmpty toc" id="section-toc.1-1.2.2.6.2.1">
+                    <p id="section-toc.1-1.2.2.6.2.1.1"><a href="#section-2.6.1" class="xref">2.6.1</a>.  <a href="#name-sample-object" class="xref">Sample Object</a></p>
+</li>
+                  <li class="compact ulBare ulEmpty toc" id="section-toc.1-1.2.2.6.2.2">
+                    <p id="section-toc.1-1.2.2.6.2.2.1"><a href="#section-2.6.2" class="xref">2.6.2</a>.  <a href="#name-object-attributes" class="xref">Object Attributes</a></p>
+</li>
+                </ul>
+</li>
+              <li class="compact ulBare ulEmpty toc" id="section-toc.1-1.2.2.7">
+                <p id="section-toc.1-1.2.2.7.1"><a href="#section-2.7" class="xref">2.7</a>.  <a href="#name-object-references" class="xref">Object References</a></p>
+<ul class="compact ulBare ulEmpty toc">
+<li class="compact ulBare ulEmpty toc" id="section-toc.1-1.2.2.7.2.1">
+                    <p id="section-toc.1-1.2.2.7.2.1.1"><a href="#section-2.7.1" class="xref">2.7.1</a>.  <a href="#name-sample-objectreference-obje" class="xref">Sample ObjectReference object</a></p>
+</li>
+                  <li class="compact ulBare ulEmpty toc" id="section-toc.1-1.2.2.7.2.2">
+                    <p id="section-toc.1-1.2.2.7.2.2.1"><a href="#section-2.7.2" class="xref">2.7.2</a>.  <a href="#name-objectreference-attributes" class="xref">ObjectReference Attributes</a></p>
+</li>
+                </ul>
+</li>
+              <li class="compact ulBare ulEmpty toc" id="section-toc.1-1.2.2.8">
+                <p id="section-toc.1-1.2.2.8.1"><a href="#section-2.8" class="xref">2.8</a>.  <a href="#name-eventreport" class="xref">EventReport</a></p>
+<ul class="compact ulBare ulEmpty toc">
+<li class="compact ulBare ulEmpty toc" id="section-toc.1-1.2.2.8.2.1">
+                    <p id="section-toc.1-1.2.2.8.2.1.1"><a href="#section-2.8.1" class="xref">2.8.1</a>.  <a href="#name-id-6" class="xref">id</a></p>
+</li>
+                  <li class="compact ulBare ulEmpty toc" id="section-toc.1-1.2.2.8.2.2">
+                    <p id="section-toc.1-1.2.2.8.2.2.1"><a href="#section-2.8.2" class="xref">2.8.2</a>.  <a href="#name-uuid-6" class="xref">UUID</a></p>
+</li>
+                  <li class="compact ulBare ulEmpty toc" id="section-toc.1-1.2.2.8.2.3">
+                    <p id="section-toc.1-1.2.2.8.2.3.1"><a href="#section-2.8.3" class="xref">2.8.3</a>.  <a href="#name-event_id-5" class="xref">event_id</a></p>
+</li>
+                  <li class="compact ulBare ulEmpty toc" id="section-toc.1-1.2.2.8.2.4">
+                    <p id="section-toc.1-1.2.2.8.2.4.1"><a href="#section-2.8.4" class="xref">2.8.4</a>.  <a href="#name-name-2" class="xref">name</a></p>
+</li>
+                  <li class="compact ulBare ulEmpty toc" id="section-toc.1-1.2.2.8.2.5">
+                    <p id="section-toc.1-1.2.2.8.2.5.1"><a href="#section-2.8.5" class="xref">2.8.5</a>.  <a href="#name-content" class="xref">content</a></p>
+</li>
+                  <li class="compact ulBare ulEmpty toc" id="section-toc.1-1.2.2.8.2.6">
+                    <p id="section-toc.1-1.2.2.8.2.6.1"><a href="#section-2.8.6" class="xref">2.8.6</a>.  <a href="#name-distribution-4" class="xref">distribution</a></p>
+</li>
+                  <li class="compact ulBare ulEmpty toc" id="section-toc.1-1.2.2.8.2.7">
+                    <p id="section-toc.1-1.2.2.8.2.7.1"><a href="#section-2.8.7" class="xref">2.8.7</a>.  <a href="#name-sharing_group_id-4" class="xref">sharing_group_id</a></p>
+</li>
+                  <li class="compact ulBare ulEmpty toc" id="section-toc.1-1.2.2.8.2.8">
+                    <p id="section-toc.1-1.2.2.8.2.8.1"><a href="#section-2.8.8" class="xref">2.8.8</a>.  <a href="#name-timestamp-6" class="xref">timestamp</a></p>
+</li>
+                  <li class="compact ulBare ulEmpty toc" id="section-toc.1-1.2.2.8.2.9">
+                    <p id="section-toc.1-1.2.2.8.2.9.1"><a href="#section-2.8.9" class="xref">2.8.9</a>.  <a href="#name-deleted-5" class="xref">deleted</a></p>
+</li>
+                </ul>
+</li>
+              <li class="compact ulBare ulEmpty toc" id="section-toc.1-1.2.2.9">
+                <p id="section-toc.1-1.2.2.9.1"><a href="#section-2.9" class="xref">2.9</a>.  <a href="#name-tag" class="xref">Tag</a></p>
+<ul class="compact ulBare ulEmpty toc">
+<li class="compact ulBare ulEmpty toc" id="section-toc.1-1.2.2.9.2.1">
+                    <p id="section-toc.1-1.2.2.9.2.1.1"><a href="#section-2.9.1" class="xref">2.9.1</a>.  <a href="#name-sample-tag" class="xref">Sample Tag</a></p>
+</li>
+                </ul>
+</li>
+              <li class="compact ulBare ulEmpty toc" id="section-toc.1-1.2.2.10">
+                <p id="section-toc.1-1.2.2.10.1"><a href="#section-2.10" class="xref">2.10</a>. <a href="#name-sighting" class="xref">Sighting</a></p>
+<ul class="compact ulBare ulEmpty toc">
+<li class="compact ulBare ulEmpty toc" id="section-toc.1-1.2.2.10.2.1">
+                    <p id="section-toc.1-1.2.2.10.2.1.1"><a href="#section-2.10.1" class="xref">2.10.1</a>.  <a href="#name-sample-sighting" class="xref">Sample Sighting</a></p>
+</li>
+                </ul>
+</li>
+              <li class="compact ulBare ulEmpty toc" id="section-toc.1-1.2.2.11">
+                <p id="section-toc.1-1.2.2.11.1"><a href="#section-2.11" class="xref">2.11</a>. <a href="#name-galaxy" class="xref">Galaxy</a></p>
+<ul class="compact ulBare ulEmpty toc">
+<li class="compact ulBare ulEmpty toc" id="section-toc.1-1.2.2.11.2.1">
+                    <p id="section-toc.1-1.2.2.11.2.1.1"><a href="#section-2.11.1" class="xref">2.11.1</a>.  <a href="#name-sample-galaxy" class="xref">Sample Galaxy</a></p>
+</li>
+                </ul>
+</li>
+            </ul>
+</li>
+          <li class="ulBare toc compact ulEmpty" id="section-toc.1-1.3">
+            <p id="section-toc.1-1.3.1"><a href="#section-3" class="xref">3</a>.  <a href="#name-json-schema" class="xref">JSON Schema</a></p>
+</li>
+          <li class="ulBare toc compact ulEmpty" id="section-toc.1-1.4">
+            <p id="section-toc.1-1.4.1"><a href="#section-4" class="xref">4</a>.  <a href="#name-manifest" class="xref">Manifest</a></p>
+<ul class="compact ulBare ulEmpty toc">
+<li class="compact ulBare ulEmpty toc" id="section-toc.1-1.4.2.1">
+                <p id="section-toc.1-1.4.2.1.1"><a href="#section-4.1" class="xref">4.1</a>.  <a href="#name-format-2" class="xref">Format</a></p>
+<ul class="compact ulBare ulEmpty toc">
+<li class="compact ulBare ulEmpty toc" id="section-toc.1-1.4.2.1.2.1">
+                    <p id="section-toc.1-1.4.2.1.2.1.1"><a href="#section-4.1.1" class="xref">4.1.1</a>.  <a href="#name-sample-manifest" class="xref">Sample Manifest</a></p>
+</li>
+                </ul>
+</li>
+            </ul>
+</li>
+          <li class="ulBare toc compact ulEmpty" id="section-toc.1-1.5">
+            <p id="section-toc.1-1.5.1"><a href="#section-5" class="xref">5</a>.  <a href="#name-implementation" class="xref">Implementation</a></p>
+</li>
+          <li class="ulBare toc compact ulEmpty" id="section-toc.1-1.6">
+            <p id="section-toc.1-1.6.1"><a href="#section-6" class="xref">6</a>.  <a href="#name-security-considerations" class="xref">Security Considerations</a></p>
+</li>
+          <li class="ulBare toc compact ulEmpty" id="section-toc.1-1.7">
+            <p id="section-toc.1-1.7.1"><a href="#section-7" class="xref">7</a>.  <a href="#name-acknowledgements" class="xref">Acknowledgements</a></p>
+</li>
+          <li class="ulBare toc compact ulEmpty" id="section-toc.1-1.8">
+            <p id="section-toc.1-1.8.1"><a href="#section-8" class="xref">8</a>.  <a href="#name-references" class="xref">References</a></p>
+</li>
+          <li class="ulBare toc compact ulEmpty" id="section-toc.1-1.9">
+            <p id="section-toc.1-1.9.1"><a href="#section-9" class="xref">9</a>.  <a href="#name-normative-references" class="xref">Normative References</a></p>
+</li>
+          <li class="ulBare toc compact ulEmpty" id="section-toc.1-1.10">
+            <p id="section-toc.1-1.10.1"><a href="#section-10" class="xref">10</a>. <a href="#name-informative-references" class="xref">Informative References</a></p>
+</li>
+          <li class="ulBare toc compact ulEmpty" id="section-toc.1-1.11">
+            <p id="section-toc.1-1.11.1"><a href="#appendix-A" class="xref"></a><a href="#name-authors-addresses" class="xref">Authors' Addresses</a></p>
+</li>
+        </ul>
+</nav>
+</section>
+</div>
+<div id="introduction">
+<section id="section-1">
+      <h2 id="name-introduction">
+<a href="#section-1" class="section-number selfRef">1. </a><a href="#name-introduction" class="section-name selfRef">Introduction</a>
+      </h2>
+<p id="section-1-1">Sharing threat information became a fundamental requirements in the Internet, security and intelligence community at large. Threat
+information can include indicators of compromise, malicious file indicators, financial fraud indicators
+or even detailed information about a threat actor. MISP <span>[<a href="#MISP-P" class="xref">MISP-P</a>]</span> started as an open source project in late 2011 and
+the MISP format started to be widely used as an exchange format within the community in the past years. The aim of this document
+is to describe the specification and the MISP core format.<a href="#section-1-1" class="pilcrow">¶</a></p>
+<div id="conventions-and-terminology">
+<section id="section-1.1">
+        <h3 id="name-conventions-and-terminology">
+<a href="#section-1.1" class="section-number selfRef">1.1. </a><a href="#name-conventions-and-terminology" class="section-name selfRef">Conventions and Terminology</a>
+        </h3>
+<p id="section-1.1-1">The key words "<span class="bcp14">MUST</span>", "<span class="bcp14">MUST NOT</span>", "<span class="bcp14">REQUIRED</span>", "<span class="bcp14">SHALL</span>", "<span class="bcp14">SHALL NOT</span>",
+"<span class="bcp14">SHOULD</span>", "<span class="bcp14">SHOULD NOT</span>", "<span class="bcp14">RECOMMENDED</span>", "<span class="bcp14">MAY</span>", and "<span class="bcp14">OPTIONAL</span>" in this
+document are to be interpreted as described in RFC 2119 <span>[<a href="#RFC2119" class="xref">RFC2119</a>]</span>.<a href="#section-1.1-1" class="pilcrow">¶</a></p>
+</section>
+</div>
+</section>
+</div>
+<div id="format">
+<section id="section-2">
+      <h2 id="name-format">
+<a href="#section-2" class="section-number selfRef">2. </a><a href="#name-format" class="section-name selfRef">Format</a>
+      </h2>
+<div id="overview">
+<section id="section-2.1">
+        <h3 id="name-overview">
+<a href="#section-2.1" class="section-number selfRef">2.1. </a><a href="#name-overview" class="section-name selfRef">Overview</a>
+        </h3>
+<p id="section-2.1-1">The MISP core format is in the JSON <span>[<a href="#RFC8259" class="xref">RFC8259</a>]</span> format. In MISP, an event is composed of a single JSON object.<a href="#section-2.1-1" class="pilcrow">¶</a></p>
+<p id="section-2.1-2">A capitalized key (like Event, Org) represent a data model and a non-capitalised key is just an attribute. This nomenclature
+can support an implementation to represent the MISP format in another data structure.<a href="#section-2.1-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="event">
+<section id="section-2.2">
+        <h3 id="name-event">
+<a href="#section-2.2" class="section-number selfRef">2.2. </a><a href="#name-event" class="section-name selfRef">Event</a>
+        </h3>
+<p id="section-2.2-1">An event is a simple meta structure scheme where attributes and meta-data are embedded to compose a coherent set
+of indicators. An event can be composed from an incident, a security analysis report or a specific threat actor
+analysis. The meaning of an event only depends of the information embedded in the event.<a href="#section-2.2-1" class="pilcrow">¶</a></p>
+<div id="event-attributes">
+<section id="section-2.2.1">
+          <h4 id="name-event-attributes">
+<a href="#section-2.2.1" class="section-number selfRef">2.2.1. </a><a href="#name-event-attributes" class="section-name selfRef">Event Attributes</a>
+          </h4>
+<div id="uuid">
+<section id="section-2.2.1.1">
+            <h5 id="name-uuid">
+<a href="#section-2.2.1.1" class="section-number selfRef">2.2.1.1. </a><a href="#name-uuid" class="section-name selfRef">uuid</a>
+            </h5>
+<p id="section-2.2.1.1-1">uuid represents the Universally Unique IDentifier (UUID) <span>[<a href="#RFC4122" class="xref">RFC4122</a>]</span> of the event. The uuid <span class="bcp14">MUST</span> be preserved
+for any updates or transfer of the same event. UUID version 4 is <span class="bcp14">RECOMMENDED</span> when assigning it to a new event.<a href="#section-2.2.1.1-1" class="pilcrow">¶</a></p>
+<p id="section-2.2.1.1-2">uuid is represented as a JSON string. uuid <span class="bcp14">MUST</span> be present.<a href="#section-2.2.1.1-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="id">
+<section id="section-2.2.1.2">
+            <h5 id="name-id">
+<a href="#section-2.2.1.2" class="section-number selfRef">2.2.1.2. </a><a href="#name-id" class="section-name selfRef">id</a>
+            </h5>
+<p id="section-2.2.1.2-1">id represents the human-readable identifier associated to the event for a specific MISP instance.  A human-readable identifier <span class="bcp14">MUST</span> be
+represented as an unsigned integer.<a href="#section-2.2.1.2-1" class="pilcrow">¶</a></p>
+<p id="section-2.2.1.2-2">id is represented as a JSON string. id <span class="bcp14">SHALL</span> be present.<a href="#section-2.2.1.2-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="published">
+<section id="section-2.2.1.3">
+            <h5 id="name-published">
+<a href="#section-2.2.1.3" class="section-number selfRef">2.2.1.3. </a><a href="#name-published" class="section-name selfRef">published</a>
+            </h5>
+<p id="section-2.2.1.3-1">published represents the event publication state. If the event was published, the published value <span class="bcp14">MUST</span> be true.
+In any other publication state, the published value <span class="bcp14">MUST</span> be false.<a href="#section-2.2.1.3-1" class="pilcrow">¶</a></p>
+<p id="section-2.2.1.3-2">published is represented as a JSON boolean. published <span class="bcp14">MUST</span> be present.<a href="#section-2.2.1.3-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="info">
+<section id="section-2.2.1.4">
+            <h5 id="name-info">
+<a href="#section-2.2.1.4" class="section-number selfRef">2.2.1.4. </a><a href="#name-info" class="section-name selfRef">info</a>
+            </h5>
+<p id="section-2.2.1.4-1">info represents the information field of the event. info is a free-text value to provide a human-readable summary
+of the event. info <span class="bcp14">SHOULD</span> NOT be bigger than 256 characters and <span class="bcp14">SHOULD</span> NOT include new-lines.<a href="#section-2.2.1.4-1" class="pilcrow">¶</a></p>
+<p id="section-2.2.1.4-2">info is represented as a JSON string. info <span class="bcp14">MUST</span> be present.<a href="#section-2.2.1.4-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="threat-level-id">
+<section id="section-2.2.1.5">
+            <h5 id="name-threat_level_id">
+<a href="#section-2.2.1.5" class="section-number selfRef">2.2.1.5. </a><a href="#name-threat_level_id" class="section-name selfRef">threat_level_id</a>
+            </h5>
+<p id="section-2.2.1.5-1">threat<em>level</em>id represents the threat level.<a href="#section-2.2.1.5-1" class="pilcrow">¶</a></p>
+<span class="break"></span><dl class="dlParallel" id="section-2.2.1.5-2">
+              <dt id="section-2.2.1.5-2.1">4:</dt>
+              <dd style="margin-left: 1.5em" id="section-2.2.1.5-2.2">Undefined<a href="#section-2.2.1.5-2.2" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.2.1.5-2.3">3:</dt>
+              <dd style="margin-left: 1.5em" id="section-2.2.1.5-2.4">Low<a href="#section-2.2.1.5-2.4" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.2.1.5-2.5">2:</dt>
+              <dd style="margin-left: 1.5em" id="section-2.2.1.5-2.6">Medium<a href="#section-2.2.1.5-2.6" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.2.1.5-2.7">1:</dt>
+              <dd style="margin-left: 1.5em" id="section-2.2.1.5-2.8">High<a href="#section-2.2.1.5-2.8" class="pilcrow">¶</a>
+</dd>
+            <dd class="break"></dd>
 </dl>
-
-<p> </p>
-<p id="rfc.section.2.2.1.6.p.3">If a higher granularity is required, a MISP taxonomy applied as a Tag SHOULD be preferred.</p>
-<p id="rfc.section.2.2.1.6.p.4">analysis is represented as a JSON string. analysis SHALL be present.</p>
-<h1 id="rfc.section.2.2.1.7">
-<a href="#rfc.section.2.2.1.7">2.2.1.7.</a> <a href="#date" id="date">date</a>
-</h1>
-<p id="rfc.section.2.2.1.7.p.1">date represents a reference date to the event in ISO 8601 format (date only: YYYY-MM-DD). This date corresponds to the date the event occurred, which may be in the past.</p>
-<p id="rfc.section.2.2.1.7.p.2">date is represented as a JSON string. date MUST be present.</p>
-<h1 id="rfc.section.2.2.1.8">
-<a href="#rfc.section.2.2.1.8">2.2.1.8.</a> <a href="#timestamp" id="timestamp">timestamp</a>
-</h1>
-<p id="rfc.section.2.2.1.8.p.1">timestamp represents a reference time when the event, or one of the attributes within the event was created, or last updated/edited on the instance. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone MUST be UTC.</p>
-<p id="rfc.section.2.2.1.8.p.2">timestamp is represented as a JSON string. timestamp MUST be present.</p>
-<h1 id="rfc.section.2.2.1.9">
-<a href="#rfc.section.2.2.1.9">2.2.1.9.</a> <a href="#publish-timestamp" id="publish-timestamp">publish_timestamp</a>
-</h1>
-<p id="rfc.section.2.2.1.9.p.1">publish<em>timestamp represents a reference time when the event was published on the instance. published</em>timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). At each publication of an event, publish<em>timestamp MUST be updated. The time zone MUST be UTC. If the published</em>timestamp is present and the published flag is set to false, the publish<em>timestamp represents the previous publication timestamp. If the event was never published, the published</em>timestamp MUST be set to 0.</p>
-<p id="rfc.section.2.2.1.9.p.2">publish<em>timestamp is represented as a JSON string. publish</em>timestamp MUST be present.</p>
-<h1 id="rfc.section.2.2.1.10">
-<a href="#rfc.section.2.2.1.10">2.2.1.10.</a> <a href="#org-id" id="org-id">org_id</a>
-</h1>
-<p id="rfc.section.2.2.1.10.p.1">org_id represents a human-readable identifier referencing an Org object of the organisation which generated the event. A human-readable identifier MUST be represented as an unsigned integer.</p>
-<p id="rfc.section.2.2.1.10.p.2">The org_id MUST be updated when the event is generated by a new instance.</p>
-<p id="rfc.section.2.2.1.10.p.3">org<em>id is represented as a JSON string. org</em>id MUST be present.</p>
-<h1 id="rfc.section.2.2.1.11">
-<a href="#rfc.section.2.2.1.11">2.2.1.11.</a> <a href="#orgc-id" id="orgc-id">orgc_id</a>
-</h1>
-<p id="rfc.section.2.2.1.11.p.1">orgc_id represents a human-readable identifier referencing an Orgc object of the organisation which created the event.</p>
-<p id="rfc.section.2.2.1.11.p.2">The orgc_id and Org object MUST be preserved for any updates or transfer of the same event.</p>
-<p id="rfc.section.2.2.1.11.p.3">orgc<em>id is represented as a JSON string. orgc</em>id MUST be present.</p>
-<h1 id="rfc.section.2.2.1.12">
-<a href="#rfc.section.2.2.1.12">2.2.1.12.</a> <a href="#attribute-count" id="attribute-count">attribute_count</a>
-</h1>
-<p id="rfc.section.2.2.1.12.p.1">attribute<em>count represents the number of attributes in the event. attribute</em>count is expressed in decimal.</p>
-<p id="rfc.section.2.2.1.12.p.2">attribute<em>count is represented as a JSON string. attribute</em>count SHALL be present.</p>
-<h1 id="rfc.section.2.2.1.13">
-<a href="#rfc.section.2.2.1.13">2.2.1.13.</a> <a href="#distribution" id="distribution">distribution</a>
-</h1>
-<p id="rfc.section.2.2.1.13.p.1">distribution represents the basic distribution rules of the event. The system must adhere to the distribution setting for access control and for dissemination of the event.</p>
-<p id="rfc.section.2.2.1.13.p.2">distribution is represented by a JSON string. distribution MUST be present and be one of the following options:</p>
-<p></p>
-
-<dl>
-<dt>0</dt>
-<dd style="margin-left: 8">
-<br>Your Organisation Only</dd>
-<dt>1</dt>
-<dd style="margin-left: 8">
-<br>This Community Only</dd>
-<dt>2</dt>
-<dd style="margin-left: 8">
-<br>Connected Communities</dd>
-<dt>3</dt>
-<dd style="margin-left: 8">
-<br>All Communities</dd>
-<dt>4</dt>
-<dd style="margin-left: 8">
-<br>Sharing Group</dd>
+<p id="section-2.2.1.5-3">If a higher granularity is required, a MISP taxonomy applied as a Tag <span class="bcp14">SHOULD</span> be preferred.<a href="#section-2.2.1.5-3" class="pilcrow">¶</a></p>
+<p id="section-2.2.1.5-4">threat<em>level</em>id is represented as a JSON string. threat<em>level</em>id <span class="bcp14">SHALL</span> be present.<a href="#section-2.2.1.5-4" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="analysis">
+<section id="section-2.2.1.6">
+            <h5 id="name-analysis">
+<a href="#section-2.2.1.6" class="section-number selfRef">2.2.1.6. </a><a href="#name-analysis" class="section-name selfRef">analysis</a>
+            </h5>
+<p id="section-2.2.1.6-1">analysis represents the analysis level.<a href="#section-2.2.1.6-1" class="pilcrow">¶</a></p>
+<span class="break"></span><dl class="dlParallel" id="section-2.2.1.6-2">
+              <dt id="section-2.2.1.6-2.1">0:</dt>
+              <dd style="margin-left: 1.5em" id="section-2.2.1.6-2.2">Initial<a href="#section-2.2.1.6-2.2" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.2.1.6-2.3">1:</dt>
+              <dd style="margin-left: 1.5em" id="section-2.2.1.6-2.4">Ongoing<a href="#section-2.2.1.6-2.4" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.2.1.6-2.5">2:</dt>
+              <dd style="margin-left: 1.5em" id="section-2.2.1.6-2.6">Complete<a href="#section-2.2.1.6-2.6" class="pilcrow">¶</a>
+</dd>
+            <dd class="break"></dd>
 </dl>
-
-<p> </p>
-<h1 id="rfc.section.2.2.1.14">
-<a href="#rfc.section.2.2.1.14">2.2.1.14.</a> <a href="#sharing-group-id" id="sharing-group-id">sharing_group_id</a>
-</h1>
-<p id="rfc.section.2.2.1.14.p.1">sharing_group_id represents a human-readable identifier referencing a Sharing Group object that defines the distribution of the event, if distribution level "4" is set. A human-readable identifier MUST be represented as an unsigned integer.</p>
-<p id="rfc.section.2.2.1.14.p.2">sharing_group_id is represented by a JSON string and SHOULD be present. If a distribution level other than "4" is chosen the sharing_group_id MUST be set to "0".</p>
-<h1 id="rfc.section.2.2.1.15">
-<a href="#rfc.section.2.2.1.15">2.2.1.15.</a> <a href="#extends-uuid" id="extends-uuid">extends_uuid</a>
-</h1>
-<p id="rfc.section.2.2.1.15.p.1">extends_uuid represents which event is extended by this event. The extends_uuid is described as a Universally Unique IDentifier (UUID) <a href="#RFC4122" class="xref">[RFC4122]</a> with the UUID of the extended event.</p>
-<p id="rfc.section.2.2.1.15.p.2">extends_uuid is represented as a JSON string. extends_uuid SHOULD be present.</p>
-<h1 id="rfc.section.2.3">
-<a href="#rfc.section.2.3">2.3.</a> <a href="#objects" id="objects">Objects</a>
-</h1>
-<h1 id="rfc.section.2.3.1">
-<a href="#rfc.section.2.3.1">2.3.1.</a> <a href="#org" id="org">Org</a>
-</h1>
-<p id="rfc.section.2.3.1.p.1">An Org object is composed of an uuid, name and id.</p>
-<p id="rfc.section.2.3.1.p.2">The uuid represents the Universally Unique IDentifier (UUID) <a href="#RFC4122" class="xref">[RFC4122]</a> of the organisation.  The organisation UUID is globally assigned to an organisation and SHALL be kept overtime.</p>
-<p id="rfc.section.2.3.1.p.3">The name is a readable description of the organisation and SHOULD be present.  The id is a human-readable identifier generated by the instance and used as reference in the event.  A human-readable identifier MUST be represented as an unsigned integer.</p>
-<p id="rfc.section.2.3.1.p.4">uuid, name and id are represented as a JSON string. uuid, name and id MUST be present.</p>
-<h1 id="rfc.section.2.3.1.1">
-<a href="#rfc.section.2.3.1.1">2.3.1.1.</a> <a href="#sample-org-object" id="sample-org-object">Sample Org Object</a>
-</h1>
+<p id="section-2.2.1.6-3">If a higher granularity is required, a MISP taxonomy applied as a Tag <span class="bcp14">SHOULD</span> be preferred.<a href="#section-2.2.1.6-3" class="pilcrow">¶</a></p>
+<p id="section-2.2.1.6-4">analysis is represented as a JSON string. analysis <span class="bcp14">SHALL</span> be present.<a href="#section-2.2.1.6-4" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="date">
+<section id="section-2.2.1.7">
+            <h5 id="name-date">
+<a href="#section-2.2.1.7" class="section-number selfRef">2.2.1.7. </a><a href="#name-date" class="section-name selfRef">date</a>
+            </h5>
+<p id="section-2.2.1.7-1">date represents a reference date to the event in ISO 8601 format (date only: YYYY-MM-DD). This date corresponds to the date the event occurred, which may be in the past.<a href="#section-2.2.1.7-1" class="pilcrow">¶</a></p>
+<p id="section-2.2.1.7-2">date is represented as a JSON string. date <span class="bcp14">MUST</span> be present.<a href="#section-2.2.1.7-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="timestamp">
+<section id="section-2.2.1.8">
+            <h5 id="name-timestamp">
+<a href="#section-2.2.1.8" class="section-number selfRef">2.2.1.8. </a><a href="#name-timestamp" class="section-name selfRef">timestamp</a>
+            </h5>
+<p id="section-2.2.1.8-1">timestamp represents a reference time when the event, or one of the attributes within the event was created, or last updated/edited on the instance. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone <span class="bcp14">MUST</span> be UTC.<a href="#section-2.2.1.8-1" class="pilcrow">¶</a></p>
+<p id="section-2.2.1.8-2">timestamp is represented as a JSON string. timestamp <span class="bcp14">MUST</span> be present.<a href="#section-2.2.1.8-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="publish-timestamp">
+<section id="section-2.2.1.9">
+            <h5 id="name-publish_timestamp">
+<a href="#section-2.2.1.9" class="section-number selfRef">2.2.1.9. </a><a href="#name-publish_timestamp" class="section-name selfRef">publish_timestamp</a>
+            </h5>
+<p id="section-2.2.1.9-1">publish<em>timestamp represents a reference time when the event was published on the instance. published</em>timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). At each publication of an event, publish<em>timestamp <span class="bcp14">MUST</span> be updated. The time zone <span class="bcp14">MUST</span> be UTC. If the published</em>timestamp is present and the published flag is set to false, the publish<em>timestamp represents the previous publication timestamp. If the event was never published, the published</em>timestamp <span class="bcp14">MUST</span> be set to 0.<a href="#section-2.2.1.9-1" class="pilcrow">¶</a></p>
+<p id="section-2.2.1.9-2">publish<em>timestamp is represented as a JSON string. publish</em>timestamp <span class="bcp14">MUST</span> be present.<a href="#section-2.2.1.9-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="org-id">
+<section id="section-2.2.1.10">
+            <h5 id="name-org_id">
+<a href="#section-2.2.1.10" class="section-number selfRef">2.2.1.10. </a><a href="#name-org_id" class="section-name selfRef">org_id</a>
+            </h5>
+<p id="section-2.2.1.10-1">org_id represents a human-readable identifier referencing an Org object of the organisation which generated the event. A human-readable identifier <span class="bcp14">MUST</span> be
+represented as an unsigned integer.<a href="#section-2.2.1.10-1" class="pilcrow">¶</a></p>
+<p id="section-2.2.1.10-2">The org_id <span class="bcp14">MUST</span> be updated when the event is generated by a new instance.<a href="#section-2.2.1.10-2" class="pilcrow">¶</a></p>
+<p id="section-2.2.1.10-3">org<em>id is represented as a JSON string. org</em>id <span class="bcp14">MUST</span> be present.<a href="#section-2.2.1.10-3" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="orgc-id">
+<section id="section-2.2.1.11">
+            <h5 id="name-orgc_id">
+<a href="#section-2.2.1.11" class="section-number selfRef">2.2.1.11. </a><a href="#name-orgc_id" class="section-name selfRef">orgc_id</a>
+            </h5>
+<p id="section-2.2.1.11-1">orgc_id represents a human-readable identifier referencing an Orgc object of the organisation which created the event.<a href="#section-2.2.1.11-1" class="pilcrow">¶</a></p>
+<p id="section-2.2.1.11-2">The orgc_id and Org object <span class="bcp14">MUST</span> be preserved for any updates or transfer of the same event.<a href="#section-2.2.1.11-2" class="pilcrow">¶</a></p>
+<p id="section-2.2.1.11-3">orgc<em>id is represented as a JSON string. orgc</em>id <span class="bcp14">MUST</span> be present.<a href="#section-2.2.1.11-3" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="attribute-count">
+<section id="section-2.2.1.12">
+            <h5 id="name-attribute_count">
+<a href="#section-2.2.1.12" class="section-number selfRef">2.2.1.12. </a><a href="#name-attribute_count" class="section-name selfRef">attribute_count</a>
+            </h5>
+<p id="section-2.2.1.12-1">attribute<em>count represents the number of attributes in the event. attribute</em>count is expressed in decimal.<a href="#section-2.2.1.12-1" class="pilcrow">¶</a></p>
+<p id="section-2.2.1.12-2">attribute<em>count is represented as a JSON string. attribute</em>count <span class="bcp14">SHALL</span> be present.<a href="#section-2.2.1.12-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="distribution">
+<section id="section-2.2.1.13">
+            <h5 id="name-distribution">
+<a href="#section-2.2.1.13" class="section-number selfRef">2.2.1.13. </a><a href="#name-distribution" class="section-name selfRef">distribution</a>
+            </h5>
+<p id="section-2.2.1.13-1">distribution represents the basic distribution rules of the event. The system must adhere to the distribution setting for access control and for dissemination of the event.<a href="#section-2.2.1.13-1" class="pilcrow">¶</a></p>
+<p id="section-2.2.1.13-2">distribution is represented by a JSON string. distribution <span class="bcp14">MUST</span> be present and be one of the following options:<a href="#section-2.2.1.13-2" class="pilcrow">¶</a></p>
+<span class="break"></span><dl class="dlParallel" id="section-2.2.1.13-3">
+              <dt id="section-2.2.1.13-3.1">0</dt>
+              <dd style="margin-left: 1.5em" id="section-2.2.1.13-3.2">Your Organisation Only<a href="#section-2.2.1.13-3.2" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.2.1.13-3.3">1</dt>
+              <dd style="margin-left: 1.5em" id="section-2.2.1.13-3.4">This Community Only<a href="#section-2.2.1.13-3.4" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.2.1.13-3.5">2</dt>
+              <dd style="margin-left: 1.5em" id="section-2.2.1.13-3.6">Connected Communities<a href="#section-2.2.1.13-3.6" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.2.1.13-3.7">3</dt>
+              <dd style="margin-left: 1.5em" id="section-2.2.1.13-3.8">All Communities<a href="#section-2.2.1.13-3.8" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.2.1.13-3.9">4</dt>
+              <dd style="margin-left: 1.5em" id="section-2.2.1.13-3.10">Sharing Group<a href="#section-2.2.1.13-3.10" class="pilcrow">¶</a>
+</dd>
+            <dd class="break"></dd>
+</dl>
+</section>
+</div>
+<div id="sharing-group-id">
+<section id="section-2.2.1.14">
+            <h5 id="name-sharing_group_id">
+<a href="#section-2.2.1.14" class="section-number selfRef">2.2.1.14. </a><a href="#name-sharing_group_id" class="section-name selfRef">sharing_group_id</a>
+            </h5>
+<p id="section-2.2.1.14-1">sharing_group_id represents a human-readable identifier referencing a Sharing Group object that defines the distribution of the event, if distribution level "4" is set. A human-readable identifier <span class="bcp14">MUST</span> be represented as an unsigned integer.<a href="#section-2.2.1.14-1" class="pilcrow">¶</a></p>
+<p id="section-2.2.1.14-2">sharing_group_id is represented by a JSON string and <span class="bcp14">SHOULD</span> be present. If a distribution level other than "4" is chosen the sharing_group_id <span class="bcp14">MUST</span> be set to "0".<a href="#section-2.2.1.14-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="extends-uuid">
+<section id="section-2.2.1.15">
+            <h5 id="name-extends_uuid">
+<a href="#section-2.2.1.15" class="section-number selfRef">2.2.1.15. </a><a href="#name-extends_uuid" class="section-name selfRef">extends_uuid</a>
+            </h5>
+<p id="section-2.2.1.15-1">extends_uuid represents which event is extended by this event. The extends_uuid is described as a Universally Unique IDentifier (UUID) <span>[<a href="#RFC4122" class="xref">RFC4122</a>]</span> with the UUID of the extended event.<a href="#section-2.2.1.15-1" class="pilcrow">¶</a></p>
+<p id="section-2.2.1.15-2">extends_uuid is represented as a JSON string. extends_uuid <span class="bcp14">SHOULD</span> be present.<a href="#section-2.2.1.15-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+</section>
+</div>
+</section>
+</div>
+<div id="objects">
+<section id="section-2.3">
+        <h3 id="name-objects">
+<a href="#section-2.3" class="section-number selfRef">2.3. </a><a href="#name-objects" class="section-name selfRef">Objects</a>
+        </h3>
+<div id="org">
+<section id="section-2.3.1">
+          <h4 id="name-org">
+<a href="#section-2.3.1" class="section-number selfRef">2.3.1. </a><a href="#name-org" class="section-name selfRef">Org</a>
+          </h4>
+<p id="section-2.3.1-1">An Org object is composed of an uuid, name and id.<a href="#section-2.3.1-1" class="pilcrow">¶</a></p>
+<p id="section-2.3.1-2">The uuid represents the Universally Unique IDentifier (UUID) <span>[<a href="#RFC4122" class="xref">RFC4122</a>]</span> of the organisation.
+The organisation UUID is globally assigned to an organisation and <span class="bcp14">SHALL</span> be kept overtime.<a href="#section-2.3.1-2" class="pilcrow">¶</a></p>
+<p id="section-2.3.1-3">The name is a readable description of the organisation and <span class="bcp14">SHOULD</span> be present.
+The id is a human-readable identifier generated by the instance and used as reference in the event.
+A human-readable identifier <span class="bcp14">MUST</span> be represented as an unsigned integer.<a href="#section-2.3.1-3" class="pilcrow">¶</a></p>
+<p id="section-2.3.1-4">uuid, name and id are represented as a JSON string. uuid, name and id <span class="bcp14">MUST</span> be present.<a href="#section-2.3.1-4" class="pilcrow">¶</a></p>
+<div id="sample-org-object">
+<section id="section-2.3.1.1">
+            <h5 id="name-sample-org-object">
+<a href="#section-2.3.1.1" class="section-number selfRef">2.3.1.1. </a><a href="#name-sample-org-object" class="section-name selfRef">Sample Org Object</a>
+            </h5>
+<div class="artwork art-text alignLeft" id="section-2.3.1.1-1">
 <pre>"Org": {
         "id": "2",
         "name": "CIRCL",
         "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
        }
-</pre>
-<h1 id="rfc.section.2.3.2">
-<a href="#rfc.section.2.3.2">2.3.2.</a> <a href="#orgc" id="orgc">Orgc</a>
-</h1>
-<p id="rfc.section.2.3.2.p.1">An Orgc object is composed of an uuid, name and id.</p>
-<p id="rfc.section.2.3.2.p.2">The uuid MUST be preserved for any updates or transfer of the same event. UUID version 4 is RECOMMENDED when assigning it to a new event.  The organisation UUID is globally assigned to an organisation and SHALL be kept overtime.</p>
-<p id="rfc.section.2.3.2.p.3">The name is a readable description of the organisation and SHOULD be present.  The id is a human-readable identifier generated by the instance and used as reference in the event.  A human-readable identifier MUST be represented as an unsigned integer.</p>
-<p id="rfc.section.2.3.2.p.4">uuid, name and id are represented as a JSON string. uuid, name and id MUST be present.</p>
-<h1 id="rfc.section.2.4">
-<a href="#rfc.section.2.4">2.4.</a> <a href="#attribute" id="attribute">Attribute</a>
-</h1>
-<p id="rfc.section.2.4.p.1">Attributes are used to describe the indicators and contextual data of an event. The main information contained in an attribute is made up of a category-type-value triplet, where the category and type give meaning and context to the value. Through the various category-type combinations a wide range of information can be conveyed.</p>
-<p id="rfc.section.2.4.p.2">A MISP document MUST at least includes category-type-value triplet described in section "Attribute Attributes".</p>
-<h1 id="rfc.section.2.4.1">
-<a href="#rfc.section.2.4.1">2.4.1.</a> <a href="#sample-attribute-object" id="sample-attribute-object">Sample Attribute Object</a>
-</h1>
+</pre><a href="#section-2.3.1.1-1" class="pilcrow">¶</a>
+</div>
+</section>
+</div>
+</section>
+</div>
+<div id="orgc">
+<section id="section-2.3.2">
+          <h4 id="name-orgc">
+<a href="#section-2.3.2" class="section-number selfRef">2.3.2. </a><a href="#name-orgc" class="section-name selfRef">Orgc</a>
+          </h4>
+<p id="section-2.3.2-1">An Orgc object is composed of an uuid, name and id.<a href="#section-2.3.2-1" class="pilcrow">¶</a></p>
+<p id="section-2.3.2-2">The uuid <span class="bcp14">MUST</span> be preserved for any updates or transfer of the same event. UUID version 4 is <span class="bcp14">RECOMMENDED</span> when assigning it to a new event.
+The organisation UUID is globally assigned to an organisation and <span class="bcp14">SHALL</span> be kept overtime.<a href="#section-2.3.2-2" class="pilcrow">¶</a></p>
+<p id="section-2.3.2-3">The name is a readable description of the organisation and <span class="bcp14">SHOULD</span> be present.
+The id is a human-readable identifier generated by the instance and used as reference in the event.
+A human-readable identifier <span class="bcp14">MUST</span> be represented as an unsigned integer.<a href="#section-2.3.2-3" class="pilcrow">¶</a></p>
+<p id="section-2.3.2-4">uuid, name and id are represented as a JSON string. uuid, name and id <span class="bcp14">MUST</span> be present.<a href="#section-2.3.2-4" class="pilcrow">¶</a></p>
+</section>
+</div>
+</section>
+</div>
+<div id="attribute">
+<section id="section-2.4">
+        <h3 id="name-attribute">
+<a href="#section-2.4" class="section-number selfRef">2.4. </a><a href="#name-attribute" class="section-name selfRef">Attribute</a>
+        </h3>
+<p id="section-2.4-1">Attributes are used to describe the indicators and contextual data of an event. The main information contained in an attribute is made up of a category-type-value triplet,
+where the category and type give meaning and context to the value. Through the various category-type combinations a wide range of information can be conveyed.<a href="#section-2.4-1" class="pilcrow">¶</a></p>
+<p id="section-2.4-2">A MISP document <span class="bcp14">MUST</span> at least includes category-type-value triplet described in section "Attribute Attributes".<a href="#section-2.4-2" class="pilcrow">¶</a></p>
+<div id="sample-attribute-object">
+<section id="section-2.4.1">
+          <h4 id="name-sample-attribute-object">
+<a href="#section-2.4.1" class="section-number selfRef">2.4.1. </a><a href="#name-sample-attribute-object" class="section-name selfRef">Sample Attribute Object</a>
+          </h4>
+<div class="artwork art-text alignLeft" id="section-2.4.1-1">
 <pre>"Attribute": {
               "id": "346056",
               "type": "comment",
@@ -795,183 +1789,284 @@
               "first_seen": "2019-06-02T22:14:28.711954+00:00",
               "last_seen": null
              }
-</pre>
-<h1 id="rfc.section.2.4.2">
-<a href="#rfc.section.2.4.2">2.4.2.</a> <a href="#attribute-attributes" id="attribute-attributes">Attribute Attributes</a>
-</h1>
-<h1 id="rfc.section.2.4.2.1">
-<a href="#rfc.section.2.4.2.1">2.4.2.1.</a> <a href="#uuid-1" id="uuid-1">uuid</a>
-</h1>
-<p id="rfc.section.2.4.2.1.p.1">uuid represents the Universally Unique IDentifier (UUID) <a href="#RFC4122" class="xref">[RFC4122]</a> of the event. The uuid MUST be preserved for any updates or transfer of the same event. UUID version 4 is RECOMMENDED when assigning it to a new event.</p>
-<p id="rfc.section.2.4.2.1.p.2">uuid is represented as a JSON string. uuid MUST be present.</p>
-<h1 id="rfc.section.2.4.2.2">
-<a href="#rfc.section.2.4.2.2">2.4.2.2.</a> <a href="#id-1" id="id-1">id</a>
-</h1>
-<p id="rfc.section.2.4.2.2.p.1">id represents the human-readable identifier associated to the event for a specific MISP instance. A human-readable identifier MUST be represented as an unsigned integer.</p>
-<p id="rfc.section.2.4.2.2.p.2">id is represented as a JSON string. id SHALL be present.</p>
-<h1 id="rfc.section.2.4.2.3">
-<a href="#rfc.section.2.4.2.3">2.4.2.3.</a> <a href="#type" id="type">type</a>
-</h1>
-<p id="rfc.section.2.4.2.3.p.1">type represents the means through which an attribute tries to describe the intent of the attribute creator, using a list of pre-defined attribute types.</p>
-<p id="rfc.section.2.4.2.3.p.2">type is represented as a JSON string. type MUST be present and it MUST be a valid selection for the chosen category. The list of valid category-type combinations is as follows:</p>
-<p></p>
-
-<dl>
-<dt>Antivirus detection</dt>
-<dd style="margin-left: 8">
-<br>link, comment, text, hex, attachment, other, anonymised</dd>
-<dt>Artifacts dropped</dt>
-<dd style="margin-left: 8">
-<br>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, filename-pattern, pdb, stix2-pattern, yara, sigma, attachment, malware-sample, named pipe, mutex, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene, kusto-query, mime-type, anonymised, pgp-public-key, pgp-private-key</dd>
-<dt>Attribution</dt>
-<dd style="margin-left: 8">
-<br>threat-actor, campaign-name, campaign-id, whois-registrant-phone, whois-registrant-email, whois-registrant-name, whois-registrant-org, whois-registrar, whois-creation-date, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, dns-soa-email, anonymised, email</dd>
-<dt>External analysis</dt>
-<dd style="margin-left: 8">
-<br>md5, sha1, sha256, sha3-224, sha3-256, sha3-384, sha3-512, filename, filename|md5, filename|sha1, filename|sha256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, ip-src, ip-dst, ip-dst|port, ip-src|port, mac-address, mac-eui-64, hostname, domain, domain|ip, url, user-agent, regkey, regkey|value, AS, snort, bro, zeek, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, vulnerability, cpe, weakness, attachment, malware-sample, link, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, github-repository, other, cortex, anonymised, community-id</dd>
-<dt>Financial fraud</dt>
-<dd style="margin-left: 8">
-<br>btc, dash, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, phone-number, comment, text, other, hex, anonymised</dd>
-<dt>Internal reference</dt>
-<dd style="margin-left: 8">
-<br>text, link, comment, other, hex, anonymised, git-commit-id</dd>
-<dt>Network activity</dt>
-<dd style="margin-left: 8">
-<br>ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email, email-dst, email-src, eppn, url, uri, user-agent, http-method, AS, snort, pattern-in-file, filename-pattern, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised, community-id, email-subject</dd>
-<dt>Other</dt>
-<dd style="margin-left: 8">
-<br>comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean, anonymised, pgp-public-key, pgp-private-key</dd>
-<dt>Payload delivery</dt>
-<dd style="margin-left: 8">
-<br>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, filename-pattern, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised</dd>
-<dt>Payload installation</dt>
-<dd style="margin-left: 8">
-<br>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma, vulnerability, cpe, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, chrome-extension-id, other, mime-type, anonymised</dd>
-<dt>Payload type</dt>
-<dd style="margin-left: 8">
-<br>comment, text, other, anonymised</dd>
-<dt>Persistence mechanism</dt>
-<dd style="margin-left: 8">
-<br>filename, regkey, regkey|value, comment, text, other, hex, anonymised</dd>
-<dt>Person</dt>
-<dd style="margin-left: 8">
-<br>first-name, middle-name, last-name, date-of-birth, place-of-birth, gender, passport-number, passport-country, passport-expiration, redress-number, nationality, visa-number, issue-date-of-the-visa, primary-residence, country-of-residence, special-service-request, frequent-flyer-number, travel-details, payment-details, place-port-of-original-embarkation, place-port-of-clearance, place-port-of-onward-foreign-destination, passenger-name-record-locator-number, comment, text, other, phone-number, identity-card-number, anonymised, email, pgp-public-key, pgp-private-key</dd>
-<dt>Social network</dt>
-<dd style="margin-left: 8">
-<br>github-username, github-repository, github-organisation, jabber-id, twitter-id, email, email-src, email-dst, eppn, comment, text, other, whois-registrant-email, anonymised, pgp-public-key, pgp-private-key</dd>
-<dt>Support Tool</dt>
-<dd style="margin-left: 8">
-<br>link, text, attachment, comment, other, hex, anonymised</dd>
-<dt>Targeting data</dt>
-<dd style="margin-left: 8">
-<br>target-user, target-email, target-machine, target-org, target-location, target-external, comment, anonymised</dd>
+</pre><a href="#section-2.4.1-1" class="pilcrow">¶</a>
+</div>
+</section>
+</div>
+<div id="attribute-attributes">
+<section id="section-2.4.2">
+          <h4 id="name-attribute-attributes">
+<a href="#section-2.4.2" class="section-number selfRef">2.4.2. </a><a href="#name-attribute-attributes" class="section-name selfRef">Attribute Attributes</a>
+          </h4>
+<div id="uuid-1">
+<section id="section-2.4.2.1">
+            <h5 id="name-uuid-2">
+<a href="#section-2.4.2.1" class="section-number selfRef">2.4.2.1. </a><a href="#name-uuid-2" class="section-name selfRef">uuid</a>
+            </h5>
+<p id="section-2.4.2.1-1">uuid represents the Universally Unique IDentifier (UUID) <span>[<a href="#RFC4122" class="xref">RFC4122</a>]</span> of the event. The uuid <span class="bcp14">MUST</span> be preserved
+for any updates or transfer of the same event. UUID version 4 is <span class="bcp14">RECOMMENDED</span> when assigning it to a new event.<a href="#section-2.4.2.1-1" class="pilcrow">¶</a></p>
+<p id="section-2.4.2.1-2">uuid is represented as a JSON string. uuid <span class="bcp14">MUST</span> be present.<a href="#section-2.4.2.1-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="id-1">
+<section id="section-2.4.2.2">
+            <h5 id="name-id-2">
+<a href="#section-2.4.2.2" class="section-number selfRef">2.4.2.2. </a><a href="#name-id-2" class="section-name selfRef">id</a>
+            </h5>
+<p id="section-2.4.2.2-1">id represents the human-readable identifier associated to the event for a specific MISP instance. A human-readable identifier <span class="bcp14">MUST</span> be
+represented as an unsigned integer.<a href="#section-2.4.2.2-1" class="pilcrow">¶</a></p>
+<p id="section-2.4.2.2-2">id is represented as a JSON string. id <span class="bcp14">SHALL</span> be present.<a href="#section-2.4.2.2-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="type">
+<section id="section-2.4.2.3">
+            <h5 id="name-type">
+<a href="#section-2.4.2.3" class="section-number selfRef">2.4.2.3. </a><a href="#name-type" class="section-name selfRef">type</a>
+            </h5>
+<p id="section-2.4.2.3-1">type represents the means through which an attribute tries to describe the intent of the attribute creator, using a list of pre-defined attribute types.<a href="#section-2.4.2.3-1" class="pilcrow">¶</a></p>
+<p id="section-2.4.2.3-2">type is represented as a JSON string. type <span class="bcp14">MUST</span> be present and it <span class="bcp14">MUST</span> be a valid selection for the chosen category. The list of valid category-type combinations is as follows:<a href="#section-2.4.2.3-2" class="pilcrow">¶</a></p>
+<span class="break"></span><dl class="dlParallel" id="section-2.4.2.3-3">
+              <dt id="section-2.4.2.3-3.1">Antivirus detection</dt>
+              <dd style="margin-left: 1.5em" id="section-2.4.2.3-3.2">link, comment, text, hex, attachment, other, anonymised<a href="#section-2.4.2.3-3.2" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.4.2.3-3.3">Artifacts dropped</dt>
+              <dd style="margin-left: 1.5em" id="section-2.4.2.3-3.4">md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, filename-pattern, pdb, stix2-pattern, yara, sigma, attachment, malware-sample, named pipe, mutex, process-state, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene, kusto-query, mime-type, anonymised, pgp-public-key, pgp-private-key<a href="#section-2.4.2.3-3.4" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.4.2.3-3.5">Attribution</dt>
+              <dd style="margin-left: 1.5em" id="section-2.4.2.3-3.6">threat-actor, campaign-name, campaign-id, whois-registrant-phone, whois-registrant-email, whois-registrant-name, whois-registrant-org, whois-registrar, whois-creation-date, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, dns-soa-email, anonymised, email<a href="#section-2.4.2.3-3.6" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.4.2.3-3.7">External analysis</dt>
+              <dd style="margin-left: 1.5em" id="section-2.4.2.3-3.8">md5, sha1, sha256, sha3-224, sha3-256, sha3-384, sha3-512, filename, filename|md5, filename|sha1, filename|sha256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, ip-src, ip-dst, ip-dst|port, ip-src|port, mac-address, mac-eui-64, hostname, domain, domain|ip, url, user-agent, regkey, regkey|value, AS, snort, bro, zeek, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, vulnerability, cpe, weakness, attachment, malware-sample, link, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, github-repository, other, cortex, anonymised, community-id<a href="#section-2.4.2.3-3.8" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.4.2.3-3.9">Financial fraud</dt>
+              <dd style="margin-left: 1.5em" id="section-2.4.2.3-3.10">btc, dash, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, phone-number, comment, text, other, hex, anonymised<a href="#section-2.4.2.3-3.10" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.4.2.3-3.11">Internal reference</dt>
+              <dd style="margin-left: 1.5em" id="section-2.4.2.3-3.12">text, link, comment, other, hex, anonymised, git-commit-id<a href="#section-2.4.2.3-3.12" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.4.2.3-3.13">Network activity</dt>
+              <dd style="margin-left: 1.5em" id="section-2.4.2.3-3.14">ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email, email-dst, email-src, eppn, url, uri, user-agent, http-method, AS, snort, pattern-in-file, filename-pattern, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised, community-id, email-subject, favicon-mmh3, dkim, dkim-signature, ssh-fingerprint<a href="#section-2.4.2.3-3.14" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.4.2.3-3.15">Other</dt>
+              <dd style="margin-left: 1.5em" id="section-2.4.2.3-3.16">comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean, anonymised, pgp-public-key, pgp-private-key<a href="#section-2.4.2.3-3.16" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.4.2.3-3.17">Payload delivery</dt>
+              <dd style="margin-left: 1.5em" id="section-2.4.2.3-3.18">md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, filename-pattern, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised<a href="#section-2.4.2.3-3.18" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.4.2.3-3.19">Payload installation</dt>
+              <dd style="margin-left: 1.5em" id="section-2.4.2.3-3.20">md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma, vulnerability, cpe, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, chrome-extension-id, other, mime-type, anonymised<a href="#section-2.4.2.3-3.20" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.4.2.3-3.21">Payload type</dt>
+              <dd style="margin-left: 1.5em" id="section-2.4.2.3-3.22">comment, text, other, anonymised<a href="#section-2.4.2.3-3.22" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.4.2.3-3.23">Persistence mechanism</dt>
+              <dd style="margin-left: 1.5em" id="section-2.4.2.3-3.24">filename, regkey, regkey|value, comment, text, other, hex, anonymised<a href="#section-2.4.2.3-3.24" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.4.2.3-3.25">Person</dt>
+              <dd style="margin-left: 1.5em" id="section-2.4.2.3-3.26">first-name, middle-name, last-name, full-name, date-of-birth, place-of-birth, gender, passport-number, passport-country, passport-expiration, redress-number, nationality, visa-number, issue-date-of-the-visa, primary-residence, country-of-residence, special-service-request, frequent-flyer-number, travel-details, payment-details, place-port-of-original-embarkation, place-port-of-clearance, place-port-of-onward-foreign-destination, passenger-name-record-locator-number, comment, text, other, phone-number, identity-card-number, anonymised, email, pgp-public-key, pgp-private-key<a href="#section-2.4.2.3-3.26" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.4.2.3-3.27">Social network</dt>
+              <dd style="margin-left: 1.5em" id="section-2.4.2.3-3.28">github-username, github-repository, github-organisation, jabber-id, twitter-id, email, email-src, email-dst, eppn, comment, text, other, whois-registrant-email, anonymised, pgp-public-key, pgp-private-key<a href="#section-2.4.2.3-3.28" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.4.2.3-3.29">Support Tool</dt>
+              <dd style="margin-left: 1.5em" id="section-2.4.2.3-3.30">link, text, attachment, comment, other, hex, anonymised<a href="#section-2.4.2.3-3.30" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.4.2.3-3.31">Targeting data</dt>
+              <dd style="margin-left: 1.5em" id="section-2.4.2.3-3.32">target-user, target-email, target-machine, target-org, target-location, target-external, comment, anonymised<a href="#section-2.4.2.3-3.32" class="pilcrow">¶</a>
+</dd>
+            <dd class="break"></dd>
 </dl>
-
-<p> </p>
-<p id="rfc.section.2.4.2.3.p.4">Attributes are based on the usage within their different communities. Attributes can be extended on a regular basis and this reference document is updated accordingly.</p>
-<h1 id="rfc.section.2.4.2.4">
-<a href="#rfc.section.2.4.2.4">2.4.2.4.</a> <a href="#category" id="category">category</a>
-</h1>
-<p id="rfc.section.2.4.2.4.p.1">category represents the intent of what the attribute is describing as selected by the attribute creator, using a list of pre-defined attribute categories.</p>
-<p id="rfc.section.2.4.2.4.p.2">category is represented as a JSON string. category MUST be present and it MUST be a valid selection for the chosen type. The list of valid category-type combinations is mentioned above.</p>
-<h1 id="rfc.section.2.4.2.5">
-<a href="#rfc.section.2.4.2.5">2.4.2.5.</a> <a href="#to-ids" id="to-ids">to_ids</a>
-</h1>
-<p id="rfc.section.2.4.2.5.p.1">to_ids represents whether the attribute is meant to be actionable. Actionable defined attributes that can be used in automated processes as a pattern for detection in Local or Network Intrusion Detection System, log analysis tools or even filtering mechanisms.</p>
-<p id="rfc.section.2.4.2.5.p.2">to_ids is represented as a JSON boolean. to_ids MUST be present.</p>
-<h1 id="rfc.section.2.4.2.6">
-<a href="#rfc.section.2.4.2.6">2.4.2.6.</a> <a href="#event-id" id="event-id">event_id</a>
-</h1>
-<p id="rfc.section.2.4.2.6.p.1">event_id represents a human-readable identifier referencing the Event object that the attribute belongs to. A human-readable identifier MUST be represented as an unsigned integer.</p>
-<p id="rfc.section.2.4.2.6.p.2">The event_id SHOULD be updated when the event is imported to reflect the newly created event's id on the instance.</p>
-<p id="rfc.section.2.4.2.6.p.3">event_id is represented as a JSON string. event_id MUST be present.</p>
-<h1 id="rfc.section.2.4.2.7">
-<a href="#rfc.section.2.4.2.7">2.4.2.7.</a> <a href="#distribution-1" id="distribution-1">distribution</a>
-</h1>
-<p id="rfc.section.2.4.2.7.p.1">distribution represents the basic distribution rules of the attribute. The system must adhere to the distribution setting for access control and for dissemination of the attribute.</p>
-<p id="rfc.section.2.4.2.7.p.2">distribution is represented by a JSON string. distribution MUST be present and be one of the following options:</p>
-<p></p>
-
-<dl>
-<dt>0</dt>
-<dd style="margin-left: 8">
-<br>Your Organisation Only</dd>
-<dt>1</dt>
-<dd style="margin-left: 8">
-<br>This Community Only</dd>
-<dt>2</dt>
-<dd style="margin-left: 8">
-<br>Connected Communities</dd>
-<dt>3</dt>
-<dd style="margin-left: 8">
-<br>All Communities</dd>
-<dt>4</dt>
-<dd style="margin-left: 8">
-<br>Sharing Group</dd>
-<dt>5</dt>
-<dd style="margin-left: 8">
-<br>Inherit Event</dd>
+<p id="section-2.4.2.3-4">Attributes are based on the usage within their different communities. Attributes can be extended on a regular basis and this reference document is updated accordingly.<a href="#section-2.4.2.3-4" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="category">
+<section id="section-2.4.2.4">
+            <h5 id="name-category">
+<a href="#section-2.4.2.4" class="section-number selfRef">2.4.2.4. </a><a href="#name-category" class="section-name selfRef">category</a>
+            </h5>
+<p id="section-2.4.2.4-1">category represents the intent of what the attribute is describing as selected by the attribute creator, using a list of pre-defined attribute categories.<a href="#section-2.4.2.4-1" class="pilcrow">¶</a></p>
+<p id="section-2.4.2.4-2">category is represented as a JSON string. category <span class="bcp14">MUST</span> be present and it <span class="bcp14">MUST</span> be a valid selection for the chosen type. The list of valid category-type combinations is mentioned above.<a href="#section-2.4.2.4-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="to-ids">
+<section id="section-2.4.2.5">
+            <h5 id="name-to_ids">
+<a href="#section-2.4.2.5" class="section-number selfRef">2.4.2.5. </a><a href="#name-to_ids" class="section-name selfRef">to_ids</a>
+            </h5>
+<p id="section-2.4.2.5-1">to_ids represents whether the attribute is meant to be actionable. Actionable defined attributes that can be used in automated processes as a pattern for detection in Local or Network Intrusion Detection System, log analysis tools or even filtering mechanisms.<a href="#section-2.4.2.5-1" class="pilcrow">¶</a></p>
+<p id="section-2.4.2.5-2">to_ids is represented as a JSON boolean. to_ids <span class="bcp14">MUST</span> be present.<a href="#section-2.4.2.5-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="event-id">
+<section id="section-2.4.2.6">
+            <h5 id="name-event_id">
+<a href="#section-2.4.2.6" class="section-number selfRef">2.4.2.6. </a><a href="#name-event_id" class="section-name selfRef">event_id</a>
+            </h5>
+<p id="section-2.4.2.6-1">event_id represents a human-readable identifier referencing the Event object that the attribute belongs to. A human-readable identifier <span class="bcp14">MUST</span> be
+represented as an unsigned integer.<a href="#section-2.4.2.6-1" class="pilcrow">¶</a></p>
+<p id="section-2.4.2.6-2">The event_id <span class="bcp14">SHOULD</span> be updated when the event is imported to reflect the newly created event's id on the instance.<a href="#section-2.4.2.6-2" class="pilcrow">¶</a></p>
+<p id="section-2.4.2.6-3">event_id is represented as a JSON string. event_id <span class="bcp14">MUST</span> be present.<a href="#section-2.4.2.6-3" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="distribution-1">
+<section id="section-2.4.2.7">
+            <h5 id="name-distribution-2">
+<a href="#section-2.4.2.7" class="section-number selfRef">2.4.2.7. </a><a href="#name-distribution-2" class="section-name selfRef">distribution</a>
+            </h5>
+<p id="section-2.4.2.7-1">distribution represents the basic distribution rules of the attribute. The system must adhere to the distribution setting for access control and for dissemination of the attribute.<a href="#section-2.4.2.7-1" class="pilcrow">¶</a></p>
+<p id="section-2.4.2.7-2">distribution is represented by a JSON string. distribution <span class="bcp14">MUST</span> be present and be one of the following options:<a href="#section-2.4.2.7-2" class="pilcrow">¶</a></p>
+<span class="break"></span><dl class="dlParallel" id="section-2.4.2.7-3">
+              <dt id="section-2.4.2.7-3.1">0</dt>
+              <dd style="margin-left: 1.5em" id="section-2.4.2.7-3.2">Your Organisation Only<a href="#section-2.4.2.7-3.2" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.4.2.7-3.3">1</dt>
+              <dd style="margin-left: 1.5em" id="section-2.4.2.7-3.4">This Community Only<a href="#section-2.4.2.7-3.4" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.4.2.7-3.5">2</dt>
+              <dd style="margin-left: 1.5em" id="section-2.4.2.7-3.6">Connected Communities<a href="#section-2.4.2.7-3.6" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.4.2.7-3.7">3</dt>
+              <dd style="margin-left: 1.5em" id="section-2.4.2.7-3.8">All Communities<a href="#section-2.4.2.7-3.8" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.4.2.7-3.9">4</dt>
+              <dd style="margin-left: 1.5em" id="section-2.4.2.7-3.10">Sharing Group<a href="#section-2.4.2.7-3.10" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.4.2.7-3.11">5</dt>
+              <dd style="margin-left: 1.5em" id="section-2.4.2.7-3.12">Inherit Event<a href="#section-2.4.2.7-3.12" class="pilcrow">¶</a>
+</dd>
+            <dd class="break"></dd>
 </dl>
-
-<p> </p>
-<h1 id="rfc.section.2.4.2.8">
-<a href="#rfc.section.2.4.2.8">2.4.2.8.</a> <a href="#timestamp-1" id="timestamp-1">timestamp</a>
-</h1>
-<p id="rfc.section.2.4.2.8.p.1">timestamp represents a reference time when the attribute was created or last modified. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone MUST be UTC.</p>
-<p id="rfc.section.2.4.2.8.p.2">timestamp is represented as a JSON string. timestamp MUST be present.</p>
-<h1 id="rfc.section.2.4.2.9">
-<a href="#rfc.section.2.4.2.9">2.4.2.9.</a> <a href="#comment" id="comment">comment</a>
-</h1>
-<p id="rfc.section.2.4.2.9.p.1">comment is a contextual comment field.</p>
-<p id="rfc.section.2.4.2.9.p.2">comment is represented by a JSON string. comment MAY be present.</p>
-<h1 id="rfc.section.2.4.2.10">
-<a href="#rfc.section.2.4.2.10">2.4.2.10.</a> <a href="#sharing-group-id-1" id="sharing-group-id-1">sharing_group_id</a>
-</h1>
-<p id="rfc.section.2.4.2.10.p.1">sharing_group_id represents a human-readable identifier referencing a Sharing Group object that defines the distribution of the attribute, if distribution level "4" is set. A human-readable identifier MUST be represented as an unsigned integer.</p>
-<p id="rfc.section.2.4.2.10.p.2">sharing_group_id is represented by a JSON string and SHOULD be present. If a distribution level other than "4" is chosen the sharing_group_id MUST be set to "0".</p>
-<h1 id="rfc.section.2.4.2.11">
-<a href="#rfc.section.2.4.2.11">2.4.2.11.</a> <a href="#deleted" id="deleted">deleted</a>
-</h1>
-<p id="rfc.section.2.4.2.11.p.1">deleted represents a setting that allows attributes to be revoked. Revoked attributes are not actionable and exist merely to inform other instances of a revocation.</p>
-<p id="rfc.section.2.4.2.11.p.2">deleted is represented by a JSON boolean. deleted MUST be present.</p>
-<h1 id="rfc.section.2.4.2.12">
-<a href="#rfc.section.2.4.2.12">2.4.2.12.</a> <a href="#data" id="data">data</a>
-</h1>
-<p id="rfc.section.2.4.2.12.p.1">data contains the base64 encoded contents of an attachment or a malware sample. For malware samples, the sample MUST be encrypted using a password protected zip archive, with the password being "infected".</p>
-<p id="rfc.section.2.4.2.12.p.2">data is represented by a JSON string in base64 encoding. data MUST be set for attributes of type malware-sample and attachment.</p>
-<h1 id="rfc.section.2.4.2.13">
-<a href="#rfc.section.2.4.2.13">2.4.2.13.</a> <a href="#relatedattribute" id="relatedattribute">RelatedAttribute</a>
-</h1>
-<p id="rfc.section.2.4.2.13.p.1">RelatedAttribute is an array of attributes correlating with the current attribute. Each element in the array represents an JSON object which contains an Attribute dictionnary with the external attributes who correlate. Each Attribute MUST include the id, org_id, info and a value. Only the correlations found on the local instance are shown in RelatedAttribute.</p>
-<p id="rfc.section.2.4.2.13.p.2">RelatedAttribute MAY be present.</p>
-<h1 id="rfc.section.2.4.2.14">
-<a href="#rfc.section.2.4.2.14">2.4.2.14.</a> <a href="#shadowattribute" id="shadowattribute">ShadowAttribute</a>
-</h1>
-<p id="rfc.section.2.4.2.14.p.1">ShadowAttribute is an array of shadow attributes that serve as proposals by third parties to alter the containing attribute. The structure of a ShadowAttribute is similar to that of an Attribute, which can be accepted or discarded by the event creator. If accepted, the original attribute containing the shadow attribute is removed and the shadow attribute is converted into an attribute.</p>
-<p id="rfc.section.2.4.2.14.p.2">Each shadow attribute that references an attribute MUST contain the containing attribute's ID in the old<em>id field and the event's ID in the event</em>id field.</p>
-<h1 id="rfc.section.2.4.2.15">
-<a href="#rfc.section.2.4.2.15">2.4.2.15.</a> <a href="#value" id="value">value</a>
-</h1>
-<p id="rfc.section.2.4.2.15.p.1">value represents the payload of an attribute. The format of the value is dependent on the type of the attribute.</p>
-<p id="rfc.section.2.4.2.15.p.2">value is represented by a JSON string. value MUST be present.</p>
-<h1 id="rfc.section.2.4.2.16">
-<a href="#rfc.section.2.4.2.16">2.4.2.16.</a> <a href="#first-seen" id="first-seen">first_seen</a>
-</h1>
-<p id="rfc.section.2.4.2.16.p.1">first<em>seen represents a reference time when the attribute was first seen. first</em>seen is expressed as an ISO 8601 datetime up to the micro-second with time zone support.</p>
-<p id="rfc.section.2.4.2.16.p.2">first<em>seen is represented as a JSON string. first</em>seen MAY be present.</p>
-<h1 id="rfc.section.2.4.2.17">
-<a href="#rfc.section.2.4.2.17">2.4.2.17.</a> <a href="#last-seen" id="last-seen">last_seen</a>
-</h1>
-<p id="rfc.section.2.4.2.17.p.1">last<em>seen represents a reference time when the attribute was last seen. last</em>seen is expressed as an ISO 8601 datetime up to the micro-second with time zone support.</p>
-<p id="rfc.section.2.4.2.17.p.2">last<em>seen is represented as a JSON string. last</em>seen MAY be present.</p>
-<h1 id="rfc.section.2.5">
-<a href="#rfc.section.2.5">2.5.</a> <a href="#shadowattribute-1" id="shadowattribute-1">ShadowAttribute</a>
-</h1>
-<p id="rfc.section.2.5.p.1">ShadowAttributes are 3rd party created attributes that either propose to add new information to an event or modify existing information. They are not meant to be actionable until the event creator accepts them - at which point they will be converted into attributes or modify an existing attribute.</p>
-<p id="rfc.section.2.5.p.2">They are similar in structure to Attributes but additionally carry a reference to the creator of the ShadowAttribute as well as a revocation flag.</p>
-<h1 id="rfc.section.2.5.1">
-<a href="#rfc.section.2.5.1">2.5.1.</a> <a href="#sample-attribute-object-1" id="sample-attribute-object-1">Sample Attribute Object</a>
-</h1>
+</section>
+</div>
+<div id="timestamp-1">
+<section id="section-2.4.2.8">
+            <h5 id="name-timestamp-2">
+<a href="#section-2.4.2.8" class="section-number selfRef">2.4.2.8. </a><a href="#name-timestamp-2" class="section-name selfRef">timestamp</a>
+            </h5>
+<p id="section-2.4.2.8-1">timestamp represents a reference time when the attribute was created or last modified. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone <span class="bcp14">MUST</span> be UTC.<a href="#section-2.4.2.8-1" class="pilcrow">¶</a></p>
+<p id="section-2.4.2.8-2">timestamp is represented as a JSON string. timestamp <span class="bcp14">MUST</span> be present.<a href="#section-2.4.2.8-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="comment">
+<section id="section-2.4.2.9">
+            <h5 id="name-comment">
+<a href="#section-2.4.2.9" class="section-number selfRef">2.4.2.9. </a><a href="#name-comment" class="section-name selfRef">comment</a>
+            </h5>
+<p id="section-2.4.2.9-1">comment is a contextual comment field.<a href="#section-2.4.2.9-1" class="pilcrow">¶</a></p>
+<p id="section-2.4.2.9-2">comment is represented by a JSON string. comment <span class="bcp14">MAY</span> be present.<a href="#section-2.4.2.9-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="sharing-group-id-1">
+<section id="section-2.4.2.10">
+            <h5 id="name-sharing_group_id-2">
+<a href="#section-2.4.2.10" class="section-number selfRef">2.4.2.10. </a><a href="#name-sharing_group_id-2" class="section-name selfRef">sharing_group_id</a>
+            </h5>
+<p id="section-2.4.2.10-1">sharing_group_id represents a human-readable identifier referencing a Sharing Group object that defines the distribution of the attribute, if distribution level "4" is set. A human-readable identifier <span class="bcp14">MUST</span> be represented as an unsigned integer.<a href="#section-2.4.2.10-1" class="pilcrow">¶</a></p>
+<p id="section-2.4.2.10-2">sharing_group_id is represented by a JSON string and <span class="bcp14">SHOULD</span> be present. If a distribution level other than "4" is chosen the sharing_group_id <span class="bcp14">MUST</span> be set to "0".<a href="#section-2.4.2.10-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="deleted">
+<section id="section-2.4.2.11">
+            <h5 id="name-deleted">
+<a href="#section-2.4.2.11" class="section-number selfRef">2.4.2.11. </a><a href="#name-deleted" class="section-name selfRef">deleted</a>
+            </h5>
+<p id="section-2.4.2.11-1">deleted represents a setting that allows attributes to be revoked. Revoked attributes are not actionable and exist merely to inform other instances of a revocation.<a href="#section-2.4.2.11-1" class="pilcrow">¶</a></p>
+<p id="section-2.4.2.11-2">deleted is represented by a JSON boolean. deleted <span class="bcp14">MUST</span> be present.<a href="#section-2.4.2.11-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="data">
+<section id="section-2.4.2.12">
+            <h5 id="name-data">
+<a href="#section-2.4.2.12" class="section-number selfRef">2.4.2.12. </a><a href="#name-data" class="section-name selfRef">data</a>
+            </h5>
+<p id="section-2.4.2.12-1">data contains the base64 encoded contents of an attachment or a malware sample. For malware samples,
+the sample <span class="bcp14">MUST</span> be encrypted using a password protected zip archive, with the password being "infected".<a href="#section-2.4.2.12-1" class="pilcrow">¶</a></p>
+<p id="section-2.4.2.12-2">data is represented by a JSON string in base64 encoding. data <span class="bcp14">MUST</span> be set for attributes of type malware-sample and attachment.<a href="#section-2.4.2.12-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="relatedattribute">
+<section id="section-2.4.2.13">
+            <h5 id="name-relatedattribute">
+<a href="#section-2.4.2.13" class="section-number selfRef">2.4.2.13. </a><a href="#name-relatedattribute" class="section-name selfRef">RelatedAttribute</a>
+            </h5>
+<p id="section-2.4.2.13-1">RelatedAttribute is an array of attributes correlating with the current attribute. Each element in the array represents an JSON object which contains an Attribute dictionnary with the external attributes who correlate. Each Attribute <span class="bcp14">MUST</span> include the id, org_id, info and a value. Only the correlations found on the local instance are shown in RelatedAttribute.<a href="#section-2.4.2.13-1" class="pilcrow">¶</a></p>
+<p id="section-2.4.2.13-2">RelatedAttribute <span class="bcp14">MAY</span> be present.<a href="#section-2.4.2.13-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="shadowattribute">
+<section id="section-2.4.2.14">
+            <h5 id="name-shadowattribute">
+<a href="#section-2.4.2.14" class="section-number selfRef">2.4.2.14. </a><a href="#name-shadowattribute" class="section-name selfRef">ShadowAttribute</a>
+            </h5>
+<p id="section-2.4.2.14-1">ShadowAttribute is an array of shadow attributes that serve as proposals by third parties to alter the containing attribute. The structure of a ShadowAttribute is similar to that of an Attribute,
+which can be accepted or discarded by the event creator. If accepted, the original attribute containing the shadow attribute is removed and the shadow attribute is converted into an attribute.<a href="#section-2.4.2.14-1" class="pilcrow">¶</a></p>
+<p id="section-2.4.2.14-2">Each shadow attribute that references an attribute <span class="bcp14">MUST</span> contain the containing attribute's ID in the old<em>id field and the event's ID in the event</em>id field.<a href="#section-2.4.2.14-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="value">
+<section id="section-2.4.2.15">
+            <h5 id="name-value">
+<a href="#section-2.4.2.15" class="section-number selfRef">2.4.2.15. </a><a href="#name-value" class="section-name selfRef">value</a>
+            </h5>
+<p id="section-2.4.2.15-1">value represents the payload of an attribute. The format of the value is dependent on the type of the attribute.<a href="#section-2.4.2.15-1" class="pilcrow">¶</a></p>
+<p id="section-2.4.2.15-2">value is represented by a JSON string. value <span class="bcp14">MUST</span> be present.<a href="#section-2.4.2.15-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="first-seen">
+<section id="section-2.4.2.16">
+            <h5 id="name-first_seen">
+<a href="#section-2.4.2.16" class="section-number selfRef">2.4.2.16. </a><a href="#name-first_seen" class="section-name selfRef">first_seen</a>
+            </h5>
+<p id="section-2.4.2.16-1">first<em>seen represents a reference time when the attribute was first seen. first</em>seen is expressed as an ISO 8601 datetime up to the micro-second with time zone support.<a href="#section-2.4.2.16-1" class="pilcrow">¶</a></p>
+<p id="section-2.4.2.16-2">first<em>seen is represented as a JSON string. first</em>seen <span class="bcp14">MAY</span> be present.<a href="#section-2.4.2.16-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="last-seen">
+<section id="section-2.4.2.17">
+            <h5 id="name-last_seen">
+<a href="#section-2.4.2.17" class="section-number selfRef">2.4.2.17. </a><a href="#name-last_seen" class="section-name selfRef">last_seen</a>
+            </h5>
+<p id="section-2.4.2.17-1">last<em>seen represents a reference time when the attribute was last seen. last</em>seen is expressed as an ISO 8601 datetime up to the micro-second with time zone support.<a href="#section-2.4.2.17-1" class="pilcrow">¶</a></p>
+<p id="section-2.4.2.17-2">last<em>seen is represented as a JSON string. last</em>seen <span class="bcp14">MAY</span> be present.<a href="#section-2.4.2.17-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+</section>
+</div>
+</section>
+</div>
+<div id="shadowattribute-1">
+<section id="section-2.5">
+        <h3 id="name-shadowattribute-2">
+<a href="#section-2.5" class="section-number selfRef">2.5. </a><a href="#name-shadowattribute-2" class="section-name selfRef">ShadowAttribute</a>
+        </h3>
+<p id="section-2.5-1">ShadowAttributes are 3rd party created attributes that either propose to add new information to an event or modify existing information. They are not meant to be actionable until the event creator accepts them - at which point they will be converted into attributes or modify an existing attribute.<a href="#section-2.5-1" class="pilcrow">¶</a></p>
+<p id="section-2.5-2">They are similar in structure to Attributes but additionally carry a reference to the creator of the ShadowAttribute as well as a revocation flag.<a href="#section-2.5-2" class="pilcrow">¶</a></p>
+<div id="sample-attribute-object-1">
+<section id="section-2.5.1">
+          <h4 id="name-sample-attribute-object-2">
+<a href="#section-2.5.1" class="section-number selfRef">2.5.1. </a><a href="#name-sample-attribute-object-2" class="section-name selfRef">Sample Attribute Object</a>
+          </h4>
+<div class="artwork art-text alignLeft" id="section-2.5.1-1">
 <pre>"ShadowAttribute":  {
                        "id": "8",
                        "type": "ip-src",
@@ -994,175 +2089,281 @@
                        "first_seen": "2019-06-02T22:14:28.711954+00:00",
                        "last_seen": null
                    }
-</pre>
-<h1 id="rfc.section.2.5.2">
-<a href="#rfc.section.2.5.2">2.5.2.</a> <a href="#shadowattribute-attributes" id="shadowattribute-attributes">ShadowAttribute Attributes</a>
-</h1>
-<h1 id="rfc.section.2.5.2.1">
-<a href="#rfc.section.2.5.2.1">2.5.2.1.</a> <a href="#uuid-2" id="uuid-2">uuid</a>
-</h1>
-<p id="rfc.section.2.5.2.1.p.1">uuid represents the Universally Unique IDentifier (UUID) <a href="#RFC4122" class="xref">[RFC4122]</a> of the event. The uuid MUST be preserved for any updates or transfer of the same event. UUID version 4 is RECOMMENDED when assigning it to a new event.</p>
-<p id="rfc.section.2.5.2.1.p.2">uuid is represented as a JSON string. uuid MUST be present.</p>
-<h1 id="rfc.section.2.5.2.2">
-<a href="#rfc.section.2.5.2.2">2.5.2.2.</a> <a href="#id-2" id="id-2">id</a>
-</h1>
-<p id="rfc.section.2.5.2.2.p.1">id represents the human-readable identifier associated to the event for a specific MISP instance. human-readable identifier MUST be represented as an unsigned integer.  id is represented as a JSON string. id SHALL be present.</p>
-<h1 id="rfc.section.2.5.2.3">
-<a href="#rfc.section.2.5.2.3">2.5.2.3.</a> <a href="#type-1" id="type-1">type</a>
-</h1>
-<p id="rfc.section.2.5.2.3.p.1">type represents the means through which an attribute tries to describe the intent of the attribute creator, using a list of pre-defined attribute types.</p>
-<p id="rfc.section.2.5.2.3.p.2">type is represented as a JSON string. type MUST be present and it MUST be a valid selection for the chosen category. The list of valid category-type combinations is as follows:</p>
-<p></p>
-
-<dl>
-<dt>Antivirus detection</dt>
-<dd style="margin-left: 8">
-<br>link, comment, text, hex, attachment, other, anonymised</dd>
-<dt>Artifacts dropped</dt>
-<dd style="margin-left: 8">
-<br>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, filename-pattern, pdb, stix2-pattern, yara, sigma, attachment, malware-sample, named pipe, mutex, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene, kusto-query, mime-type, anonymised, pgp-public-key, pgp-private-key</dd>
-<dt>Attribution</dt>
-<dd style="margin-left: 8">
-<br>threat-actor, campaign-name, campaign-id, whois-registrant-phone, whois-registrant-email, whois-registrant-name, whois-registrant-org, whois-registrar, whois-creation-date, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, dns-soa-email, anonymised, email</dd>
-<dt>External analysis</dt>
-<dd style="margin-left: 8">
-<br>md5, sha1, sha256, sha3-224, sha3-256, sha3-384, sha3-512, filename, filename|md5, filename|sha1, filename|sha256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, ip-src, ip-dst, ip-dst|port, ip-src|port, mac-address, mac-eui-64, hostname, domain, domain|ip, url, user-agent, regkey, regkey|value, AS, snort, bro, zeek, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, vulnerability, cpe, weakness, attachment, malware-sample, link, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, github-repository, other, cortex, anonymised, community-id</dd>
-<dt>Financial fraud</dt>
-<dd style="margin-left: 8">
-<br>btc, dash, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, phone-number, comment, text, other, hex, anonymised</dd>
-<dt>Internal reference</dt>
-<dd style="margin-left: 8">
-<br>text, link, comment, other, hex, anonymised, git-commit-id</dd>
-<dt>Network activity</dt>
-<dd style="margin-left: 8">
-<br>ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email, email-dst, email-src, eppn, url, uri, user-agent, http-method, AS, snort, pattern-in-file, filename-pattern, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised, community-id, email-subject</dd>
-<dt>Other</dt>
-<dd style="margin-left: 8">
-<br>comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean, anonymised, pgp-public-key, pgp-private-key</dd>
-<dt>Payload delivery</dt>
-<dd style="margin-left: 8">
-<br>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, filename-pattern, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised</dd>
-<dt>Payload installation</dt>
-<dd style="margin-left: 8">
-<br>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma, vulnerability, cpe, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, chrome-extension-id, other, mime-type, anonymised</dd>
-<dt>Payload type</dt>
-<dd style="margin-left: 8">
-<br>comment, text, other, anonymised</dd>
-<dt>Persistence mechanism</dt>
-<dd style="margin-left: 8">
-<br>filename, regkey, regkey|value, comment, text, other, hex, anonymised</dd>
-<dt>Person</dt>
-<dd style="margin-left: 8">
-<br>first-name, middle-name, last-name, date-of-birth, place-of-birth, gender, passport-number, passport-country, passport-expiration, redress-number, nationality, visa-number, issue-date-of-the-visa, primary-residence, country-of-residence, special-service-request, frequent-flyer-number, travel-details, payment-details, place-port-of-original-embarkation, place-port-of-clearance, place-port-of-onward-foreign-destination, passenger-name-record-locator-number, comment, text, other, phone-number, identity-card-number, anonymised, email, pgp-public-key, pgp-private-key</dd>
-<dt>Social network</dt>
-<dd style="margin-left: 8">
-<br>github-username, github-repository, github-organisation, jabber-id, twitter-id, email, email-src, email-dst, eppn, comment, text, other, whois-registrant-email, anonymised, pgp-public-key, pgp-private-key</dd>
-<dt>Support Tool</dt>
-<dd style="margin-left: 8">
-<br>link, text, attachment, comment, other, hex, anonymised</dd>
-<dt>Targeting data</dt>
-<dd style="margin-left: 8">
-<br>target-user, target-email, target-machine, target-org, target-location, target-external, comment, anonymised</dd>
+</pre><a href="#section-2.5.1-1" class="pilcrow">¶</a>
+</div>
+</section>
+</div>
+<div id="shadowattribute-attributes">
+<section id="section-2.5.2">
+          <h4 id="name-shadowattribute-attributes">
+<a href="#section-2.5.2" class="section-number selfRef">2.5.2. </a><a href="#name-shadowattribute-attributes" class="section-name selfRef">ShadowAttribute Attributes</a>
+          </h4>
+<div id="uuid-2">
+<section id="section-2.5.2.1">
+            <h5 id="name-uuid-3">
+<a href="#section-2.5.2.1" class="section-number selfRef">2.5.2.1. </a><a href="#name-uuid-3" class="section-name selfRef">uuid</a>
+            </h5>
+<p id="section-2.5.2.1-1">uuid represents the Universally Unique IDentifier (UUID) <span>[<a href="#RFC4122" class="xref">RFC4122</a>]</span> of the event. The uuid <span class="bcp14">MUST</span> be preserved
+for any updates or transfer of the same event. UUID version 4 is <span class="bcp14">RECOMMENDED</span> when assigning it to a new event.<a href="#section-2.5.2.1-1" class="pilcrow">¶</a></p>
+<p id="section-2.5.2.1-2">uuid is represented as a JSON string. uuid <span class="bcp14">MUST</span> be present.<a href="#section-2.5.2.1-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="id-2">
+<section id="section-2.5.2.2">
+            <h5 id="name-id-3">
+<a href="#section-2.5.2.2" class="section-number selfRef">2.5.2.2. </a><a href="#name-id-3" class="section-name selfRef">id</a>
+            </h5>
+<p id="section-2.5.2.2-1">id represents the human-readable identifier associated to the event for a specific MISP instance. human-readable identifier <span class="bcp14">MUST</span> be represented as an unsigned integer.
+id is represented as a JSON string. id <span class="bcp14">SHALL</span> be present.<a href="#section-2.5.2.2-1" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="type-1">
+<section id="section-2.5.2.3">
+            <h5 id="name-type-2">
+<a href="#section-2.5.2.3" class="section-number selfRef">2.5.2.3. </a><a href="#name-type-2" class="section-name selfRef">type</a>
+            </h5>
+<p id="section-2.5.2.3-1">type represents the means through which an attribute tries to describe the intent of the attribute creator, using a list of pre-defined attribute types.<a href="#section-2.5.2.3-1" class="pilcrow">¶</a></p>
+<p id="section-2.5.2.3-2">type is represented as a JSON string. type <span class="bcp14">MUST</span> be present and it <span class="bcp14">MUST</span> be a valid selection for the chosen category. The list of valid category-type combinations is as follows:<a href="#section-2.5.2.3-2" class="pilcrow">¶</a></p>
+<span class="break"></span><dl class="dlParallel" id="section-2.5.2.3-3">
+              <dt id="section-2.5.2.3-3.1">Antivirus detection</dt>
+              <dd style="margin-left: 1.5em" id="section-2.5.2.3-3.2">link, comment, text, hex, attachment, other, anonymised<a href="#section-2.5.2.3-3.2" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.5.2.3-3.3">Artifacts dropped</dt>
+              <dd style="margin-left: 1.5em" id="section-2.5.2.3-3.4">md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, filename-pattern, pdb, stix2-pattern, yara, sigma, attachment, malware-sample, named pipe, mutex, process-state, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene, kusto-query, mime-type, anonymised, pgp-public-key, pgp-private-key<a href="#section-2.5.2.3-3.4" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.5.2.3-3.5">Attribution</dt>
+              <dd style="margin-left: 1.5em" id="section-2.5.2.3-3.6">threat-actor, campaign-name, campaign-id, whois-registrant-phone, whois-registrant-email, whois-registrant-name, whois-registrant-org, whois-registrar, whois-creation-date, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, dns-soa-email, anonymised, email<a href="#section-2.5.2.3-3.6" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.5.2.3-3.7">External analysis</dt>
+              <dd style="margin-left: 1.5em" id="section-2.5.2.3-3.8">md5, sha1, sha256, sha3-224, sha3-256, sha3-384, sha3-512, filename, filename|md5, filename|sha1, filename|sha256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, ip-src, ip-dst, ip-dst|port, ip-src|port, mac-address, mac-eui-64, hostname, domain, domain|ip, url, user-agent, regkey, regkey|value, AS, snort, bro, zeek, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, vulnerability, cpe, weakness, attachment, malware-sample, link, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, github-repository, other, cortex, anonymised, community-id<a href="#section-2.5.2.3-3.8" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.5.2.3-3.9">Financial fraud</dt>
+              <dd style="margin-left: 1.5em" id="section-2.5.2.3-3.10">btc, dash, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, phone-number, comment, text, other, hex, anonymised<a href="#section-2.5.2.3-3.10" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.5.2.3-3.11">Internal reference</dt>
+              <dd style="margin-left: 1.5em" id="section-2.5.2.3-3.12">text, link, comment, other, hex, anonymised, git-commit-id<a href="#section-2.5.2.3-3.12" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.5.2.3-3.13">Network activity</dt>
+              <dd style="margin-left: 1.5em" id="section-2.5.2.3-3.14">ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email, email-dst, email-src, eppn, url, uri, user-agent, http-method, AS, snort, pattern-in-file, filename-pattern, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised, community-id, email-subject, favicon-mmh3, dkim, dkim-signature, ssh-fingerprint<a href="#section-2.5.2.3-3.14" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.5.2.3-3.15">Other</dt>
+              <dd style="margin-left: 1.5em" id="section-2.5.2.3-3.16">comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean, anonymised, pgp-public-key, pgp-private-key<a href="#section-2.5.2.3-3.16" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.5.2.3-3.17">Payload delivery</dt>
+              <dd style="margin-left: 1.5em" id="section-2.5.2.3-3.18">md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, filename-pattern, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised<a href="#section-2.5.2.3-3.18" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.5.2.3-3.19">Payload installation</dt>
+              <dd style="margin-left: 1.5em" id="section-2.5.2.3-3.20">md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma, vulnerability, cpe, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, chrome-extension-id, other, mime-type, anonymised<a href="#section-2.5.2.3-3.20" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.5.2.3-3.21">Payload type</dt>
+              <dd style="margin-left: 1.5em" id="section-2.5.2.3-3.22">comment, text, other, anonymised<a href="#section-2.5.2.3-3.22" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.5.2.3-3.23">Persistence mechanism</dt>
+              <dd style="margin-left: 1.5em" id="section-2.5.2.3-3.24">filename, regkey, regkey|value, comment, text, other, hex, anonymised<a href="#section-2.5.2.3-3.24" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.5.2.3-3.25">Person</dt>
+              <dd style="margin-left: 1.5em" id="section-2.5.2.3-3.26">first-name, middle-name, last-name, full-name, date-of-birth, place-of-birth, gender, passport-number, passport-country, passport-expiration, redress-number, nationality, visa-number, issue-date-of-the-visa, primary-residence, country-of-residence, special-service-request, frequent-flyer-number, travel-details, payment-details, place-port-of-original-embarkation, place-port-of-clearance, place-port-of-onward-foreign-destination, passenger-name-record-locator-number, comment, text, other, phone-number, identity-card-number, anonymised, email, pgp-public-key, pgp-private-key<a href="#section-2.5.2.3-3.26" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.5.2.3-3.27">Social network</dt>
+              <dd style="margin-left: 1.5em" id="section-2.5.2.3-3.28">github-username, github-repository, github-organisation, jabber-id, twitter-id, email, email-src, email-dst, eppn, comment, text, other, whois-registrant-email, anonymised, pgp-public-key, pgp-private-key<a href="#section-2.5.2.3-3.28" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.5.2.3-3.29">Support Tool</dt>
+              <dd style="margin-left: 1.5em" id="section-2.5.2.3-3.30">link, text, attachment, comment, other, hex, anonymised<a href="#section-2.5.2.3-3.30" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.5.2.3-3.31">Targeting data</dt>
+              <dd style="margin-left: 1.5em" id="section-2.5.2.3-3.32">target-user, target-email, target-machine, target-org, target-location, target-external, comment, anonymised<a href="#section-2.5.2.3-3.32" class="pilcrow">¶</a>
+</dd>
+            <dd class="break"></dd>
 </dl>
-
-<p> </p>
-<p id="rfc.section.2.5.2.3.p.4">Attributes are based on the usage within their different communities. Attributes can be extended on a regular basis and this reference document is updated accordingly.</p>
-<h1 id="rfc.section.2.5.2.4">
-<a href="#rfc.section.2.5.2.4">2.5.2.4.</a> <a href="#category-1" id="category-1">category</a>
-</h1>
-<p id="rfc.section.2.5.2.4.p.1">category represents the intent of what the attribute is describing as selected by the attribute creator, using a list of pre-defined attribute categories.</p>
-<p id="rfc.section.2.5.2.4.p.2">category is represented as a JSON string. category MUST be present and it MUST be a valid selection for the chosen type. The list of valid category-type combinations is mentioned above.</p>
-<h1 id="rfc.section.2.5.2.5">
-<a href="#rfc.section.2.5.2.5">2.5.2.5.</a> <a href="#to-ids-1" id="to-ids-1">to_ids</a>
-</h1>
-<p id="rfc.section.2.5.2.5.p.1">to_ids represents whether the Attribute to be created if the ShadowAttribute is accepted is meant to be actionable. Actionable defined attributes that can be used in automated processes as a pattern for detection in Local or Network Intrusion Detection System, log analysis tools or even filtering mechanisms.</p>
-<p id="rfc.section.2.5.2.5.p.2">to_ids is represented as a JSON boolean. to_ids MUST be present.</p>
-<h1 id="rfc.section.2.5.2.6">
-<a href="#rfc.section.2.5.2.6">2.5.2.6.</a> <a href="#event-id-1" id="event-id-1">event_id</a>
-</h1>
-<p id="rfc.section.2.5.2.6.p.1">event_id represents a human-readable identifier referencing the Event object that the ShadowAttribute belongs to.</p>
-<p id="rfc.section.2.5.2.6.p.2">The event_id SHOULD be updated when the event is imported to reflect the newly created event's id on the instance.</p>
-<p id="rfc.section.2.5.2.6.p.3">event_id is represented as a JSON string. event_id MUST be present.</p>
-<h1 id="rfc.section.2.5.2.7">
-<a href="#rfc.section.2.5.2.7">2.5.2.7.</a> <a href="#old-id" id="old-id">old_id</a>
-</h1>
-<p id="rfc.section.2.5.2.7.p.1">old_id represents a human-readable identifier referencing the Attribute object that the ShadowAttribute belongs to. A ShadowAttribute can this way target an existing Attribute, implying that it is a proposal to modify an existing Attribute, or alternatively it can be a proposal to create a new Attribute for the containing Event.</p>
-<p id="rfc.section.2.5.2.7.p.2">The old_id SHOULD be updated when the event is imported to reflect the newly created Attribute's id on the instance. Alternatively, if the ShadowAttribute proposes the creation of a new Attribute, it should be set to 0.</p>
-<p id="rfc.section.2.5.2.7.p.3">old_id is represented as a JSON string. old_id MUST be present.</p>
-<h1 id="rfc.section.2.5.2.8">
-<a href="#rfc.section.2.5.2.8">2.5.2.8.</a> <a href="#timestamp-2" id="timestamp-2">timestamp</a>
-</h1>
-<p id="rfc.section.2.5.2.8.p.1">timestamp represents a reference time when the attribute was created or last modified. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone MUST be UTC.</p>
-<p id="rfc.section.2.5.2.8.p.2">timestamp is represented as a JSON string. timestamp MUST be present.</p>
-<h1 id="rfc.section.2.5.2.9">
-<a href="#rfc.section.2.5.2.9">2.5.2.9.</a> <a href="#comment-1" id="comment-1">comment</a>
-</h1>
-<p id="rfc.section.2.5.2.9.p.1">comment is a contextual comment field.</p>
-<p id="rfc.section.2.5.2.9.p.2">comment is represented by a JSON string. comment MAY be present.</p>
-<h1 id="rfc.section.2.5.2.10">
-<a href="#rfc.section.2.5.2.10">2.5.2.10.</a> <a href="#org-id-1" id="org-id-1">org_id</a>
-</h1>
-<p id="rfc.section.2.5.2.10.p.1">org_id represents a human-readable identifier referencing the proposal creator's Organisation object. A human-readable identifier MUST be represented as an unsigned integer.</p>
-<p id="rfc.section.2.5.2.10.p.2">Whilst attributes can only be created by the event creator organisation, shadow attributes can be created by third parties. org_id tracks the creator organisation.</p>
-<p id="rfc.section.2.5.2.10.p.3">org_id is represented by a JSON string and MUST be present.</p>
-<h1 id="rfc.section.2.5.2.11">
-<a href="#rfc.section.2.5.2.11">2.5.2.11.</a> <a href="#proposal-to-delete" id="proposal-to-delete">proposal_to_delete</a>
-</h1>
-<p id="rfc.section.2.5.2.11.p.1">proposal_to_delete is a boolean flag that sets whether the shadow attribute proposes to alter an attribute, or whether it proposes to remove it completely.</p>
-<p id="rfc.section.2.5.2.11.p.2">Accepting a shadow attribute with this flag set will remove the target attribute.</p>
-<p id="rfc.section.2.5.2.11.p.3">proposal_to_delete is a JSON boolean and it MUST be present. If proposal_to_delete is set to true, old_id MUST NOT be 0.</p>
-<h1 id="rfc.section.2.5.2.12">
-<a href="#rfc.section.2.5.2.12">2.5.2.12.</a> <a href="#deleted-1" id="deleted-1">deleted</a>
-</h1>
-<p id="rfc.section.2.5.2.12.p.1">deleted represents a setting that allows shadow attributes to be revoked. Revoked shadow attributes only serve to inform other instances that the shadow attribute is no longer active.</p>
-<p id="rfc.section.2.5.2.12.p.2">deleted is represented by a JSON boolean. deleted SHOULD be present.</p>
-<h1 id="rfc.section.2.5.2.13">
-<a href="#rfc.section.2.5.2.13">2.5.2.13.</a> <a href="#data-1" id="data-1">data</a>
-</h1>
-<p id="rfc.section.2.5.2.13.p.1">data contains the base64 encoded contents of an attachment or a malware sample. For malware samples, the sample MUST be encrypted using a password protected zip archive, with the password being "infected".</p>
-<p id="rfc.section.2.5.2.13.p.2">data is represented by a JSON string in base64 encoding. data MUST be set for shadow attributes of type malware-sample and attachment.</p>
-<h1 id="rfc.section.2.5.2.14">
-<a href="#rfc.section.2.5.2.14">2.5.2.14.</a> <a href="#first-seen-1" id="first-seen-1">first_seen</a>
-</h1>
-<p id="rfc.section.2.5.2.14.p.1">first<em>seen represents a reference time when the attribute was first seen. first</em>seen as an ISO 8601 datetime up to the micro-second with time zone support.</p>
-<p id="rfc.section.2.5.2.14.p.2">first<em>seen is represented as a JSON string. first</em>seen MAY be present.</p>
-<h1 id="rfc.section.2.5.2.15">
-<a href="#rfc.section.2.5.2.15">2.5.2.15.</a> <a href="#last-seen-1" id="last-seen-1">last_seen</a>
-</h1>
-<p id="rfc.section.2.5.2.15.p.1">last<em>seen represents a reference time when the attribute was last seen. last</em>seen as an ISO 8601 datetime up to the micro-second with time zone support.</p>
-<p id="rfc.section.2.5.2.15.p.2">last<em>seen is represented as a JSON string. last</em>seen MAY be present.</p>
-<h1 id="rfc.section.2.5.3">
-<a href="#rfc.section.2.5.3">2.5.3.</a> <a href="#org-1" id="org-1">Org</a>
-</h1>
-<p id="rfc.section.2.5.3.p.1">An Org object is composed of an uuid, name and id.</p>
-<p id="rfc.section.2.5.3.p.2">The uuid represents the Universally Unique IDentifier (UUID) <a href="#RFC4122" class="xref">[RFC4122]</a> of the organization.  The organization UUID is globally assigned to an organization and SHALL be kept overtime.</p>
-<p id="rfc.section.2.5.3.p.3">The name is a readable description of the organization and SHOULD be present.  The id is a human-readable identifier generated by the instance and used as reference in the event.  A human-readable identifier MUST be represented as an unsigned integer.</p>
-<p id="rfc.section.2.5.3.p.4">uuid, name and id are represented as a JSON string. uuid, name and id MUST be present.</p>
-<h1 id="rfc.section.2.5.3.1">
-<a href="#rfc.section.2.5.3.1">2.5.3.1.</a> <a href="#sample-org-object-1" id="sample-org-object-1">Sample Org Object</a>
-</h1>
+<p id="section-2.5.2.3-4">Attributes are based on the usage within their different communities. Attributes can be extended on a regular basis and this reference document is updated accordingly.<a href="#section-2.5.2.3-4" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="category-1">
+<section id="section-2.5.2.4">
+            <h5 id="name-category-2">
+<a href="#section-2.5.2.4" class="section-number selfRef">2.5.2.4. </a><a href="#name-category-2" class="section-name selfRef">category</a>
+            </h5>
+<p id="section-2.5.2.4-1">category represents the intent of what the attribute is describing as selected by the attribute creator, using a list of pre-defined attribute categories.<a href="#section-2.5.2.4-1" class="pilcrow">¶</a></p>
+<p id="section-2.5.2.4-2">category is represented as a JSON string. category <span class="bcp14">MUST</span> be present and it <span class="bcp14">MUST</span> be a valid selection for the chosen type. The list of valid category-type combinations is mentioned above.<a href="#section-2.5.2.4-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="to-ids-1">
+<section id="section-2.5.2.5">
+            <h5 id="name-to_ids-2">
+<a href="#section-2.5.2.5" class="section-number selfRef">2.5.2.5. </a><a href="#name-to_ids-2" class="section-name selfRef">to_ids</a>
+            </h5>
+<p id="section-2.5.2.5-1">to_ids represents whether the Attribute to be created if the ShadowAttribute is accepted is meant to be actionable. Actionable defined attributes that can be used in automated processes as a pattern for detection in Local or Network Intrusion Detection System, log analysis tools or even filtering mechanisms.<a href="#section-2.5.2.5-1" class="pilcrow">¶</a></p>
+<p id="section-2.5.2.5-2">to_ids is represented as a JSON boolean. to_ids <span class="bcp14">MUST</span> be present.<a href="#section-2.5.2.5-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="event-id-1">
+<section id="section-2.5.2.6">
+            <h5 id="name-event_id-2">
+<a href="#section-2.5.2.6" class="section-number selfRef">2.5.2.6. </a><a href="#name-event_id-2" class="section-name selfRef">event_id</a>
+            </h5>
+<p id="section-2.5.2.6-1">event_id represents a human-readable identifier referencing the Event object that the ShadowAttribute belongs to.<a href="#section-2.5.2.6-1" class="pilcrow">¶</a></p>
+<p id="section-2.5.2.6-2">The event_id <span class="bcp14">SHOULD</span> be updated when the event is imported to reflect the newly created event's id on the instance.<a href="#section-2.5.2.6-2" class="pilcrow">¶</a></p>
+<p id="section-2.5.2.6-3">event_id is represented as a JSON string. event_id <span class="bcp14">MUST</span> be present.<a href="#section-2.5.2.6-3" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="old-id">
+<section id="section-2.5.2.7">
+            <h5 id="name-old_id">
+<a href="#section-2.5.2.7" class="section-number selfRef">2.5.2.7. </a><a href="#name-old_id" class="section-name selfRef">old_id</a>
+            </h5>
+<p id="section-2.5.2.7-1">old_id represents a human-readable identifier referencing the Attribute object that the ShadowAttribute belongs to. A ShadowAttribute can this way target an existing Attribute, implying that it is a proposal to modify an existing Attribute, or alternatively it can be a proposal to create a new Attribute for the containing Event.<a href="#section-2.5.2.7-1" class="pilcrow">¶</a></p>
+<p id="section-2.5.2.7-2">The old_id <span class="bcp14">SHOULD</span> be updated when the event is imported to reflect the newly created Attribute's id on the instance. Alternatively, if the ShadowAttribute proposes the creation of a new Attribute, it should be set to 0.<a href="#section-2.5.2.7-2" class="pilcrow">¶</a></p>
+<p id="section-2.5.2.7-3">old_id is represented as a JSON string. old_id <span class="bcp14">MUST</span> be present.<a href="#section-2.5.2.7-3" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="timestamp-2">
+<section id="section-2.5.2.8">
+            <h5 id="name-timestamp-3">
+<a href="#section-2.5.2.8" class="section-number selfRef">2.5.2.8. </a><a href="#name-timestamp-3" class="section-name selfRef">timestamp</a>
+            </h5>
+<p id="section-2.5.2.8-1">timestamp represents a reference time when the attribute was created or last modified. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone <span class="bcp14">MUST</span> be UTC.<a href="#section-2.5.2.8-1" class="pilcrow">¶</a></p>
+<p id="section-2.5.2.8-2">timestamp is represented as a JSON string. timestamp <span class="bcp14">MUST</span> be present.<a href="#section-2.5.2.8-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="comment-1">
+<section id="section-2.5.2.9">
+            <h5 id="name-comment-2">
+<a href="#section-2.5.2.9" class="section-number selfRef">2.5.2.9. </a><a href="#name-comment-2" class="section-name selfRef">comment</a>
+            </h5>
+<p id="section-2.5.2.9-1">comment is a contextual comment field.<a href="#section-2.5.2.9-1" class="pilcrow">¶</a></p>
+<p id="section-2.5.2.9-2">comment is represented by a JSON string. comment <span class="bcp14">MAY</span> be present.<a href="#section-2.5.2.9-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="org-id-1">
+<section id="section-2.5.2.10">
+            <h5 id="name-org_id-2">
+<a href="#section-2.5.2.10" class="section-number selfRef">2.5.2.10. </a><a href="#name-org_id-2" class="section-name selfRef">org_id</a>
+            </h5>
+<p id="section-2.5.2.10-1">org_id represents a human-readable identifier referencing the proposal creator's Organisation object. A human-readable identifier <span class="bcp14">MUST</span> be represented as an unsigned integer.<a href="#section-2.5.2.10-1" class="pilcrow">¶</a></p>
+<p id="section-2.5.2.10-2">Whilst attributes can only be created by the event creator organisation, shadow attributes can be created by third parties. org_id tracks the creator organisation.<a href="#section-2.5.2.10-2" class="pilcrow">¶</a></p>
+<p id="section-2.5.2.10-3">org_id is represented by a JSON string and <span class="bcp14">MUST</span> be present.<a href="#section-2.5.2.10-3" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="proposal-to-delete">
+<section id="section-2.5.2.11">
+            <h5 id="name-proposal_to_delete">
+<a href="#section-2.5.2.11" class="section-number selfRef">2.5.2.11. </a><a href="#name-proposal_to_delete" class="section-name selfRef">proposal_to_delete</a>
+            </h5>
+<p id="section-2.5.2.11-1">proposal_to_delete is a boolean flag that sets whether the shadow attribute proposes to alter an attribute, or whether it proposes to remove it completely.<a href="#section-2.5.2.11-1" class="pilcrow">¶</a></p>
+<p id="section-2.5.2.11-2">Accepting a shadow attribute with this flag set will remove the target attribute.<a href="#section-2.5.2.11-2" class="pilcrow">¶</a></p>
+<p id="section-2.5.2.11-3">proposal_to_delete is a JSON boolean and it <span class="bcp14">MUST</span> be present. If proposal_to_delete is set to true, old_id <span class="bcp14">MUST NOT</span> be 0.<a href="#section-2.5.2.11-3" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="deleted-1">
+<section id="section-2.5.2.12">
+            <h5 id="name-deleted-2">
+<a href="#section-2.5.2.12" class="section-number selfRef">2.5.2.12. </a><a href="#name-deleted-2" class="section-name selfRef">deleted</a>
+            </h5>
+<p id="section-2.5.2.12-1">deleted represents a setting that allows shadow attributes to be revoked. Revoked shadow attributes only serve to inform other instances that the shadow attribute is no longer active.<a href="#section-2.5.2.12-1" class="pilcrow">¶</a></p>
+<p id="section-2.5.2.12-2">deleted is represented by a JSON boolean. deleted <span class="bcp14">SHOULD</span> be present.<a href="#section-2.5.2.12-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="data-1">
+<section id="section-2.5.2.13">
+            <h5 id="name-data-2">
+<a href="#section-2.5.2.13" class="section-number selfRef">2.5.2.13. </a><a href="#name-data-2" class="section-name selfRef">data</a>
+            </h5>
+<p id="section-2.5.2.13-1">data contains the base64 encoded contents of an attachment or a malware sample. For malware samples,
+the sample <span class="bcp14">MUST</span> be encrypted using a password protected zip archive, with the password being "infected".<a href="#section-2.5.2.13-1" class="pilcrow">¶</a></p>
+<p id="section-2.5.2.13-2">data is represented by a JSON string in base64 encoding. data <span class="bcp14">MUST</span> be set for shadow attributes of type malware-sample and attachment.<a href="#section-2.5.2.13-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="first-seen-1">
+<section id="section-2.5.2.14">
+            <h5 id="name-first_seen-2">
+<a href="#section-2.5.2.14" class="section-number selfRef">2.5.2.14. </a><a href="#name-first_seen-2" class="section-name selfRef">first_seen</a>
+            </h5>
+<p id="section-2.5.2.14-1">first<em>seen represents a reference time when the attribute was first seen. first</em>seen as an ISO 8601 datetime up to the micro-second with time zone support.<a href="#section-2.5.2.14-1" class="pilcrow">¶</a></p>
+<p id="section-2.5.2.14-2">first<em>seen is represented as a JSON string. first</em>seen <span class="bcp14">MAY</span> be present.<a href="#section-2.5.2.14-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="last-seen-1">
+<section id="section-2.5.2.15">
+            <h5 id="name-last_seen-2">
+<a href="#section-2.5.2.15" class="section-number selfRef">2.5.2.15. </a><a href="#name-last_seen-2" class="section-name selfRef">last_seen</a>
+            </h5>
+<p id="section-2.5.2.15-1">last<em>seen represents a reference time when the attribute was last seen. last</em>seen as an ISO 8601 datetime up to the micro-second with time zone support.<a href="#section-2.5.2.15-1" class="pilcrow">¶</a></p>
+<p id="section-2.5.2.15-2">last<em>seen is represented as a JSON string. last</em>seen <span class="bcp14">MAY</span> be present.<a href="#section-2.5.2.15-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+</section>
+</div>
+<div id="org-1">
+<section id="section-2.5.3">
+          <h4 id="name-org-2">
+<a href="#section-2.5.3" class="section-number selfRef">2.5.3. </a><a href="#name-org-2" class="section-name selfRef">Org</a>
+          </h4>
+<p id="section-2.5.3-1">An Org object is composed of an uuid, name and id.<a href="#section-2.5.3-1" class="pilcrow">¶</a></p>
+<p id="section-2.5.3-2">The uuid represents the Universally Unique IDentifier (UUID) <span>[<a href="#RFC4122" class="xref">RFC4122</a>]</span> of the organization.
+The organization UUID is globally assigned to an organization and <span class="bcp14">SHALL</span> be kept overtime.<a href="#section-2.5.3-2" class="pilcrow">¶</a></p>
+<p id="section-2.5.3-3">The name is a readable description of the organization and <span class="bcp14">SHOULD</span> be present.
+The id is a human-readable identifier generated by the instance and used as reference in the event.
+A human-readable identifier <span class="bcp14">MUST</span> be represented as an unsigned integer.<a href="#section-2.5.3-3" class="pilcrow">¶</a></p>
+<p id="section-2.5.3-4">uuid, name and id are represented as a JSON string. uuid, name and id <span class="bcp14">MUST</span> be present.<a href="#section-2.5.3-4" class="pilcrow">¶</a></p>
+<div id="sample-org-object-1">
+<section id="section-2.5.3.1">
+            <h5 id="name-sample-org-object-2">
+<a href="#section-2.5.3.1" class="section-number selfRef">2.5.3.1. </a><a href="#name-sample-org-object-2" class="section-name selfRef">Sample Org Object</a>
+            </h5>
+<div class="artwork art-text alignLeft" id="section-2.5.3.1-1">
 <pre>"Org": {
         "id": "2",
         "name": "CIRCL",
         "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
        }
-</pre>
-<h1 id="rfc.section.2.5.3.2">
-<a href="#rfc.section.2.5.3.2">2.5.3.2.</a> <a href="#value-1" id="value-1">value</a>
-</h1>
-<p id="rfc.section.2.5.3.2.p.1">value represents the payload of an attribute. The format of the value is dependent on the type of the attribute.</p>
-<p id="rfc.section.2.5.3.2.p.2">value is represented by a JSON string. value MUST be present.</p>
-<h1 id="rfc.section.2.6">
-<a href="#rfc.section.2.6">2.6.</a> <a href="#object" id="object">Object</a>
-</h1>
-<p id="rfc.section.2.6.p.1">Objects serve as a contextual bond between a list of attributes within an event. Their main purpose is to describe more complex structures than can be described by a single attribute Each object is created using an Object Template and carries the meta-data of the template used for its creation within. Objects belong to a meta-category and are defined by a name.</p>
-<p id="rfc.section.2.6.p.2">The schema used is described by the template<em>uuid and template</em>version fields.</p>
-<p id="rfc.section.2.6.p.3">A MISP document containing an Object MUST contain a name, a meta-category, a description, a template<em>uuid and a template</em>version as described in the "Object Attributes" section.</p>
-<h1 id="rfc.section.2.6.1">
-<a href="#rfc.section.2.6.1">2.6.1.</a> <a href="#sample-object" id="sample-object">Sample Object</a>
-</h1>
-<div id="rfc.figure.1"></div>
-<div id="fig-sample-object"></div>
+</pre><a href="#section-2.5.3.1-1" class="pilcrow">¶</a>
+</div>
+</section>
+</div>
+<div id="value-1">
+<section id="section-2.5.3.2">
+            <h5 id="name-value-2">
+<a href="#section-2.5.3.2" class="section-number selfRef">2.5.3.2. </a><a href="#name-value-2" class="section-name selfRef">value</a>
+            </h5>
+<p id="section-2.5.3.2-1">value represents the payload of an attribute. The format of the value is dependent on the type of the attribute.<a href="#section-2.5.3.2-1" class="pilcrow">¶</a></p>
+<p id="section-2.5.3.2-2">value is represented by a JSON string. value <span class="bcp14">MUST</span> be present.<a href="#section-2.5.3.2-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+</section>
+</div>
+</section>
+</div>
+<div id="object">
+<section id="section-2.6">
+        <h3 id="name-object">
+<a href="#section-2.6" class="section-number selfRef">2.6. </a><a href="#name-object" class="section-name selfRef">Object</a>
+        </h3>
+<p id="section-2.6-1">Objects serve as a contextual bond between a list of attributes within an event. Their main purpose is to describe more complex structures than can be described by a single attribute
+Each object is created using an Object Template and carries the meta-data of the template used for its creation within. Objects belong to a meta-category and are defined by a name.<a href="#section-2.6-1" class="pilcrow">¶</a></p>
+<p id="section-2.6-2">The schema used is described by the template<em>uuid and template</em>version fields.<a href="#section-2.6-2" class="pilcrow">¶</a></p>
+<p id="section-2.6-3">A MISP document containing an Object <span class="bcp14">MUST</span> contain a name, a meta-category, a description, a template<em>uuid and a template</em>version as described in the "Object Attributes" section.<a href="#section-2.6-3" class="pilcrow">¶</a></p>
+<div id="sample-object">
+<section id="section-2.6.1">
+          <h4 id="name-sample-object">
+<a href="#section-2.6.1" class="section-number selfRef">2.6.1. </a><a href="#name-sample-object" class="section-name selfRef">Sample Object</a>
+          </h4>
+<div id="fig-sample-object">
+<div class="artwork art-text alignLeft" id="section-2.6.1-1">
 <pre>"Object": {
    "id": "588",
    "name": "file",
@@ -1203,119 +2404,204 @@
      "last_seen": null
    ]
 }
-</pre>
-<p class="figure">Figure 1</p>
-<h1 id="rfc.section.2.6.2">
-<a href="#rfc.section.2.6.2">2.6.2.</a> <a href="#object-attributes" id="object-attributes">Object Attributes</a>
-</h1>
-<h1 id="rfc.section.2.6.2.1">
-<a href="#rfc.section.2.6.2.1">2.6.2.1.</a> <a href="#uuid-3" id="uuid-3">uuid</a>
-</h1>
-<p id="rfc.section.2.6.2.1.p.1">uuid represents the Universally Unique IDentifier (UUID) <a href="#RFC4122" class="xref">[RFC4122]</a> of the object. The uuid MUST be preserved for any updates or transfer of the same object. UUID version 4 is RECOMMENDED when assigning it to a new object.</p>
-<h1 id="rfc.section.2.6.2.2">
-<a href="#rfc.section.2.6.2.2">2.6.2.2.</a> <a href="#id-3" id="id-3">id</a>
-</h1>
-<p id="rfc.section.2.6.2.2.p.1">id represents the human-readable identifier associated to the object for a specific MISP instance. A human-readable identifier MUST be represented as an unsigned integer.</p>
-<p id="rfc.section.2.6.2.2.p.2">id is represented as a JSON string. id SHALL be present.</p>
-<h1 id="rfc.section.2.6.2.3">
-<a href="#rfc.section.2.6.2.3">2.6.2.3.</a> <a href="#name" id="name">name</a>
-</h1>
-<p id="rfc.section.2.6.2.3.p.1">name represents the human-readable name of the object describing the intent of the object package.</p>
-<p id="rfc.section.2.6.2.3.p.2">name is represented as a JSON string. name MUST be present</p>
-<h1 id="rfc.section.2.6.2.4">
-<a href="#rfc.section.2.6.2.4">2.6.2.4.</a> <a href="#meta-category" id="meta-category">meta-category</a>
-</h1>
-<p id="rfc.section.2.6.2.4.p.1">meta-category represents the sub-category of objects that the given object belongs to. meta-categories are not tied to a fixed list of options but can be created on the fly.</p>
-<p id="rfc.section.2.6.2.4.p.2">meta-category is represented as a JSON string. meta-category MUST be present</p>
-<h1 id="rfc.section.2.6.2.5">
-<a href="#rfc.section.2.6.2.5">2.6.2.5.</a> <a href="#description" id="description">description</a>
-</h1>
-<p id="rfc.section.2.6.2.5.p.1">description is a human-readable description of the given object type, as derived from the template used for creation.</p>
-<p id="rfc.section.2.6.2.5.p.2">description is represented as a JSON string. id SHALL be present.</p>
-<h1 id="rfc.section.2.6.2.6">
-<a href="#rfc.section.2.6.2.6">2.6.2.6.</a> <a href="#template-uuid" id="template-uuid">template_uuid</a>
-</h1>
-<p id="rfc.section.2.6.2.6.p.1">uuid represents the Universally Unique IDentifier (UUID) <a href="#RFC4122" class="xref">[RFC4122]</a> of the template used to create the object. The uuid MUST be preserved to preserve the object's association with the correct template used for creation. UUID version 4 is RECOMMENDED when assigning it to a new object.</p>
-<h1 id="rfc.section.2.6.2.7">
-<a href="#rfc.section.2.6.2.7">2.6.2.7.</a> <a href="#template-version" id="template-version">template_version</a>
-</h1>
-<p id="rfc.section.2.6.2.7.p.1">template<em>version represents a numeric incrementing version of the template used to create the object. It is used to associate the object to the correct version of the template and together with the template</em>uuid forms an association to the correct template type and version.</p>
-<p id="rfc.section.2.6.2.7.p.2">version is represented as a JSON string. version MUST be present.</p>
-<h1 id="rfc.section.2.6.2.8">
-<a href="#rfc.section.2.6.2.8">2.6.2.8.</a> <a href="#event-id-2" id="event-id-2">event_id</a>
-</h1>
-<p id="rfc.section.2.6.2.8.p.1">event_id represents the human-readable identifier of the event that the object belongs to on a specific MISP instance. A human-readable identifier MUST be represented as an unsigned integer.</p>
-<p id="rfc.section.2.6.2.8.p.2">event<em>id is represented as a JSON string. event</em>id SHALL be present.</p>
-<h1 id="rfc.section.2.6.2.9">
-<a href="#rfc.section.2.6.2.9">2.6.2.9.</a> <a href="#timestamp-3" id="timestamp-3">timestamp</a>
-</h1>
-<p id="rfc.section.2.6.2.9.p.1">timestamp represents a reference time when the object was created or last modified. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone MUST be UTC.</p>
-<p id="rfc.section.2.6.2.9.p.2">timestamp is represented as a JSON string. timestamp MUST be present.</p>
-<h1 id="rfc.section.2.6.2.10">
-<a href="#rfc.section.2.6.2.10">2.6.2.10.</a> <a href="#distribution-2" id="distribution-2">distribution</a>
-</h1>
-<p id="rfc.section.2.6.2.10.p.1">distribution represents the basic distribution rules of the object. The system must adhere to the distribution setting for access control and for dissemination of the object.</p>
-<p id="rfc.section.2.6.2.10.p.2">distribution is represented by a JSON string. distribution MUST be present and be one of the following options:</p>
-<p></p>
-
-<dl>
-<dt>0</dt>
-<dd style="margin-left: 8">
-<br>Your Organisation Only</dd>
-<dt>1</dt>
-<dd style="margin-left: 8">
-<br>This Community Only</dd>
-<dt>2</dt>
-<dd style="margin-left: 8">
-<br>Connected Communities</dd>
-<dt>3</dt>
-<dd style="margin-left: 8">
-<br>All Communities</dd>
-<dt>4</dt>
-<dd style="margin-left: 8">
-<br>Sharing Group</dd>
+</pre><a href="#section-2.6.1-1" class="pilcrow">¶</a>
+</div>
+</div>
+</section>
+</div>
+<div id="object-attributes">
+<section id="section-2.6.2">
+          <h4 id="name-object-attributes">
+<a href="#section-2.6.2" class="section-number selfRef">2.6.2. </a><a href="#name-object-attributes" class="section-name selfRef">Object Attributes</a>
+          </h4>
+<div id="uuid-3">
+<section id="section-2.6.2.1">
+            <h5 id="name-uuid-4">
+<a href="#section-2.6.2.1" class="section-number selfRef">2.6.2.1. </a><a href="#name-uuid-4" class="section-name selfRef">uuid</a>
+            </h5>
+<p id="section-2.6.2.1-1">uuid represents the Universally Unique IDentifier (UUID) <span>[<a href="#RFC4122" class="xref">RFC4122</a>]</span> of the object. The uuid <span class="bcp14">MUST</span> be preserved
+for any updates or transfer of the same object. UUID version 4 is <span class="bcp14">RECOMMENDED</span> when assigning it to a new object.<a href="#section-2.6.2.1-1" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="id-3">
+<section id="section-2.6.2.2">
+            <h5 id="name-id-4">
+<a href="#section-2.6.2.2" class="section-number selfRef">2.6.2.2. </a><a href="#name-id-4" class="section-name selfRef">id</a>
+            </h5>
+<p id="section-2.6.2.2-1">id represents the human-readable identifier associated to the object for a specific MISP instance. A human-readable identifier <span class="bcp14">MUST</span> be
+represented as an unsigned integer.<a href="#section-2.6.2.2-1" class="pilcrow">¶</a></p>
+<p id="section-2.6.2.2-2">id is represented as a JSON string. id <span class="bcp14">SHALL</span> be present.<a href="#section-2.6.2.2-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="name">
+<section id="section-2.6.2.3">
+            <h5 id="name-name">
+<a href="#section-2.6.2.3" class="section-number selfRef">2.6.2.3. </a><a href="#name-name" class="section-name selfRef">name</a>
+            </h5>
+<p id="section-2.6.2.3-1">name represents the human-readable name of the object describing the intent of the object package.<a href="#section-2.6.2.3-1" class="pilcrow">¶</a></p>
+<p id="section-2.6.2.3-2">name is represented as a JSON string. name <span class="bcp14">MUST</span> be present<a href="#section-2.6.2.3-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="meta-category">
+<section id="section-2.6.2.4">
+            <h5 id="name-meta-category">
+<a href="#section-2.6.2.4" class="section-number selfRef">2.6.2.4. </a><a href="#name-meta-category" class="section-name selfRef">meta-category</a>
+            </h5>
+<p id="section-2.6.2.4-1">meta-category represents the sub-category of objects that the given object belongs to. meta-categories are not
+tied to a fixed list of options but can be created on the fly.<a href="#section-2.6.2.4-1" class="pilcrow">¶</a></p>
+<p id="section-2.6.2.4-2">meta-category is represented as a JSON string. meta-category <span class="bcp14">MUST</span> be present<a href="#section-2.6.2.4-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="description">
+<section id="section-2.6.2.5">
+            <h5 id="name-description">
+<a href="#section-2.6.2.5" class="section-number selfRef">2.6.2.5. </a><a href="#name-description" class="section-name selfRef">description</a>
+            </h5>
+<p id="section-2.6.2.5-1">description is a human-readable description of the given object type, as derived from the template used for creation.<a href="#section-2.6.2.5-1" class="pilcrow">¶</a></p>
+<p id="section-2.6.2.5-2">description is represented as a JSON string. id <span class="bcp14">SHALL</span> be present.<a href="#section-2.6.2.5-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="template-uuid">
+<section id="section-2.6.2.6">
+            <h5 id="name-template_uuid">
+<a href="#section-2.6.2.6" class="section-number selfRef">2.6.2.6. </a><a href="#name-template_uuid" class="section-name selfRef">template_uuid</a>
+            </h5>
+<p id="section-2.6.2.6-1">uuid represents the Universally Unique IDentifier (UUID) <span>[<a href="#RFC4122" class="xref">RFC4122</a>]</span> of the template used to create the object. The uuid <span class="bcp14">MUST</span> be preserved
+to preserve the object's association with the correct template used for creation. UUID version 4 is <span class="bcp14">RECOMMENDED</span> when assigning it to a new object.<a href="#section-2.6.2.6-1" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="template-version">
+<section id="section-2.6.2.7">
+            <h5 id="name-template_version">
+<a href="#section-2.6.2.7" class="section-number selfRef">2.6.2.7. </a><a href="#name-template_version" class="section-name selfRef">template_version</a>
+            </h5>
+<p id="section-2.6.2.7-1">template<em>version represents a numeric incrementing version of the template used to create the object. It is used to associate the object to the
+correct version of the template and together with the template</em>uuid forms an association to the correct template type and version.<a href="#section-2.6.2.7-1" class="pilcrow">¶</a></p>
+<p id="section-2.6.2.7-2">version is represented as a JSON string. version <span class="bcp14">MUST</span> be present.<a href="#section-2.6.2.7-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="event-id-2">
+<section id="section-2.6.2.8">
+            <h5 id="name-event_id-3">
+<a href="#section-2.6.2.8" class="section-number selfRef">2.6.2.8. </a><a href="#name-event_id-3" class="section-name selfRef">event_id</a>
+            </h5>
+<p id="section-2.6.2.8-1">event_id represents the human-readable identifier of the event that the object belongs to on a specific MISP instance. A human-readable identifier <span class="bcp14">MUST</span> be
+represented as an unsigned integer.<a href="#section-2.6.2.8-1" class="pilcrow">¶</a></p>
+<p id="section-2.6.2.8-2">event<em>id is represented as a JSON string. event</em>id <span class="bcp14">SHALL</span> be present.<a href="#section-2.6.2.8-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="timestamp-3">
+<section id="section-2.6.2.9">
+            <h5 id="name-timestamp-4">
+<a href="#section-2.6.2.9" class="section-number selfRef">2.6.2.9. </a><a href="#name-timestamp-4" class="section-name selfRef">timestamp</a>
+            </h5>
+<p id="section-2.6.2.9-1">timestamp represents a reference time when the object was created or last modified. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone <span class="bcp14">MUST</span> be UTC.<a href="#section-2.6.2.9-1" class="pilcrow">¶</a></p>
+<p id="section-2.6.2.9-2">timestamp is represented as a JSON string. timestamp <span class="bcp14">MUST</span> be present.<a href="#section-2.6.2.9-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="distribution-2">
+<section id="section-2.6.2.10">
+            <h5 id="name-distribution-3">
+<a href="#section-2.6.2.10" class="section-number selfRef">2.6.2.10. </a><a href="#name-distribution-3" class="section-name selfRef">distribution</a>
+            </h5>
+<p id="section-2.6.2.10-1">distribution represents the basic distribution rules of the object. The system must adhere to the distribution setting for access control and for dissemination of the object.<a href="#section-2.6.2.10-1" class="pilcrow">¶</a></p>
+<p id="section-2.6.2.10-2">distribution is represented by a JSON string. distribution <span class="bcp14">MUST</span> be present and be one of the following options:<a href="#section-2.6.2.10-2" class="pilcrow">¶</a></p>
+<span class="break"></span><dl class="dlParallel" id="section-2.6.2.10-3">
+              <dt id="section-2.6.2.10-3.1">0</dt>
+              <dd style="margin-left: 1.5em" id="section-2.6.2.10-3.2">Your Organisation Only<a href="#section-2.6.2.10-3.2" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.6.2.10-3.3">1</dt>
+              <dd style="margin-left: 1.5em" id="section-2.6.2.10-3.4">This Community Only<a href="#section-2.6.2.10-3.4" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.6.2.10-3.5">2</dt>
+              <dd style="margin-left: 1.5em" id="section-2.6.2.10-3.6">Connected Communities<a href="#section-2.6.2.10-3.6" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.6.2.10-3.7">3</dt>
+              <dd style="margin-left: 1.5em" id="section-2.6.2.10-3.8">All Communities<a href="#section-2.6.2.10-3.8" class="pilcrow">¶</a>
+</dd>
+              <dd class="break"></dd>
+<dt id="section-2.6.2.10-3.9">4</dt>
+              <dd style="margin-left: 1.5em" id="section-2.6.2.10-3.10">Sharing Group<a href="#section-2.6.2.10-3.10" class="pilcrow">¶</a>
+</dd>
+            <dd class="break"></dd>
 </dl>
-
-<p> </p>
-<h1 id="rfc.section.2.6.2.11">
-<a href="#rfc.section.2.6.2.11">2.6.2.11.</a> <a href="#sharing-group-id-2" id="sharing-group-id-2">sharing_group_id</a>
-</h1>
-<p id="rfc.section.2.6.2.11.p.1">sharing_group_id represents a human-readable identifier referencing a Sharing Group object that defines the distribution of the object, if distribution level "4" is set. A human-readable identifier MUST be represented as an unsigned integer.</p>
-<p id="rfc.section.2.6.2.11.p.2">sharing_group_id is represented by a JSON string and SHOULD be present. If a distribution level other than "4" is chosen the sharing_group_id MUST be set to "0".</p>
-<h1 id="rfc.section.2.6.2.12">
-<a href="#rfc.section.2.6.2.12">2.6.2.12.</a> <a href="#comment-2" id="comment-2">comment</a>
-</h1>
-<p id="rfc.section.2.6.2.12.p.1">comment is a contextual comment field.</p>
-<p id="rfc.section.2.6.2.12.p.2">comment is represented by a JSON string. comment MAY be present.</p>
-<h1 id="rfc.section.2.6.2.13">
-<a href="#rfc.section.2.6.2.13">2.6.2.13.</a> <a href="#deleted-2" id="deleted-2">deleted</a>
-</h1>
-<p id="rfc.section.2.6.2.13.p.1">deleted represents a setting that allows attributes to be revoked. Revoked attributes are not actionable and exist merely to inform other instances of a revocation.</p>
-<p id="rfc.section.2.6.2.13.p.2">deleted is represented by a JSON boolean. deleted MUST be present.</p>
-<h1 id="rfc.section.2.6.2.14">
-<a href="#rfc.section.2.6.2.14">2.6.2.14.</a> <a href="#attribute-1" id="attribute-1">Attribute</a>
-</h1>
-<p id="rfc.section.2.6.2.14.p.1">Attribute is an array of attributes that describe the object with data.</p>
-<p id="rfc.section.2.6.2.14.p.2">Each attribute in an object MUST contain the parent event's ID in the event<em>id field and the parent object's ID in the object</em>id field.</p>
-<h1 id="rfc.section.2.6.2.15">
-<a href="#rfc.section.2.6.2.15">2.6.2.15.</a> <a href="#first-seen-2" id="first-seen-2">first_seen</a>
-</h1>
-<p id="rfc.section.2.6.2.15.p.1">first<em>seen represents a reference time when the object was first seen. first</em>seen as an ISO 8601 datetime up to the micro-second with time zone support.</p>
-<p id="rfc.section.2.6.2.15.p.2">first<em>seen is represented as a JSON string. first</em>seen MAY be present.</p>
-<h1 id="rfc.section.2.6.2.16">
-<a href="#rfc.section.2.6.2.16">2.6.2.16.</a> <a href="#last-seen-2" id="last-seen-2">last_seen</a>
-</h1>
-<p id="rfc.section.2.6.2.16.p.1">last<em>seen represents a reference time when the object was last seen. last</em>seen as an ISO 8601 datetime up to the micro-second with time zone support.</p>
-<p id="rfc.section.2.6.2.16.p.2">last<em>seen is represented as a JSON string. last</em>seen MAY be present.</p>
-<h1 id="rfc.section.2.7">
-<a href="#rfc.section.2.7">2.7.</a> <a href="#object-references" id="object-references">Object References</a>
-</h1>
-<p id="rfc.section.2.7.p.1">Object References serve as a logical link between an Object and another referenced Object or Attribute. The relationship is categorised by an enumerated value from a fixed vocabulary.</p>
-<p id="rfc.section.2.7.p.2">The relationship_type is recommended to be taken from the MISP object relationship list [<a href="#MISP-R" class="xref">[MISP-R]</a>] is RECOMMENDED to ensure a coherent naming of the tags</p>
-<p id="rfc.section.2.7.p.3">All Object References MUST contain an object_uuid, a referenced_uuid and a relationship type.</p>
-<h1 id="rfc.section.2.7.1">
-<a href="#rfc.section.2.7.1">2.7.1.</a> <a href="#sample-objectreference-object" id="sample-objectreference-object">Sample ObjectReference object</a>
-</h1>
+</section>
+</div>
+<div id="sharing-group-id-2">
+<section id="section-2.6.2.11">
+            <h5 id="name-sharing_group_id-3">
+<a href="#section-2.6.2.11" class="section-number selfRef">2.6.2.11. </a><a href="#name-sharing_group_id-3" class="section-name selfRef">sharing_group_id</a>
+            </h5>
+<p id="section-2.6.2.11-1">sharing_group_id represents a human-readable identifier referencing a Sharing Group object that defines the distribution of the object, if distribution level "4" is set. A human-readable identifier <span class="bcp14">MUST</span> be represented as an unsigned integer.<a href="#section-2.6.2.11-1" class="pilcrow">¶</a></p>
+<p id="section-2.6.2.11-2">sharing_group_id is represented by a JSON string and <span class="bcp14">SHOULD</span> be present. If a distribution level other than "4" is chosen the sharing_group_id <span class="bcp14">MUST</span> be set to "0".<a href="#section-2.6.2.11-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="comment-2">
+<section id="section-2.6.2.12">
+            <h5 id="name-comment-3">
+<a href="#section-2.6.2.12" class="section-number selfRef">2.6.2.12. </a><a href="#name-comment-3" class="section-name selfRef">comment</a>
+            </h5>
+<p id="section-2.6.2.12-1">comment is a contextual comment field.<a href="#section-2.6.2.12-1" class="pilcrow">¶</a></p>
+<p id="section-2.6.2.12-2">comment is represented by a JSON string. comment <span class="bcp14">MAY</span> be present.<a href="#section-2.6.2.12-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="deleted-2">
+<section id="section-2.6.2.13">
+            <h5 id="name-deleted-3">
+<a href="#section-2.6.2.13" class="section-number selfRef">2.6.2.13. </a><a href="#name-deleted-3" class="section-name selfRef">deleted</a>
+            </h5>
+<p id="section-2.6.2.13-1">deleted represents a setting that allows attributes to be revoked. Revoked attributes are not actionable and exist merely to inform other instances of a revocation.<a href="#section-2.6.2.13-1" class="pilcrow">¶</a></p>
+<p id="section-2.6.2.13-2">deleted is represented by a JSON boolean. deleted <span class="bcp14">MUST</span> be present.<a href="#section-2.6.2.13-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="attribute-1">
+<section id="section-2.6.2.14">
+            <h5 id="name-attribute-2">
+<a href="#section-2.6.2.14" class="section-number selfRef">2.6.2.14. </a><a href="#name-attribute-2" class="section-name selfRef">Attribute</a>
+            </h5>
+<p id="section-2.6.2.14-1">Attribute is an array of attributes that describe the object with data.<a href="#section-2.6.2.14-1" class="pilcrow">¶</a></p>
+<p id="section-2.6.2.14-2">Each attribute in an object <span class="bcp14">MUST</span> contain the parent event's ID in the event<em>id field and the parent object's ID in the object</em>id field.<a href="#section-2.6.2.14-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="first-seen-2">
+<section id="section-2.6.2.15">
+            <h5 id="name-first_seen-3">
+<a href="#section-2.6.2.15" class="section-number selfRef">2.6.2.15. </a><a href="#name-first_seen-3" class="section-name selfRef">first_seen</a>
+            </h5>
+<p id="section-2.6.2.15-1">first<em>seen represents a reference time when the object was first seen. first</em>seen as an ISO 8601 datetime up to the micro-second with time zone support.<a href="#section-2.6.2.15-1" class="pilcrow">¶</a></p>
+<p id="section-2.6.2.15-2">first<em>seen is represented as a JSON string. first</em>seen <span class="bcp14">MAY</span> be present.<a href="#section-2.6.2.15-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="last-seen-2">
+<section id="section-2.6.2.16">
+            <h5 id="name-last_seen-3">
+<a href="#section-2.6.2.16" class="section-number selfRef">2.6.2.16. </a><a href="#name-last_seen-3" class="section-name selfRef">last_seen</a>
+            </h5>
+<p id="section-2.6.2.16-1">last<em>seen represents a reference time when the object was last seen. last</em>seen as an ISO 8601 datetime up to the micro-second with time zone support.<a href="#section-2.6.2.16-1" class="pilcrow">¶</a></p>
+<p id="section-2.6.2.16-2">last<em>seen is represented as a JSON string. last</em>seen <span class="bcp14">MAY</span> be present.<a href="#section-2.6.2.16-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+</section>
+</div>
+</section>
+</div>
+<div id="object-references">
+<section id="section-2.7">
+        <h3 id="name-object-references">
+<a href="#section-2.7" class="section-number selfRef">2.7. </a><a href="#name-object-references" class="section-name selfRef">Object References</a>
+        </h3>
+<p id="section-2.7-1">Object References serve as a logical link between an Object and another referenced Object or Attribute. The relationship is categorised by an enumerated value from a fixed vocabulary.<a href="#section-2.7-1" class="pilcrow">¶</a></p>
+<p id="section-2.7-2">The relationship_type is recommended to be taken from the MISP object relationship list [<span>[<a href="#MISP-R" class="xref">MISP-R</a>]</span>] is <span class="bcp14">RECOMMENDED</span> to ensure a coherent naming of the tags<a href="#section-2.7-2" class="pilcrow">¶</a></p>
+<p id="section-2.7-3">All Object References <span class="bcp14">MUST</span> contain an object_uuid, a referenced_uuid and a relationship type.<a href="#section-2.7-3" class="pilcrow">¶</a></p>
+<div id="sample-objectreference-object">
+<section id="section-2.7.1">
+          <h4 id="name-sample-objectreference-obje">
+<a href="#section-2.7.1" class="section-number selfRef">2.7.1. </a><a href="#name-sample-objectreference-obje" class="section-name selfRef">Sample ObjectReference object</a>
+          </h4>
+<div class="artwork art-text alignLeft" id="section-2.7.1-1">
 <pre>"ObjectReference": {
                     "id": "195",
                     "uuid": "59c21a2c-c0ac-4083-93b3-363da07724d1",
@@ -1330,232 +2616,371 @@
                     "object_uuid": "59c1134d-8a40-4c14-ad94-0f7ba07724d1",
                     "referenced_uuid": "59c1133c-9adc-4d06-a34b-0f7ca07724d1",
                    }
-</pre>
-<h1 id="rfc.section.2.7.2">
-<a href="#rfc.section.2.7.2">2.7.2.</a> <a href="#objectreference-attributes" id="objectreference-attributes">ObjectReference Attributes</a>
-</h1>
-<h1 id="rfc.section.2.7.2.1">
-<a href="#rfc.section.2.7.2.1">2.7.2.1.</a> <a href="#uuid-4" id="uuid-4">uuid</a>
-</h1>
-<p id="rfc.section.2.7.2.1.p.1">uuid represents the Universally Unique IDentifier (UUID) <a href="#RFC4122" class="xref">[RFC4122]</a> of the object reference. The uuid MUST be preserved for any updates or transfer of the same object reference. UUID version 4 is RECOMMENDED when assigning it to a new object reference.</p>
-<h1 id="rfc.section.2.7.2.2">
-<a href="#rfc.section.2.7.2.2">2.7.2.2.</a> <a href="#id-4" id="id-4">id</a>
-</h1>
-<p id="rfc.section.2.7.2.2.p.1">id represents the human-readable identifier associated to the object reference for a specific MISP instance.</p>
-<p id="rfc.section.2.7.2.2.p.2">id is represented as a JSON string. id SHALL be present.</p>
-<h1 id="rfc.section.2.7.2.3">
-<a href="#rfc.section.2.7.2.3">2.7.2.3.</a> <a href="#timestamp-4" id="timestamp-4">timestamp</a>
-</h1>
-<p id="rfc.section.2.7.2.3.p.1">timestamp represents a reference time when the object was created or last modified. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone MUST be UTC.</p>
-<p id="rfc.section.2.7.2.3.p.2">timestamp is represented as a JSON string. timestamp MUST be present.</p>
-<h1 id="rfc.section.2.7.2.4">
-<a href="#rfc.section.2.7.2.4">2.7.2.4.</a> <a href="#object-id" id="object-id">object_id</a>
-</h1>
-<p id="rfc.section.2.7.2.4.p.1">object_id represents the human-readable identifier of the object that the object reference belongs to on a specific MISP instance. A human-readable identifier MUST be represented as an unsigned integer.</p>
-<p id="rfc.section.2.7.2.4.p.2">event<em>id is represented as a JSON string. event</em>id SHALL be present.</p>
-<h1 id="rfc.section.2.7.2.5">
-<a href="#rfc.section.2.7.2.5">2.7.2.5.</a> <a href="#event-id-3" id="event-id-3">event_id</a>
-</h1>
-<p id="rfc.section.2.7.2.5.p.1">event_id represents the human-readable identifier of the event that the object reference belongs to on a specific MISP instance. A human-readable identifier MUST be represented as an unsigned integer.</p>
-<p id="rfc.section.2.7.2.5.p.2">event<em>id is represented as a JSON string. event</em>id SHALL be present.</p>
-<h1 id="rfc.section.2.7.2.6">
-<a href="#rfc.section.2.7.2.6">2.7.2.6.</a> <a href="#referenced-id" id="referenced-id">referenced_id</a>
-</h1>
-<p id="rfc.section.2.7.2.6.p.1">referenced_id represents the human-readable identifier of the object or attribute that the parent object  of the object reference points to on a specific MISP instance.</p>
-<p id="rfc.section.2.7.2.6.p.2">referenced<em>id is represented as a JSON string. referenced</em>id MAY be present.</p>
-<h1 id="rfc.section.2.7.2.7">
-<a href="#rfc.section.2.7.2.7">2.7.2.7.</a> <a href="#referenced-type" id="referenced-type">referenced_type</a>
-</h1>
-<p id="rfc.section.2.7.2.7.p.1">referenced_type represents the numeric value describing what the object reference points to, "0" representing an attribute and "1" representing an object</p>
-<p id="rfc.section.2.7.2.7.p.2">referenced<em>type is represented as a JSON string. referenced</em>type MAY be present.</p>
-<h1 id="rfc.section.2.7.2.8">
-<a href="#rfc.section.2.7.2.8">2.7.2.8.</a> <a href="#relationship-type" id="relationship-type">relationship_type</a>
-</h1>
-<p id="rfc.section.2.7.2.8.p.1">relationship<em>type represents the human-readable context of the relationship between an object and another object or attribute as described by the object</em>reference.</p>
-<p id="rfc.section.2.7.2.8.p.2">referenced<em>type is represented as a JSON string. relationship</em>type MUST be present.</p>
-<h1 id="rfc.section.2.7.2.9">
-<a href="#rfc.section.2.7.2.9">2.7.2.9.</a> <a href="#comment-3" id="comment-3">comment</a>
-</h1>
-<p id="rfc.section.2.7.2.9.p.1">comment is a contextual comment field.</p>
-<p id="rfc.section.2.7.2.9.p.2">comment is represented by a JSON string. comment MAY be present.</p>
-<h1 id="rfc.section.2.7.2.10">
-<a href="#rfc.section.2.7.2.10">2.7.2.10.</a> <a href="#deleted-3" id="deleted-3">deleted</a>
-</h1>
-<p id="rfc.section.2.7.2.10.p.1">deleted represents a setting that allows object references to be revoked. Revoked object references are not actionable and exist merely to inform other instances of a revocation.</p>
-<p id="rfc.section.2.7.2.10.p.2">deleted is represented by a JSON boolean. deleted MUST be present.</p>
-<h1 id="rfc.section.2.7.2.11">
-<a href="#rfc.section.2.7.2.11">2.7.2.11.</a> <a href="#object-uuid" id="object-uuid">object_uuid</a>
-</h1>
-<p id="rfc.section.2.7.2.11.p.1">object_uuid represents the Universally Unique IDentifier (UUID) <a href="#RFC4122" class="xref">[RFC4122]</a> of the object that the given object reference belongs to. The object_uuid MUST be preserved to preserve the object reference's association with the object.</p>
-<h1 id="rfc.section.2.7.2.12">
-<a href="#rfc.section.2.7.2.12">2.7.2.12.</a> <a href="#referenced-uuid" id="referenced-uuid">referenced_uuid</a>
-</h1>
-<p id="rfc.section.2.7.2.12.p.1">referenced_uuid represents the Universally Unique IDentifier (UUID) <a href="#RFC4122" class="xref">[RFC4122]</a> of the object or attribute that is being referenced by the object reference. The referenced_uuid MUST be preserved to preserve the object reference's association with the object or attribute.</p>
-<h1 id="rfc.section.2.8">
-<a href="#rfc.section.2.8">2.8.</a> <a href="#eventreport" id="eventreport">EventReport</a>
-</h1>
-<p id="rfc.section.2.8.p.1">EventReport are used to complement an event with one or more report in Markdown format. The EventReport contains unstructured information which can be linked to Attributes, Objects, Tags or Galaxy with an extension to the Markdown marking language.</p>
-<h1 id="rfc.section.2.8.1">
-<a href="#rfc.section.2.8.1">2.8.1.</a> <a href="#id-5" id="id-5">id</a>
-</h1>
-<p id="rfc.section.2.8.1.p.1">id represents the human-readable identifier associated to the EventReport for a specific MISP instance. A human-readable identifier MUST be represented as an unsigned integer.</p>
-<p id="rfc.section.2.8.1.p.2">id is represented as a JSON string. id SHALL be present.</p>
-<h1 id="rfc.section.2.8.2">
-<a href="#rfc.section.2.8.2">2.8.2.</a> <a href="#uuid-5" id="uuid-5">UUID</a>
-</h1>
-<p id="rfc.section.2.8.2.p.1">uuid represents the Universally Unique IDentifier (UUID) <a href="#RFC4122" class="xref">[RFC4122]</a> of the EventReport. The uuid MUST be preserved for any updates or transfer of the same EventReport. UUID version 4 is RECOMMENDED when assigning it to a new EventReport.</p>
-<p id="rfc.section.2.8.2.p.2">uuid is represented as a JSON string. uuid MUST be present.</p>
-<h1 id="rfc.section.2.8.3">
-<a href="#rfc.section.2.8.3">2.8.3.</a> <a href="#event-id-4" id="event-id-4">event_id</a>
-</h1>
-<p id="rfc.section.2.8.3.p.1">event_id represents the human-readable identifier associating the EventReport to an event on a specific MISP instance. A human-readable identifier MUST be represented as an unsigned integer.</p>
-<p id="rfc.section.2.8.3.p.2">event_id is represented as a JSON string. event_id  MUST be present.</p>
-<h1 id="rfc.section.2.8.4">
-<a href="#rfc.section.2.8.4">2.8.4.</a> <a href="#name-1" id="name-1">name</a>
-</h1>
-<p id="rfc.section.2.8.4.p.1">name represents the information field of the EventReport. name is a free-text value to provide a human-readable summary of the report. name SHOULD NOT be bigger than 256 characters and SHOULD NOT include new-lines.</p>
-<p id="rfc.section.2.8.4.p.2">name is represented as a JSON string. name MUST be present.</p>
-<h1 id="rfc.section.2.8.5">
-<a href="#rfc.section.2.8.5">2.8.5.</a> <a href="#content" id="content">content</a>
-</h1>
-<p id="rfc.section.2.8.5.p.1">content includes the raw EventReport in Markdown format with or without the specific MISP Markdown markup extension.</p>
-<p id="rfc.section.2.8.5.p.2">The markdown extension for MISP is composed with a symbol as prefix then between square bracket the scope (attribute, object, tag or galaxymatrix) followed by the UUID in parenthesis.</p>
-<p id="rfc.section.2.8.5.p.3">content is represented as a JSON string. content MUST be present.</p>
-<h1 id="rfc.section.2.8.6">
-<a href="#rfc.section.2.8.6">2.8.6.</a> <a href="#distribution-3" id="distribution-3">distribution</a>
-</h1>
-<p id="rfc.section.2.8.6.p.1">distribution represents the basic distribution rules of the EventReport. The system must adhere to the distribution setting for access control and for dissemination of the EventReport.</p>
-<p id="rfc.section.2.8.6.p.2">distribution is represented by a JSON string. distribution MUST be present and be one of the following options:</p>
-<p></p>
-
-<dl>
-<dt>0</dt>
-<dd style="margin-left: 8">
-<br>Your Organisation Only</dd>
-<dt>1</dt>
-<dd style="margin-left: 8">
-<br>This Community Only</dd>
-<dt>2</dt>
-<dd style="margin-left: 8">
-<br>Connected Communities</dd>
-<dt>3</dt>
-<dd style="margin-left: 8">
-<br>All Communities</dd>
-<dt>4</dt>
-<dd style="margin-left: 8">
-<br>Sharing Group</dd>
-<dt>5</dt>
-<dd style="margin-left: 8">
-<br>Inherit Event</dd>
+</pre><a href="#section-2.7.1-1" class="pilcrow">¶</a>
+</div>
+</section>
+</div>
+<div id="objectreference-attributes">
+<section id="section-2.7.2">
+          <h4 id="name-objectreference-attributes">
+<a href="#section-2.7.2" class="section-number selfRef">2.7.2. </a><a href="#name-objectreference-attributes" class="section-name selfRef">ObjectReference Attributes</a>
+          </h4>
+<div id="uuid-4">
+<section id="section-2.7.2.1">
+            <h5 id="name-uuid-5">
+<a href="#section-2.7.2.1" class="section-number selfRef">2.7.2.1. </a><a href="#name-uuid-5" class="section-name selfRef">uuid</a>
+            </h5>
+<p id="section-2.7.2.1-1">uuid represents the Universally Unique IDentifier (UUID) <span>[<a href="#RFC4122" class="xref">RFC4122</a>]</span> of the object reference. The uuid <span class="bcp14">MUST</span> be preserved
+for any updates or transfer of the same object reference. UUID version 4 is <span class="bcp14">RECOMMENDED</span> when assigning it to a new object reference.<a href="#section-2.7.2.1-1" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="id-4">
+<section id="section-2.7.2.2">
+            <h5 id="name-id-5">
+<a href="#section-2.7.2.2" class="section-number selfRef">2.7.2.2. </a><a href="#name-id-5" class="section-name selfRef">id</a>
+            </h5>
+<p id="section-2.7.2.2-1">id represents the human-readable identifier associated to the object reference for a specific MISP instance.<a href="#section-2.7.2.2-1" class="pilcrow">¶</a></p>
+<p id="section-2.7.2.2-2">id is represented as a JSON string. id <span class="bcp14">SHALL</span> be present.<a href="#section-2.7.2.2-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="timestamp-4">
+<section id="section-2.7.2.3">
+            <h5 id="name-timestamp-5">
+<a href="#section-2.7.2.3" class="section-number selfRef">2.7.2.3. </a><a href="#name-timestamp-5" class="section-name selfRef">timestamp</a>
+            </h5>
+<p id="section-2.7.2.3-1">timestamp represents a reference time when the object was created or last modified. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone <span class="bcp14">MUST</span> be UTC.<a href="#section-2.7.2.3-1" class="pilcrow">¶</a></p>
+<p id="section-2.7.2.3-2">timestamp is represented as a JSON string. timestamp <span class="bcp14">MUST</span> be present.<a href="#section-2.7.2.3-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="object-id">
+<section id="section-2.7.2.4">
+            <h5 id="name-object_id">
+<a href="#section-2.7.2.4" class="section-number selfRef">2.7.2.4. </a><a href="#name-object_id" class="section-name selfRef">object_id</a>
+            </h5>
+<p id="section-2.7.2.4-1">object_id represents the human-readable identifier of the object that the object reference belongs to on a specific MISP instance. A human-readable identifier <span class="bcp14">MUST</span> be
+represented as an unsigned integer.<a href="#section-2.7.2.4-1" class="pilcrow">¶</a></p>
+<p id="section-2.7.2.4-2">event<em>id is represented as a JSON string. event</em>id <span class="bcp14">SHALL</span> be present.<a href="#section-2.7.2.4-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="event-id-3">
+<section id="section-2.7.2.5">
+            <h5 id="name-event_id-4">
+<a href="#section-2.7.2.5" class="section-number selfRef">2.7.2.5. </a><a href="#name-event_id-4" class="section-name selfRef">event_id</a>
+            </h5>
+<p id="section-2.7.2.5-1">event_id represents the human-readable identifier of the event that the object reference belongs to on a specific MISP instance. A human-readable identifier <span class="bcp14">MUST</span> be
+represented as an unsigned integer.<a href="#section-2.7.2.5-1" class="pilcrow">¶</a></p>
+<p id="section-2.7.2.5-2">event<em>id is represented as a JSON string. event</em>id <span class="bcp14">SHALL</span> be present.<a href="#section-2.7.2.5-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="referenced-id">
+<section id="section-2.7.2.6">
+            <h5 id="name-referenced_id">
+<a href="#section-2.7.2.6" class="section-number selfRef">2.7.2.6. </a><a href="#name-referenced_id" class="section-name selfRef">referenced_id</a>
+            </h5>
+<p id="section-2.7.2.6-1">referenced_id represents the human-readable identifier of the object or attribute that the parent object  of the object reference points to on a specific MISP instance.<a href="#section-2.7.2.6-1" class="pilcrow">¶</a></p>
+<p id="section-2.7.2.6-2">referenced<em>id is represented as a JSON string. referenced</em>id <span class="bcp14">MAY</span> be present.<a href="#section-2.7.2.6-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="referenced-type">
+<section id="section-2.7.2.7">
+            <h5 id="name-referenced_type">
+<a href="#section-2.7.2.7" class="section-number selfRef">2.7.2.7. </a><a href="#name-referenced_type" class="section-name selfRef">referenced_type</a>
+            </h5>
+<p id="section-2.7.2.7-1">referenced_type represents the numeric value describing what the object reference points to, "0" representing an attribute and "1" representing an object<a href="#section-2.7.2.7-1" class="pilcrow">¶</a></p>
+<p id="section-2.7.2.7-2">referenced<em>type is represented as a JSON string. referenced</em>type <span class="bcp14">MAY</span> be present.<a href="#section-2.7.2.7-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="relationship-type">
+<section id="section-2.7.2.8">
+            <h5 id="name-relationship_type">
+<a href="#section-2.7.2.8" class="section-number selfRef">2.7.2.8. </a><a href="#name-relationship_type" class="section-name selfRef">relationship_type</a>
+            </h5>
+<p id="section-2.7.2.8-1">relationship<em>type represents the human-readable context of the relationship between an object and another object or attribute as described by the object</em>reference.<a href="#section-2.7.2.8-1" class="pilcrow">¶</a></p>
+<p id="section-2.7.2.8-2">referenced<em>type is represented as a JSON string. relationship</em>type <span class="bcp14">MUST</span> be present.<a href="#section-2.7.2.8-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="comment-3">
+<section id="section-2.7.2.9">
+            <h5 id="name-comment-4">
+<a href="#section-2.7.2.9" class="section-number selfRef">2.7.2.9. </a><a href="#name-comment-4" class="section-name selfRef">comment</a>
+            </h5>
+<p id="section-2.7.2.9-1">comment is a contextual comment field.<a href="#section-2.7.2.9-1" class="pilcrow">¶</a></p>
+<p id="section-2.7.2.9-2">comment is represented by a JSON string. comment <span class="bcp14">MAY</span> be present.<a href="#section-2.7.2.9-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="deleted-3">
+<section id="section-2.7.2.10">
+            <h5 id="name-deleted-4">
+<a href="#section-2.7.2.10" class="section-number selfRef">2.7.2.10. </a><a href="#name-deleted-4" class="section-name selfRef">deleted</a>
+            </h5>
+<p id="section-2.7.2.10-1">deleted represents a setting that allows object references to be revoked. Revoked object references are not actionable and exist merely to inform other instances of a revocation.<a href="#section-2.7.2.10-1" class="pilcrow">¶</a></p>
+<p id="section-2.7.2.10-2">deleted is represented by a JSON boolean. deleted <span class="bcp14">MUST</span> be present.<a href="#section-2.7.2.10-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="object-uuid">
+<section id="section-2.7.2.11">
+            <h5 id="name-object_uuid">
+<a href="#section-2.7.2.11" class="section-number selfRef">2.7.2.11. </a><a href="#name-object_uuid" class="section-name selfRef">object_uuid</a>
+            </h5>
+<p id="section-2.7.2.11-1">object_uuid represents the Universally Unique IDentifier (UUID) <span>[<a href="#RFC4122" class="xref">RFC4122</a>]</span> of the object that the given object reference belongs to. The object_uuid <span class="bcp14">MUST</span> be preserved
+to preserve the object reference's association with the object.<a href="#section-2.7.2.11-1" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="referenced-uuid">
+<section id="section-2.7.2.12">
+            <h5 id="name-referenced_uuid">
+<a href="#section-2.7.2.12" class="section-number selfRef">2.7.2.12. </a><a href="#name-referenced_uuid" class="section-name selfRef">referenced_uuid</a>
+            </h5>
+<p id="section-2.7.2.12-1">referenced_uuid represents the Universally Unique IDentifier (UUID) <span>[<a href="#RFC4122" class="xref">RFC4122</a>]</span> of the object or attribute that is being referenced by the object reference. The referenced_uuid <span class="bcp14">MUST</span> be preserved
+to preserve the object reference's association with the object or attribute.<a href="#section-2.7.2.12-1" class="pilcrow">¶</a></p>
+</section>
+</div>
+</section>
+</div>
+</section>
+</div>
+<div id="eventreport">
+<section id="section-2.8">
+        <h3 id="name-eventreport">
+<a href="#section-2.8" class="section-number selfRef">2.8. </a><a href="#name-eventreport" class="section-name selfRef">EventReport</a>
+        </h3>
+<p id="section-2.8-1">EventReport are used to complement an event with one or more report in Markdown format. The EventReport contains unstructured information which can be linked to Attributes, Objects, Tags or Galaxy with
+an extension to the Markdown marking language.<a href="#section-2.8-1" class="pilcrow">¶</a></p>
+<div id="id-5">
+<section id="section-2.8.1">
+          <h4 id="name-id-6">
+<a href="#section-2.8.1" class="section-number selfRef">2.8.1. </a><a href="#name-id-6" class="section-name selfRef">id</a>
+          </h4>
+<p id="section-2.8.1-1">id represents the human-readable identifier associated to the EventReport for a specific MISP instance. A human-readable identifier <span class="bcp14">MUST</span> be
+represented as an unsigned integer.<a href="#section-2.8.1-1" class="pilcrow">¶</a></p>
+<p id="section-2.8.1-2">id is represented as a JSON string. id <span class="bcp14">SHALL</span> be present.<a href="#section-2.8.1-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="uuid-5">
+<section id="section-2.8.2">
+          <h4 id="name-uuid-6">
+<a href="#section-2.8.2" class="section-number selfRef">2.8.2. </a><a href="#name-uuid-6" class="section-name selfRef">UUID</a>
+          </h4>
+<p id="section-2.8.2-1">uuid represents the Universally Unique IDentifier (UUID) <span>[<a href="#RFC4122" class="xref">RFC4122</a>]</span> of the EventReport. The uuid <span class="bcp14">MUST</span> be preserved for any updates or transfer of the same EventReport. UUID version 4 is <span class="bcp14">RECOMMENDED</span> when assigning it to a new EventReport.<a href="#section-2.8.2-1" class="pilcrow">¶</a></p>
+<p id="section-2.8.2-2">uuid is represented as a JSON string. uuid <span class="bcp14">MUST</span> be present.<a href="#section-2.8.2-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="event-id-4">
+<section id="section-2.8.3">
+          <h4 id="name-event_id-5">
+<a href="#section-2.8.3" class="section-number selfRef">2.8.3. </a><a href="#name-event_id-5" class="section-name selfRef">event_id</a>
+          </h4>
+<p id="section-2.8.3-1">event_id represents the human-readable identifier associating the EventReport to an event on a specific MISP instance. A human-readable identifier <span class="bcp14">MUST</span> be
+represented as an unsigned integer.<a href="#section-2.8.3-1" class="pilcrow">¶</a></p>
+<p id="section-2.8.3-2">event_id is represented as a JSON string. event_id  <span class="bcp14">MUST</span> be present.<a href="#section-2.8.3-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="name-1">
+<section id="section-2.8.4">
+          <h4 id="name-name-2">
+<a href="#section-2.8.4" class="section-number selfRef">2.8.4. </a><a href="#name-name-2" class="section-name selfRef">name</a>
+          </h4>
+<p id="section-2.8.4-1">name represents the information field of the EventReport. name is a free-text value to provide a human-readable summary
+of the report. name <span class="bcp14">SHOULD</span> NOT be bigger than 256 characters and <span class="bcp14">SHOULD</span> NOT include new-lines.<a href="#section-2.8.4-1" class="pilcrow">¶</a></p>
+<p id="section-2.8.4-2">name is represented as a JSON string. name <span class="bcp14">MUST</span> be present.<a href="#section-2.8.4-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="content">
+<section id="section-2.8.5">
+          <h4 id="name-content">
+<a href="#section-2.8.5" class="section-number selfRef">2.8.5. </a><a href="#name-content" class="section-name selfRef">content</a>
+          </h4>
+<p id="section-2.8.5-1">content includes the raw EventReport in Markdown format with or without the specific MISP Markdown markup extension.<a href="#section-2.8.5-1" class="pilcrow">¶</a></p>
+<p id="section-2.8.5-2">The markdown extension for MISP is composed with a symbol as prefix then between square bracket the scope (attribute, object, tag or galaxymatrix) followed by the UUID in parenthesis.<a href="#section-2.8.5-2" class="pilcrow">¶</a></p>
+<p id="section-2.8.5-3">content is represented as a JSON string. content <span class="bcp14">MUST</span> be present.<a href="#section-2.8.5-3" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="distribution-3">
+<section id="section-2.8.6">
+          <h4 id="name-distribution-4">
+<a href="#section-2.8.6" class="section-number selfRef">2.8.6. </a><a href="#name-distribution-4" class="section-name selfRef">distribution</a>
+          </h4>
+<p id="section-2.8.6-1">distribution represents the basic distribution rules of the EventReport. The system must adhere to the distribution setting for access control and for dissemination of the EventReport.<a href="#section-2.8.6-1" class="pilcrow">¶</a></p>
+<p id="section-2.8.6-2">distribution is represented by a JSON string. distribution <span class="bcp14">MUST</span> be present and be one of the following options:<a href="#section-2.8.6-2" class="pilcrow">¶</a></p>
+<span class="break"></span><dl class="dlParallel" id="section-2.8.6-3">
+            <dt id="section-2.8.6-3.1">0</dt>
+            <dd style="margin-left: 1.5em" id="section-2.8.6-3.2">Your Organisation Only<a href="#section-2.8.6-3.2" class="pilcrow">¶</a>
+</dd>
+            <dd class="break"></dd>
+<dt id="section-2.8.6-3.3">1</dt>
+            <dd style="margin-left: 1.5em" id="section-2.8.6-3.4">This Community Only<a href="#section-2.8.6-3.4" class="pilcrow">¶</a>
+</dd>
+            <dd class="break"></dd>
+<dt id="section-2.8.6-3.5">2</dt>
+            <dd style="margin-left: 1.5em" id="section-2.8.6-3.6">Connected Communities<a href="#section-2.8.6-3.6" class="pilcrow">¶</a>
+</dd>
+            <dd class="break"></dd>
+<dt id="section-2.8.6-3.7">3</dt>
+            <dd style="margin-left: 1.5em" id="section-2.8.6-3.8">All Communities<a href="#section-2.8.6-3.8" class="pilcrow">¶</a>
+</dd>
+            <dd class="break"></dd>
+<dt id="section-2.8.6-3.9">4</dt>
+            <dd style="margin-left: 1.5em" id="section-2.8.6-3.10">Sharing Group<a href="#section-2.8.6-3.10" class="pilcrow">¶</a>
+</dd>
+            <dd class="break"></dd>
+<dt id="section-2.8.6-3.11">5</dt>
+            <dd style="margin-left: 1.5em" id="section-2.8.6-3.12">Inherit Event<a href="#section-2.8.6-3.12" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
 </dl>
-
-<p> </p>
-<h1 id="rfc.section.2.8.7">
-<a href="#rfc.section.2.8.7">2.8.7.</a> <a href="#sharing-group-id-3" id="sharing-group-id-3">sharing_group_id</a>
-</h1>
-<p id="rfc.section.2.8.7.p.1">sharing_group_id represents the local id to the MISP local instance of the Sharing Group associated for the distribution.</p>
-<p id="rfc.section.2.8.7.p.2">sharing_group_id is represented by a JSON string. sharing_group_id MUST be present and set to "0" if not used.</p>
-<h1 id="rfc.section.2.8.8">
-<a href="#rfc.section.2.8.8">2.8.8.</a> <a href="#timestamp-5" id="timestamp-5">timestamp</a>
-</h1>
-<p id="rfc.section.2.8.8.p.1">timestamp represents a reference time when the EventReport was created or last modified. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone MUST be UTC.</p>
-<p id="rfc.section.2.8.8.p.2">timestamp is represented as a JSON string. timestamp MUST be present.</p>
-<h1 id="rfc.section.2.8.9">
-<a href="#rfc.section.2.8.9">2.8.9.</a> <a href="#deleted-4" id="deleted-4">deleted</a>
-</h1>
-<p id="rfc.section.2.8.9.p.1">deleted represents a setting that allows EventReport to be revoked. Revoked EventReport are not actionable and exist merely to inform other instances of a revocation.</p>
-<p id="rfc.section.2.8.9.p.2">deleted is represented by a JSON boolean. deleted MUST be present.</p>
-<h1 id="rfc.section.2.9">
-<a href="#rfc.section.2.9">2.9.</a> <a href="#tag" id="tag">Tag</a>
-</h1>
-<p id="rfc.section.2.9.p.1">A tag is a simple method to classify an event with a simple string. The tag name can be freely chosen. The tag name can be also chosen from a fixed machine-tag vocabulary called MISP taxonomies[<a href="#MISP-T" class="xref">[MISP-T]</a>]. When an event is distributed outside an organisation, the use of MISP taxonomies[<a href="#MISP-T" class="xref">[MISP-T]</a>] is RECOMMENDED to ensure a coherent naming of the tags. A tag is represented as a JSON array where each element describes each tag associated. A tag array SHALL be at event level or attribute level. A tag element is described with a name, id, colour and exportable flag.</p>
-<p id="rfc.section.2.9.p.2">exportable represents a setting if the tag is kept local or exportable to other MISP instances. exportable is represented by a JSON boolean. id is a human-readable identifier that references the tag on the local instance. colour represents an RGB value of the tag.</p>
-<p id="rfc.section.2.9.p.3">name MUST be present. colour, id and exportable SHALL be present.</p>
-<h1 id="rfc.section.2.9.1">
-<a href="#rfc.section.2.9.1">2.9.1.</a> <a href="#sample-tag" id="sample-tag">Sample Tag</a>
-</h1>
+</section>
+</div>
+<div id="sharing-group-id-3">
+<section id="section-2.8.7">
+          <h4 id="name-sharing_group_id-4">
+<a href="#section-2.8.7" class="section-number selfRef">2.8.7. </a><a href="#name-sharing_group_id-4" class="section-name selfRef">sharing_group_id</a>
+          </h4>
+<p id="section-2.8.7-1">sharing_group_id represents the local id to the MISP local instance of the Sharing Group associated for the distribution.<a href="#section-2.8.7-1" class="pilcrow">¶</a></p>
+<p id="section-2.8.7-2">sharing_group_id is represented by a JSON string. sharing_group_id <span class="bcp14">MUST</span> be present and set to "0" if not used.<a href="#section-2.8.7-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="timestamp-5">
+<section id="section-2.8.8">
+          <h4 id="name-timestamp-6">
+<a href="#section-2.8.8" class="section-number selfRef">2.8.8. </a><a href="#name-timestamp-6" class="section-name selfRef">timestamp</a>
+          </h4>
+<p id="section-2.8.8-1">timestamp represents a reference time when the EventReport was created or last modified. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone <span class="bcp14">MUST</span> be UTC.<a href="#section-2.8.8-1" class="pilcrow">¶</a></p>
+<p id="section-2.8.8-2">timestamp is represented as a JSON string. timestamp <span class="bcp14">MUST</span> be present.<a href="#section-2.8.8-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="deleted-4">
+<section id="section-2.8.9">
+          <h4 id="name-deleted-5">
+<a href="#section-2.8.9" class="section-number selfRef">2.8.9. </a><a href="#name-deleted-5" class="section-name selfRef">deleted</a>
+          </h4>
+<p id="section-2.8.9-1">deleted represents a setting that allows EventReport to be revoked. Revoked EventReport are not actionable and exist merely to inform other instances of a revocation.<a href="#section-2.8.9-1" class="pilcrow">¶</a></p>
+<p id="section-2.8.9-2">deleted is represented by a JSON boolean. deleted <span class="bcp14">MUST</span> be present.<a href="#section-2.8.9-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+</section>
+</div>
+<div id="tag">
+<section id="section-2.9">
+        <h3 id="name-tag">
+<a href="#section-2.9" class="section-number selfRef">2.9. </a><a href="#name-tag" class="section-name selfRef">Tag</a>
+        </h3>
+<p id="section-2.9-1">A tag is a simple method to classify an event with a simple string. The tag name can be freely chosen. The tag name can be also chosen from a fixed machine-tag vocabulary called MISP taxonomies[<span>[<a href="#MISP-T" class="xref">MISP-T</a>]</span>]. When an event is distributed outside an organisation, the use of MISP taxonomies[<span>[<a href="#MISP-T" class="xref">MISP-T</a>]</span>] is <span class="bcp14">RECOMMENDED</span> to ensure a coherent naming of the tags. A tag is represented as a JSON array where each element describes each tag associated. A tag array <span class="bcp14">SHALL</span> be at event level or attribute level. A tag element is described with a name, id, colour and exportable flag.<a href="#section-2.9-1" class="pilcrow">¶</a></p>
+<p id="section-2.9-2">exportable represents a setting if the tag is kept local or exportable to other MISP instances. exportable is represented by a JSON boolean. id is a human-readable identifier that references the tag on the local instance. colour represents an RGB value of the tag.<a href="#section-2.9-2" class="pilcrow">¶</a></p>
+<p id="section-2.9-3">name <span class="bcp14">MUST</span> be present. colour, id and exportable <span class="bcp14">SHALL</span> be present.<a href="#section-2.9-3" class="pilcrow">¶</a></p>
+<div id="sample-tag">
+<section id="section-2.9.1">
+          <h4 id="name-sample-tag">
+<a href="#section-2.9.1" class="section-number selfRef">2.9.1. </a><a href="#name-sample-tag" class="section-name selfRef">Sample Tag</a>
+          </h4>
+<div class="artwork art-text alignLeft" id="section-2.9.1-1">
 <pre>"Tag": [{
         "exportable": true,
         "colour": "#ffffff",
         "name": "tlp:white",
         "id": "2" }]
-</pre>
-<h1 id="rfc.section.2.10">
-<a href="#rfc.section.2.10">2.10.</a> <a href="#sighting" id="sighting">Sighting</a>
-</h1>
-<p id="rfc.section.2.10.p.1">A sighting is an ascertainment which describes whether an attribute has been seen under a given set of conditions. The sighting can include the organisation who sighted the attribute or can be anonymised. Sighting is composed of a JSON array in which each element describes one singular instance of a sighting. A sighting element is a JSON object composed of the following values:</p>
-<p id="rfc.section.2.10.p.2">type MUST be present. type describes the type of a sighting. MISP allows 3 default types:</p>
-<table cellpadding="3" cellspacing="0" class="tt full center">
-<thead><tr>
-<th class="left">Sighting type</th>
-<th class="center">Description</th>
-</tr></thead>
-<tbody>
-<tr>
-<td class="left">0</td>
-<td class="center">denotes an attribute which has been seen</td>
-</tr>
-<tr>
-<td class="left">1</td>
-<td class="center">denotes an attribute which has been seen and confirmed as false-positive</td>
-</tr>
-<tr>
-<td class="left">2</td>
-<td class="center">denotes an attribute which will be expired at the time of the sighting</td>
-</tr>
-</tbody>
-</table>
-<p id="rfc.section.2.10.p.3">uuid MUST be present. uuid references the uuid of the sighted attribute.</p>
-<p id="rfc.section.2.10.p.4">date<em>sighting MUST be present. date</em>sighting is expressed in seconds (decimal) elapsed since 1st of January 1970 (Unix timestamp). date_sighting represents when the referenced attribute, designated by its uuid, is sighted.</p>
-<p id="rfc.section.2.10.p.5">source MAY be present. source is represented as a JSON string and represents the human-readable version of the sighting source, which can be a given piece of software (e.g. SIEM), device or a specific analytical process.</p>
-<p id="rfc.section.2.10.p.6">id, event<em>id and attribute</em>id MAY be present.</p>
-<p id="rfc.section.2.10.p.7">id represents the human-readable identifier of the sighting reference which belongs to a specific MISP instance.  event<em>id represents the human-readable identifier of the event referenced by the sighting and belongs to a specific MISP instance.  attribute</em>id represents the human-readable identifier of the attribute referenced by the sighting and belongs to a specific MISP instance.</p>
-<p id="rfc.section.2.10.p.8">org<em>id MAY be present along the JSON object describing the organisation. If the org</em>id is not present, the sighting is considered as anonymised.</p>
-<p id="rfc.section.2.10.p.9">org_id represents the human-readable identifier of the organisation which did the sighting and belongs to a specific MISP instance.</p>
-<p id="rfc.section.2.10.p.10">A human-readable identifier MUST be represented as an unsigned integer.</p>
-<h1 id="rfc.section.2.10.1">
-<a href="#rfc.section.2.10.1">2.10.1.</a> <a href="#sample-sighting" id="sample-sighting">Sample Sighting</a>
-</h1>
+</pre><a href="#section-2.9.1-1" class="pilcrow">¶</a>
+</div>
+</section>
+</div>
+</section>
+</div>
+<div id="sighting">
+<section id="section-2.10">
+        <h3 id="name-sighting">
+<a href="#section-2.10" class="section-number selfRef">2.10. </a><a href="#name-sighting" class="section-name selfRef">Sighting</a>
+        </h3>
+<p id="section-2.10-1">A sighting is an ascertainment which describes whether an attribute has been seen under a given set of conditions. The sighting can include the organisation who sighted the attribute or can
+be anonymised. Sighting is composed of a JSON array in which each element describes one singular instance of a sighting. A sighting element is a JSON object composed of the following values:<a href="#section-2.10-1" class="pilcrow">¶</a></p>
+<p id="section-2.10-2">type <span class="bcp14">MUST</span> be present. type describes the type of a sighting. MISP allows 3 default types:<a href="#section-2.10-2" class="pilcrow">¶</a></p>
+<table class="center" id="table-1">
+          <caption><a href="#table-1" class="selfRef">Table 1</a></caption>
+<thead>
+            <tr>
+              <th class="text-left" rowspan="1" colspan="1">Sighting type</th>
+              <th class="text-center" rowspan="1" colspan="1">Description</th>
+            </tr>
+          </thead>
+          <tbody>
+            <tr>
+              <td class="text-left" rowspan="1" colspan="1">0</td>
+              <td class="text-center" rowspan="1" colspan="1">denotes an attribute which has been seen</td>
+            </tr>
+            <tr>
+              <td class="text-left" rowspan="1" colspan="1">1</td>
+              <td class="text-center" rowspan="1" colspan="1">denotes an attribute which has been seen and confirmed as false-positive</td>
+            </tr>
+            <tr>
+              <td class="text-left" rowspan="1" colspan="1">2</td>
+              <td class="text-center" rowspan="1" colspan="1">denotes an attribute which will be expired at the time of the sighting</td>
+            </tr>
+          </tbody>
+        </table>
+<p id="section-2.10-4">uuid <span class="bcp14">MUST</span> be present. uuid references the uuid of the sighted attribute.<a href="#section-2.10-4" class="pilcrow">¶</a></p>
+<p id="section-2.10-5">date<em>sighting <span class="bcp14">MUST</span> be present. date</em>sighting is expressed in seconds (decimal) elapsed since 1st of January 1970 (Unix timestamp). date_sighting represents when the referenced attribute, designated by its uuid, is sighted.<a href="#section-2.10-5" class="pilcrow">¶</a></p>
+<p id="section-2.10-6">source <span class="bcp14">MAY</span> be present. source is represented as a JSON string and represents the human-readable version of the sighting source, which can be a given piece of software (e.g. SIEM), device or a specific analytical process.<a href="#section-2.10-6" class="pilcrow">¶</a></p>
+<p id="section-2.10-7">id, event<em>id and attribute</em>id <span class="bcp14">MAY</span> be present.<a href="#section-2.10-7" class="pilcrow">¶</a></p>
+<p id="section-2.10-8">id represents the human-readable identifier of the sighting reference which belongs to a specific MISP instance.
+event<em>id represents the human-readable identifier of the event referenced by the sighting and belongs to a specific MISP instance.
+attribute</em>id represents the human-readable identifier of the attribute referenced by the sighting and belongs to a specific MISP instance.<a href="#section-2.10-8" class="pilcrow">¶</a></p>
+<p id="section-2.10-9">org<em>id <span class="bcp14">MAY</span> be present along the JSON object describing the organisation. If the org</em>id is not present, the sighting is considered as anonymised.<a href="#section-2.10-9" class="pilcrow">¶</a></p>
+<p id="section-2.10-10">org_id represents the human-readable identifier of the organisation which did the sighting and belongs to a specific MISP instance.<a href="#section-2.10-10" class="pilcrow">¶</a></p>
+<p id="section-2.10-11">A human-readable identifier <span class="bcp14">MUST</span> be represented as an unsigned integer.<a href="#section-2.10-11" class="pilcrow">¶</a></p>
+<div id="sample-sighting">
+<section id="section-2.10.1">
+          <h4 id="name-sample-sighting">
+<a href="#section-2.10.1" class="section-number selfRef">2.10.1. </a><a href="#name-sample-sighting" class="section-name selfRef">Sample Sighting</a>
+          </h4>
+<div class="artwork art-text alignLeft" id="section-2.10.1-1">
 <pre>"Sighting": [
-		   {
-				"id": "13599",
-				"attribute_id": "1201615",
-				"event_id": "10164",
-				"org_id": "2",
-				"date_sighting": "1517581400",
-				"uuid": "5a747459-41b4-4826-9b29-42dd950d210f",
-				"source": "M2M-CIRCL",
-				"type": "0",
-				"Organisation": {
-					"id": "2",
-					"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f",
-					"name": "CIRCL"
-				}
-			},
-			{
-				"id": "13601",
-				"attribute_id": "1201615",
-				"event_id": "10164",
-				"org_id": "2",
-				"date_sighting": "1517581401",
-				"uuid": "5a74745a-a190-4d04-b719-4916950d210f",
-				"source": "M2M-CIRCL",
-				"type": "0",
-				"Organisation": {
-					"id": "2",
-					"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f",
-					"name": "CIRCL"
-				}
-			}
-		]
-</pre>
-<h1 id="rfc.section.2.11">
-<a href="#rfc.section.2.11">2.11.</a> <a href="#galaxy" id="galaxy">Galaxy</a>
-</h1>
-<p id="rfc.section.2.11.p.1">A galaxy is a simple method to express a large object called cluster that can be attached to MISP events. A cluster can be composed of one or more elements. Elements are expressed as key-values.</p>
-<h1 id="rfc.section.2.11.1">
-<a href="#rfc.section.2.11.1">2.11.1.</a> <a href="#sample-galaxy" id="sample-galaxy">Sample Galaxy</a>
-</h1>
+                   {
+                                "id": "13599",
+                                "attribute_id": "1201615",
+                                "event_id": "10164",
+                                "org_id": "2",
+                                "date_sighting": "1517581400",
+                                "uuid": "5a747459-41b4-4826-9b29-42dd950d210f",
+                                "source": "M2M-CIRCL",
+                                "type": "0",
+                                "Organisation": {
+                                        "id": "2",
+                                        "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f",
+                                        "name": "CIRCL"
+                                }
+                        },
+                        {
+                                "id": "13601",
+                                "attribute_id": "1201615",
+                                "event_id": "10164",
+                                "org_id": "2",
+                                "date_sighting": "1517581401",
+                                "uuid": "5a74745a-a190-4d04-b719-4916950d210f",
+                                "source": "M2M-CIRCL",
+                                "type": "0",
+                                "Organisation": {
+                                        "id": "2",
+                                        "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f",
+                                        "name": "CIRCL"
+                                }
+                        }
+                ]
+</pre><a href="#section-2.10.1-1" class="pilcrow">¶</a>
+</div>
+</section>
+</div>
+</section>
+</div>
+<div id="galaxy">
+<section id="section-2.11">
+        <h3 id="name-galaxy">
+<a href="#section-2.11" class="section-number selfRef">2.11. </a><a href="#name-galaxy" class="section-name selfRef">Galaxy</a>
+        </h3>
+<p id="section-2.11-1">A galaxy is a simple method to express a large object called cluster that can be attached to MISP events. A cluster can be composed of one or more elements. Elements are expressed as key-values.<a href="#section-2.11-1" class="pilcrow">¶</a></p>
+<div id="sample-galaxy">
+<section id="section-2.11.1">
+          <h4 id="name-sample-galaxy">
+<a href="#section-2.11.1" class="section-number selfRef">2.11.1. </a><a href="#name-sample-galaxy" class="section-name selfRef">Sample Galaxy</a>
+          </h4>
+<div class="artwork art-text alignLeft" id="section-2.11.1-1">
 <pre>"Galaxy": [ {
            "id": "18",
            "uuid": "698774c7-8022-42c4-917f-8d6e4f06ada3",
@@ -1600,11 +3025,23 @@
                 ]
             }
         ]
-</pre>
-<h1 id="rfc.section.3">
-<a href="#rfc.section.3">3.</a> <a href="#json-schema" id="json-schema">JSON Schema</a>
-</h1>
-<p id="rfc.section.3.p.1">The JSON Schema <a href="#JSON-SCHEMA" class="xref">[JSON-SCHEMA]</a> below defines the structure of the MISP core format as literally described before. The JSON Schema is used to validate MISP events at creation time or parsing.</p>
+</pre><a href="#section-2.11.1-1" class="pilcrow">¶</a>
+</div>
+</section>
+</div>
+</section>
+</div>
+</section>
+</div>
+<div id="json-schema">
+<section id="section-3">
+      <h2 id="name-json-schema">
+<a href="#section-3" class="section-number selfRef">3. </a><a href="#name-json-schema" class="section-name selfRef">JSON Schema</a>
+      </h2>
+<p id="section-3-1">The JSON Schema <span>[<a href="#JSON-SCHEMA" class="xref">JSON-SCHEMA</a>]</span> below defines the structure of the MISP core format
+as literally described before. The JSON Schema is used to validate MISP events at creation time
+or parsing.<a href="#section-3-1" class="pilcrow">¶</a></p>
+<div class="artwork art-text alignLeft" id="section-3-2">
 <pre>{
   "$schema": "http://json-schema.org/draft-04/schema#",
   "title": "Validator for misp events",
@@ -2279,42 +3716,57 @@
     "Event"
   ]
 }
-</pre>
-<h1 id="rfc.section.4">
-<a href="#rfc.section.4">4.</a> <a href="#manifest" id="manifest">Manifest</a>
-</h1>
-<p id="rfc.section.4.p.1">MISP events can be shared over an HTTP repository, a file package or USB key. A manifest file is used to provide an index of MISP events allowing to only fetch the recently updated files without the need to parse each json file.</p>
-<h1 id="rfc.section.4.1">
-<a href="#rfc.section.4.1">4.1.</a> <a href="#format-1" id="format-1">Format</a>
-</h1>
-<p id="rfc.section.4.1.p.1">A manifest file is a simple JSON file named manifest.json in a directory where the MISP events are located.  Each MISP event is a file located in the same directory with the event uuid as filename with the json extension.</p>
-<p id="rfc.section.4.1.p.2">The manifest format is a JSON object composed of a dictionary where the field is the uuid of the event.</p>
-<p id="rfc.section.4.1.p.3">Each uuid is composed of a JSON object with the following fields which came from the original event referenced by the same uuid:</p>
-<p></p>
-
-<ul>
-<li>info (MUST)</li>
-<li>Orgc object (MUST)</li>
-<li>analysis (SHALL)</li>
-<li>timestamp (MUST)</li>
-<li>date (MUST)</li>
-<li>threat<em>level</em>id (SHALL)</li>
-</ul>
-
-<p> </p>
-<p id="rfc.section.4.1.p.5">In addition to the fields originating from the event, the following fields can be added:</p>
-<p></p>
-
-<ul>
-<li>integrity:sha256 represents the SHA256 value in hexadecimal representation of the associated MISP event file to ensure integrity of the file. (SHOULD)</li>
-<li>integrity:pgp represents a detached PGP signature <a href="#RFC4880" class="xref">[RFC4880]</a> of the associated MISP event file to ensure integrity of the file. (SHOULD)</li>
-</ul>
-
-<p> </p>
-<p id="rfc.section.4.1.p.7">If a detached PGP signature is used for each MISP event, a detached PGP signature is a MUST to ensure integrity of the manifest file.  A detached PGP signature for a manifest file is a manifest.json.asc file containing the PGP signature.</p>
-<h1 id="rfc.section.4.1.1">
-<a href="#rfc.section.4.1.1">4.1.1.</a> <a href="#sample-manifest" id="sample-manifest">Sample Manifest</a>
-</h1>
+</pre><a href="#section-3-2" class="pilcrow">¶</a>
+</div>
+</section>
+</div>
+<div id="manifest">
+<section id="section-4">
+      <h2 id="name-manifest">
+<a href="#section-4" class="section-number selfRef">4. </a><a href="#name-manifest" class="section-name selfRef">Manifest</a>
+      </h2>
+<p id="section-4-1">MISP events can be shared over an HTTP repository, a file package or USB key. A manifest file is used to
+provide an index of MISP events allowing to only fetch the recently updated files without the need to parse
+each json file.<a href="#section-4-1" class="pilcrow">¶</a></p>
+<div id="format-1">
+<section id="section-4.1">
+        <h3 id="name-format-2">
+<a href="#section-4.1" class="section-number selfRef">4.1. </a><a href="#name-format-2" class="section-name selfRef">Format</a>
+        </h3>
+<p id="section-4.1-1">A manifest file is a simple JSON file named manifest.json in a directory where the MISP events are located.
+Each MISP event is a file located in the same directory with the event uuid as filename with the json extension.<a href="#section-4.1-1" class="pilcrow">¶</a></p>
+<p id="section-4.1-2">The manifest format is a JSON object composed of a dictionary where the field is the uuid of the event.<a href="#section-4.1-2" class="pilcrow">¶</a></p>
+<p id="section-4.1-3">Each uuid is composed of a JSON object with the following fields which came from the original event referenced
+by the same uuid:<a href="#section-4.1-3" class="pilcrow">¶</a></p>
+<ul class="normal">
+<li class="normal" id="section-4.1-4.1">info (<span class="bcp14">MUST</span>)<a href="#section-4.1-4.1" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-4.1-4.2">Orgc object (<span class="bcp14">MUST</span>)<a href="#section-4.1-4.2" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-4.1-4.3">analysis (<span class="bcp14">SHALL</span>)<a href="#section-4.1-4.3" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-4.1-4.4">timestamp (<span class="bcp14">MUST</span>)<a href="#section-4.1-4.4" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-4.1-4.5">date (<span class="bcp14">MUST</span>)<a href="#section-4.1-4.5" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-4.1-4.6">threat<em>level</em>id (<span class="bcp14">SHALL</span>)<a href="#section-4.1-4.6" class="pilcrow">¶</a>
+</li>
+        </ul>
+<p id="section-4.1-5">In addition to the fields originating from the event, the following fields can be added:<a href="#section-4.1-5" class="pilcrow">¶</a></p>
+<ul class="normal">
+<li class="normal" id="section-4.1-6.1">integrity:sha256 represents the SHA256 value in hexadecimal representation of the associated MISP event file to ensure integrity of the file. (<span class="bcp14">SHOULD</span>)<a href="#section-4.1-6.1" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-4.1-6.2">integrity:pgp represents a detached PGP signature <span>[<a href="#RFC4880" class="xref">RFC4880</a>]</span> of the associated MISP event file to ensure integrity of the file. (<span class="bcp14">SHOULD</span>)<a href="#section-4.1-6.2" class="pilcrow">¶</a>
+</li>
+        </ul>
+<p id="section-4.1-7">If a detached PGP signature is used for each MISP event, a detached PGP signature is a <span class="bcp14">MUST</span> to ensure integrity of the manifest file.
+A detached PGP signature for a manifest file is a manifest.json.asc file containing the PGP signature.<a href="#section-4.1-7" class="pilcrow">¶</a></p>
+<div id="sample-manifest">
+<section id="section-4.1.1">
+          <h4 id="name-sample-manifest">
+<a href="#section-4.1.1" class="section-number selfRef">4.1.1. </a><a href="#name-sample-manifest" class="section-name selfRef">Sample Manifest</a>
+          </h4>
+<div class="artwork art-text alignLeft" id="section-4.1.1-1">
 <pre>{
   "57c6ac4c-c60c-4f79-a38f-b666950d210f": {
     "info": "Malspam 2016-08-31 (.wsf in .zip) - campaign: Photo",
@@ -2364,123 +3816,148 @@
     "threat_level_id": "3"
   }
 }
-</pre>
-<h1 id="rfc.section.5">
-<a href="#rfc.section.5">5.</a> <a href="#implementation" id="implementation">Implementation</a>
-</h1>
-<p id="rfc.section.5.p.1">MISP format is implemented by different software including the MISP threat sharing platform and libraries like PyMISP <a href="#MISP-P" class="xref">[MISP-P]</a>. Implementations use the format as an export/import mechanism, staging transport format or synchronisation format as used in the MISP core platform. MISP format doesn't impose any restriction on the data representation of the format in data-structure of other implementations.</p>
-<h1 id="rfc.section.6">
-<a href="#rfc.section.6">6.</a> <a href="#security-considerations" id="security-considerations">Security Considerations</a>
-</h1>
-<p id="rfc.section.6.p.1">MISP events might contain sensitive or confidential information. Adequate access control and encryption measures shall be implemented to ensure the confidentiality of the MISP events.</p>
-<p id="rfc.section.6.p.2">Adversaries might include malicious content in MISP events and attributes.  Implementation MUST consider the input of malicious inputs beside the standard threat information that might already include malicious intended inputs.</p>
-<h1 id="rfc.section.7">
-<a href="#rfc.section.7">7.</a> <a href="#acknowledgements" id="acknowledgements">Acknowledgements</a>
-</h1>
-<p id="rfc.section.7.p.1">The authors wish to thank all the MISP community who are supporting the creation of open standards in threat intelligence sharing. A special thank to Nicolas Bareil for the review of the JSON Schema.</p>
-<h1 id="rfc.section.8">
-<a href="#rfc.section.8">8.</a> <a href="#references" id="references">References</a>
-</h1>
-<h1 id="rfc.references">
-<a href="#rfc.references">9.</a> References</h1>
-<h1 id="rfc.references.1">
-<a href="#rfc.references.1">9.1.</a> Normative References</h1>
-<table><tbody>
-<tr>
-<td class="reference"><b id="RFC2119">[RFC2119]</b></td>
-<td class="top">
-<a>Bradner, S.</a>, "<a href="https://tools.ietf.org/html/rfc2119">Key words for use in RFCs to Indicate Requirement Levels</a>", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.</td>
-</tr>
-<tr>
-<td class="reference"><b id="RFC4122">[RFC4122]</b></td>
-<td class="top">
-<a>Leach, P.</a>, <a>Mealling, M.</a> and <a>R. Salz</a>, "<a href="https://tools.ietf.org/html/rfc4122">A Universally Unique IDentifier (UUID) URN Namespace</a>", RFC 4122, DOI 10.17487/RFC4122, July 2005.</td>
-</tr>
-<tr>
-<td class="reference"><b id="RFC4880">[RFC4880]</b></td>
-<td class="top">
-<a>Callas, J.</a>, <a>Donnerhacke, L.</a>, <a>Finney, H.</a>, <a>Shaw, D.</a> and <a>R. Thayer</a>, "<a href="https://tools.ietf.org/html/rfc4880">OpenPGP Message Format</a>", RFC 4880, DOI 10.17487/RFC4880, November 2007.</td>
-</tr>
-<tr>
-<td class="reference"><b id="RFC8259">[RFC8259]</b></td>
-<td class="top">
-<a>Bray, T.</a>, "<a href="https://tools.ietf.org/html/rfc8259">The JavaScript Object Notation (JSON) Data Interchange Format</a>", STD 90, RFC 8259, DOI 10.17487/RFC8259, December 2017.</td>
-</tr>
-</tbody></table>
-<h1 id="rfc.references.2">
-<a href="#rfc.references.2">9.2.</a> Informative References</h1>
-<table><tbody>
-<tr>
-<td class="reference"><b id="JSON-SCHEMA">[JSON-SCHEMA]</b></td>
-<td class="top">
-<a>Wright, A.</a>, "<a href="https://tools.ietf.org/html/draft-wright-json-schema">JSON Schema: A Media Type for Describing JSON Documents</a>", 2016.</td>
-</tr>
-<tr>
-<td class="reference"><b id="MISP-P">[MISP-P]</b></td>
-<td class="top">
-<a>Community, M.</a>, "<a href="https://github.com/MISP">MISP Project - Open Source Threat Intelligence Platform and Open Standards For Threat Information Sharing</a>"</td>
-</tr>
-<tr>
-<td class="reference"><b id="MISP-R">[MISP-R]</b></td>
-<td class="top">
-<a>Community, M.</a>, "<a href="https://github.com/MISP/misp-objects/tree/master/relationships">MISP Object Relationship Types - common vocabulary of relationships</a>"</td>
-</tr>
-<tr>
-<td class="reference"><b id="MISP-T">[MISP-T]</b></td>
-<td class="top">
-<a>Community, M.</a>, "<a href="https://github.com/MISP/misp-taxonomies">MISP Taxonomies - shared and common vocabularies of tags</a>"</td>
-</tr>
-</tbody></table>
-<h1 id="rfc.authors"><a href="#rfc.authors">Authors' Addresses</a></h1>
-<div class="avoidbreak">
-  <address class="vcard">
-	<span class="vcardline">
-	  <span class="fn">Alexandre Dulaunoy</span> 
-	  <span class="n hidden">
-		<span class="family-name">Dulaunoy</span>
-	  </span>
-	</span>
-	<span class="org vcardline">Computer Incident Response Center Luxembourg</span>
-	<span class="adr">
-	  <span class="vcardline">16, bd d'Avranches</span>
-
-	  <span class="vcardline">
-		<span class="locality">Luxembourg</span>,  
-		<span class="region"></span>
-		<span class="code">L-1160</span>
-	  </span>
-	  <span class="country-name vcardline">Luxembourg</span>
-	</span>
-	<span class="vcardline">Phone: +352 247 88444</span>
-
-<span class="vcardline">EMail: <a href="mailto:alexandre.dulaunoy@circl.lu">alexandre.dulaunoy@circl.lu</a></span>
-
-  </address>
-</div><div class="avoidbreak">
-  <address class="vcard">
-	<span class="vcardline">
-	  <span class="fn">Andras Iklody</span> 
-	  <span class="n hidden">
-		<span class="family-name">Iklody</span>
-	  </span>
-	</span>
-	<span class="org vcardline">Computer Incident Response Center Luxembourg</span>
-	<span class="adr">
-	  <span class="vcardline">16, bd d'Avranches</span>
-
-	  <span class="vcardline">
-		<span class="locality">Luxembourg</span>,  
-		<span class="region"></span>
-		<span class="code">L-1160</span>
-	  </span>
-	  <span class="country-name vcardline">Luxembourg</span>
-	</span>
-	<span class="vcardline">Phone: +352 247 88444</span>
-
-<span class="vcardline">EMail: <a href="mailto:andras.iklody@circl.lu">andras.iklody@circl.lu</a></span>
-
-  </address>
+</pre><a href="#section-4.1.1-1" class="pilcrow">¶</a>
 </div>
-
+</section>
+</div>
+</section>
+</div>
+</section>
+</div>
+<div id="implementation">
+<section id="section-5">
+      <h2 id="name-implementation">
+<a href="#section-5" class="section-number selfRef">5. </a><a href="#name-implementation" class="section-name selfRef">Implementation</a>
+      </h2>
+<p id="section-5-1">MISP format is implemented by different software including the MISP threat sharing
+platform and libraries like PyMISP <span>[<a href="#MISP-P" class="xref">MISP-P</a>]</span>. Implementations use the format
+as an export/import mechanism, staging transport format or synchronisation format
+as used in the MISP core platform. MISP format doesn't impose any restriction on
+the data representation of the format in data-structure of other implementations.<a href="#section-5-1" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="security-considerations">
+<section id="section-6">
+      <h2 id="name-security-considerations">
+<a href="#section-6" class="section-number selfRef">6. </a><a href="#name-security-considerations" class="section-name selfRef">Security Considerations</a>
+      </h2>
+<p id="section-6-1">MISP events might contain sensitive or confidential information. Adequate
+access control and encryption measures shall be implemented to ensure
+the confidentiality of the MISP events.<a href="#section-6-1" class="pilcrow">¶</a></p>
+<p id="section-6-2">Adversaries might include malicious content in MISP events and attributes.
+Implementation <span class="bcp14">MUST</span> consider the input of malicious inputs beside the
+standard threat information that might already include malicious intended inputs.<a href="#section-6-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="acknowledgements">
+<section id="section-7">
+      <h2 id="name-acknowledgements">
+<a href="#section-7" class="section-number selfRef">7. </a><a href="#name-acknowledgements" class="section-name selfRef">Acknowledgements</a>
+      </h2>
+<p id="section-7-1">The authors wish to thank all the MISP community who are supporting the creation
+of open standards in threat intelligence sharing. A special thank to Nicolas Bareil
+for the review of the JSON Schema.<a href="#section-7-1" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="references">
+<section id="section-8">
+      <h2 id="name-references">
+<a href="#section-8" class="section-number selfRef">8. </a><a href="#name-references" class="section-name selfRef">References</a>
+    </h2>
+</section>
+</div>
+<section id="section-9">
+      <h2 id="name-normative-references">
+<a href="#section-9" class="section-number selfRef">9. </a><a href="#name-normative-references" class="section-name selfRef">Normative References</a>
+      </h2>
+<dl class="references">
+<dt id="RFC2119">[RFC2119]</dt>
+      <dd>
+<span class="refAuthor">Bradner, S.</span>, <span class="refTitle">"Key words for use in RFCs to Indicate Requirement Levels"</span>, <span class="seriesInfo">BCP 14</span>, <span class="seriesInfo">RFC 2119</span>, <span class="seriesInfo">DOI 10.17487/RFC2119</span>, <time datetime="1997-03" class="refDate">March 1997</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc2119">https://www.rfc-editor.org/info/rfc2119</a>&gt;</span>. </dd>
+<dd class="break"></dd>
+<dt id="RFC4122">[RFC4122]</dt>
+      <dd>
+<span class="refAuthor">Leach, P.</span>, <span class="refAuthor">Mealling, M.</span>, and <span class="refAuthor">R. Salz</span>, <span class="refTitle">"A Universally Unique IDentifier (UUID) URN Namespace"</span>, <span class="seriesInfo">RFC 4122</span>, <span class="seriesInfo">DOI 10.17487/RFC4122</span>, <time datetime="2005-07" class="refDate">July 2005</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc4122">https://www.rfc-editor.org/info/rfc4122</a>&gt;</span>. </dd>
+<dd class="break"></dd>
+<dt id="RFC4880">[RFC4880]</dt>
+      <dd>
+<span class="refAuthor">Callas, J.</span>, <span class="refAuthor">Donnerhacke, L.</span>, <span class="refAuthor">Finney, H.</span>, <span class="refAuthor">Shaw, D.</span>, and <span class="refAuthor">R. Thayer</span>, <span class="refTitle">"OpenPGP Message Format"</span>, <span class="seriesInfo">RFC 4880</span>, <span class="seriesInfo">DOI 10.17487/RFC4880</span>, <time datetime="2007-11" class="refDate">November 2007</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc4880">https://www.rfc-editor.org/info/rfc4880</a>&gt;</span>. </dd>
+<dd class="break"></dd>
+<dt id="RFC8259">[RFC8259]</dt>
+    <dd>
+<span class="refAuthor">Bray, T., Ed.</span>, <span class="refTitle">"The JavaScript Object Notation (JSON) Data Interchange Format"</span>, <span class="seriesInfo">STD 90</span>, <span class="seriesInfo">RFC 8259</span>, <span class="seriesInfo">DOI 10.17487/RFC8259</span>, <time datetime="2017-12" class="refDate">December 2017</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc8259">https://www.rfc-editor.org/info/rfc8259</a>&gt;</span>. </dd>
+<dd class="break"></dd>
+</dl>
+</section>
+<section id="section-10">
+      <h2 id="name-informative-references">
+<a href="#section-10" class="section-number selfRef">10. </a><a href="#name-informative-references" class="section-name selfRef">Informative References</a>
+      </h2>
+<dl class="references">
+<dt id="JSON-SCHEMA">[JSON-SCHEMA]</dt>
+      <dd>
+<span class="refAuthor">Wright, A.</span>, <span class="refTitle">"JSON Schema: A Media Type for Describing JSON Documents"</span>, <span class="refContent"></span>, <time datetime="2016" class="refDate">2016</time>, <span>&lt;<a href="https://tools.ietf.org/html/draft-wright-json-schema">https://tools.ietf.org/html/draft-wright-json-schema</a>&gt;</span>. </dd>
+<dd class="break"></dd>
+<dt id="MISP-P">[MISP-P]</dt>
+      <dd>
+<span class="refAuthor">Community, M.</span>, <span class="refTitle">"MISP Project - Open Source Threat Intelligence Platform and Open Standards For Threat Information Sharing"</span>, <span class="refContent"></span>, <span>&lt;<a href="https://github.com/MISP">https://github.com/MISP</a>&gt;</span>. </dd>
+<dd class="break"></dd>
+<dt id="MISP-R">[MISP-R]</dt>
+      <dd>
+<span class="refAuthor">Community, M.</span>, <span class="refTitle">"MISP Object Relationship Types - common vocabulary of relationships"</span>, <span class="refContent"></span>, <span>&lt;<a href="https://github.com/MISP/misp-objects/tree/master/relationships">https://github.com/MISP/misp-objects/tree/master/relationships</a>&gt;</span>. </dd>
+<dd class="break"></dd>
+<dt id="MISP-T">[MISP-T]</dt>
+    <dd>
+<span class="refAuthor">Community, M.</span>, <span class="refTitle">"MISP Taxonomies - shared and common vocabularies of tags"</span>, <span class="refContent"></span>, <span>&lt;<a href="https://github.com/MISP/misp-taxonomies">https://github.com/MISP/misp-taxonomies</a>&gt;</span>. </dd>
+<dd class="break"></dd>
+</dl>
+</section>
+<div id="authors-addresses">
+<section id="appendix-A">
+      <h2 id="name-authors-addresses">
+<a href="#name-authors-addresses" class="section-name selfRef">Authors' Addresses</a>
+      </h2>
+<address class="vcard">
+        <div dir="auto" class="left"><span class="fn nameRole">Alexandre Dulaunoy</span></div>
+<div dir="auto" class="left"><span class="org">Computer Incident Response Center Luxembourg</span></div>
+<div dir="auto" class="left"><span class="street-address">16, bd d'Avranches</span></div>
+<div dir="auto" class="left">L-<span class="postal-code">L-1160</span> <span class="locality">Luxembourg</span>
+</div>
+<div dir="auto" class="left"><span class="country-name">Luxembourg</span></div>
+<div class="tel">
+<span>Phone:</span>
+<a href="tel:+352%20247%2088444" class="tel">+352 247 88444</a>
+</div>
+<div class="email">
+<span>Email:</span>
+<a href="mailto:alexandre.dulaunoy@circl.lu" class="email">alexandre.dulaunoy@circl.lu</a>
+</div>
+</address>
+<address class="vcard">
+        <div dir="auto" class="left"><span class="fn nameRole">Andras Iklody</span></div>
+<div dir="auto" class="left"><span class="org">Computer Incident Response Center Luxembourg</span></div>
+<div dir="auto" class="left"><span class="street-address">16, bd d'Avranches</span></div>
+<div dir="auto" class="left">L-<span class="postal-code">L-1160</span> <span class="locality">Luxembourg</span>
+</div>
+<div dir="auto" class="left"><span class="country-name">Luxembourg</span></div>
+<div class="tel">
+<span>Phone:</span>
+<a href="tel:+352%20247%2088444" class="tel">+352 247 88444</a>
+</div>
+<div class="email">
+<span>Email:</span>
+<a href="mailto:andras.iklody@circl.lu" class="email">andras.iklody@circl.lu</a>
+</div>
+</address>
+</section>
+</div>
+<script>const toc = document.getElementById("toc");
+toc.querySelector("h2").addEventListener("click", e => {
+  toc.classList.toggle("active");
+});
+toc.querySelector("nav").addEventListener("click", e => {
+  toc.classList.remove("active");
+});
+</script>
 </body>
 </html>
diff --git a/rfc/misp-standard-core.txt b/rfc/misp-standard-core.txt
index 6dbbdc6..b2a6c8c 100644
--- a/rfc/misp-standard-core.txt
+++ b/rfc/misp-standard-core.txt
@@ -4,11 +4,12 @@
 
 Network Working Group                                        A. Dulaunoy
 Internet-Draft                                                 A. Iklody
-Expires: April 24, 2021                                            CIRCL
-                                                        October 21, 2020
+Intended status: Informational                                     CIRCL
+Expires: 1 May 2022                                      28 October 2021
 
 
                             MISP core format
+                                draft-00
 
 Abstract
 
@@ -36,31 +37,27 @@ Status of This Memo
    time.  It is inappropriate to use Internet-Drafts as reference
    material or to cite them other than as "work in progress."
 
-   This Internet-Draft will expire on April 24, 2021.
+   This Internet-Draft will expire on 1 May 2022.
 
 Copyright Notice
 
-   Copyright (c) 2020 IETF Trust and the persons identified as the
+   Copyright (c) 2021 IETF Trust and the persons identified as the
    document authors.  All rights reserved.
 
    This document is subject to BCP 78 and the IETF Trust's Legal
-   Provisions Relating to IETF Documents
-   (https://trustee.ietf.org/license-info) in effect on the date of
-   publication of this document.  Please review these documents
-   carefully, as they describe your rights and restrictions with respect
-   to this document.  Code Components extracted from this document must
-   include Simplified BSD License text as described in Section 4.e of
+   Provisions Relating to IETF Documents (https://trustee.ietf.org/
+   license-info) in effect on the date of publication of this document.
+   Please review these documents carefully, as they describe your rights
+   and restrictions with respect to this document.
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                 [Page 1]
+
+Dulaunoy & Iklody          Expires 1 May 2022                   [Page 1]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format                October 2021
 
 
-   the Trust Legal Provisions and are provided without warranty as
-   described in the Simplified BSD License.
-
 Table of Contents
 
    1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
@@ -68,14 +65,14 @@ Table of Contents
    2.  Format  . . . . . . . . . . . . . . . . . . . . . . . . . . .   3
      2.1.  Overview  . . . . . . . . . . . . . . . . . . . . . . . .   3
      2.2.  Event . . . . . . . . . . . . . . . . . . . . . . . . . .   3
-       2.2.1.  Event Attributes  . . . . . . . . . . . . . . . . . .   4
+       2.2.1.  Event Attributes  . . . . . . . . . . . . . . . . . .   3
      2.3.  Objects . . . . . . . . . . . . . . . . . . . . . . . . .   7
        2.3.1.  Org . . . . . . . . . . . . . . . . . . . . . . . . .   7
        2.3.2.  Orgc  . . . . . . . . . . . . . . . . . . . . . . . .   8
      2.4.  Attribute . . . . . . . . . . . . . . . . . . . . . . . .   8
-       2.4.1.  Sample Attribute Object . . . . . . . . . . . . . . .   9
+       2.4.1.  Sample Attribute Object . . . . . . . . . . . . . . .   8
        2.4.2.  Attribute Attributes  . . . . . . . . . . . . . . . .   9
-     2.5.  ShadowAttribute . . . . . . . . . . . . . . . . . . . . .  16
+     2.5.  ShadowAttribute . . . . . . . . . . . . . . . . . . . . .  15
        2.5.1.  Sample Attribute Object . . . . . . . . . . . . . . .  16
        2.5.2.  ShadowAttribute Attributes  . . . . . . . . . . . . .  16
        2.5.3.  Org . . . . . . . . . . . . . . . . . . . . . . . . .  22
@@ -86,16 +83,16 @@ Table of Contents
        2.7.1.  Sample ObjectReference object . . . . . . . . . . . .  28
        2.7.2.  ObjectReference Attributes  . . . . . . . . . . . . .  28
      2.8.  EventReport . . . . . . . . . . . . . . . . . . . . . . .  30
-       2.8.1.  id  . . . . . . . . . . . . . . . . . . . . . . . . .  31
+       2.8.1.  id  . . . . . . . . . . . . . . . . . . . . . . . . .  30
        2.8.2.  UUID  . . . . . . . . . . . . . . . . . . . . . . . .  31
        2.8.3.  event_id  . . . . . . . . . . . . . . . . . . . . . .  31
        2.8.4.  name  . . . . . . . . . . . . . . . . . . . . . . . .  31
        2.8.5.  content . . . . . . . . . . . . . . . . . . . . . . .  31
-       2.8.6.  distribution  . . . . . . . . . . . . . . . . . . . .  32
+       2.8.6.  distribution  . . . . . . . . . . . . . . . . . . . .  31
        2.8.7.  sharing_group_id  . . . . . . . . . . . . . . . . . .  32
        2.8.8.  timestamp . . . . . . . . . . . . . . . . . . . . . .  32
-       2.8.9.  deleted . . . . . . . . . . . . . . . . . . . . . . .  33
-     2.9.  Tag . . . . . . . . . . . . . . . . . . . . . . . . . . .  33
+       2.8.9.  deleted . . . . . . . . . . . . . . . . . . . . . . .  32
+     2.9.  Tag . . . . . . . . . . . . . . . . . . . . . . . . . . .  32
        2.9.1.  Sample Tag  . . . . . . . . . . . . . . . . . . . . .  33
      2.10. Sighting  . . . . . . . . . . . . . . . . . . . . . . . .  33
        2.10.1.  Sample Sighting  . . . . . . . . . . . . . . . . . .  34
@@ -106,20 +103,19 @@ Table of Contents
      4.1.  Format  . . . . . . . . . . . . . . . . . . . . . . . . .  51
        4.1.1.  Sample Manifest . . . . . . . . . . . . . . . . . . .  52
    5.  Implementation  . . . . . . . . . . . . . . . . . . . . . . .  53
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                 [Page 2]
-
-Internet-Draft              MISP core format                October 2020
-
-
    6.  Security Considerations . . . . . . . . . . . . . . . . . . .  53
    7.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  53
    8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  53
-   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  53
-     9.1.  Normative References  . . . . . . . . . . . . . . . . . .  54
-     9.2.  Informative References  . . . . . . . . . . . . . . . . .  54
+
+
+
+Dulaunoy & Iklody          Expires 1 May 2022                   [Page 2]
+
+Internet-Draft              MISP core format                October 2021
+
+
+   9.  Normative References  . . . . . . . . . . . . . . . . . . . .  53
+   10. Informative References  . . . . . . . . . . . . . . . . . . .  54
    Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  54
 
 1.  Introduction
@@ -160,18 +156,20 @@ Internet-Draft              MISP core format                October 2020
    specific threat actor analysis.  The meaning of an event only depends
    of the information embedded in the event.
 
-
-
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                 [Page 3]
-
-Internet-Draft              MISP core format                October 2020
-
-
 2.2.1.  Event Attributes
 
+
+
+
+
+
+
+
+Dulaunoy & Iklody          Expires 1 May 2022                   [Page 3]
+
+Internet-Draft              MISP core format                October 2021
+
+
 2.2.1.1.  uuid
 
    uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of
@@ -211,26 +209,23 @@ Internet-Draft              MISP core format                October 2020
 
    threat_level_id represents the threat level.
 
-   4:
-      Undefined
+   4:  Undefined
 
-   3:
-      Low
+   3:  Low
 
-   2:
+   2:  Medium
+
+   1:  High
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                 [Page 4]
+
+
+Dulaunoy & Iklody          Expires 1 May 2022                   [Page 4]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format                October 2021
 
 
-      Medium
-
-   1:
-      High
-
    If a higher granularity is required, a MISP taxonomy applied as a Tag
    SHOULD be preferred.
 
@@ -241,14 +236,11 @@ Internet-Draft              MISP core format                October 2020
 
    analysis represents the analysis level.
 
-   0:
-      Initial
+   0:  Initial
 
-   1:
-      Ongoing
+   1:  Ongoing
 
-   2:
-      Complete
+   2:  Complete
 
    If a higher granularity is required, a MISP taxonomy applied as a Tag
    SHOULD be preferred.
@@ -272,16 +264,6 @@ Internet-Draft              MISP core format                October 2020
 
    timestamp is represented as a JSON string. timestamp MUST be present.
 
-
-
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                 [Page 5]
-
-Internet-Draft              MISP core format                October 2020
-
-
 2.2.1.9.  publish_timestamp
 
    publish_timestamp represents a reference time when the event was
@@ -293,6 +275,13 @@ Internet-Draft              MISP core format                October 2020
    previous publication timestamp.  If the event was never published,
    the published_timestamp MUST be set to 0.
 
+
+
+Dulaunoy & Iklody          Expires 1 May 2022                   [Page 5]
+
+Internet-Draft              MISP core format                October 2021
+
+
    publish_timestamp is represented as a JSON string. publish_timestamp
    MUST be present.
 
@@ -331,30 +320,25 @@ Internet-Draft              MISP core format                October 2020
    The system must adhere to the distribution setting for access control
    and for dissemination of the event.
 
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                 [Page 6]
-
-Internet-Draft              MISP core format                October 2020
-
-
    distribution is represented by a JSON string. distribution MUST be
    present and be one of the following options:
 
-   0
-      Your Organisation Only
+   0  Your Organisation Only
 
-   1
-      This Community Only
+   1  This Community Only
 
-   2
-      Connected Communities
+   2  Connected Communities
 
-   3
-      All Communities
+   3  All Communities
 
-   4
-      Sharing Group
+
+
+Dulaunoy & Iklody          Expires 1 May 2022                   [Page 6]
+
+Internet-Draft              MISP core format                October 2021
+
+
+   4  Sharing Group
 
 2.2.1.14.  sharing_group_id
 
@@ -386,14 +370,6 @@ Internet-Draft              MISP core format                October 2020
    [RFC4122] of the organisation.  The organisation UUID is globally
    assigned to an organisation and SHALL be kept overtime.
 
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                 [Page 7]
-
-Internet-Draft              MISP core format                October 2020
-
-
    The name is a readable description of the organisation and SHOULD be
    present.  The id is a human-readable identifier generated by the
    instance and used as reference in the event.  A human-readable
@@ -410,6 +386,14 @@ Internet-Draft              MISP core format                October 2020
            "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
           }
 
+
+
+
+Dulaunoy & Iklody          Expires 1 May 2022                   [Page 7]
+
+Internet-Draft              MISP core format                October 2021
+
+
 2.3.2.  Orgc
 
    An Orgc object is composed of an uuid, name and id.
@@ -438,20 +422,34 @@ Internet-Draft              MISP core format                October 2020
    A MISP document MUST at least includes category-type-value triplet
    described in section "Attribute Attributes".
 
-
-
-
-
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                 [Page 8]
-
-Internet-Draft              MISP core format                October 2020
-
-
 2.4.1.  Sample Attribute Object
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Dulaunoy & Iklody          Expires 1 May 2022                   [Page 8]
+
+Internet-Draft              MISP core format                October 2021
+
+
    "Attribute": {
                  "id": "346056",
                  "type": "comment",
@@ -497,50 +495,46 @@ Internet-Draft              MISP core format                October 2020
    describe the intent of the attribute creator, using a list of pre-
    defined attribute types.
 
-
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                 [Page 9]
-
-Internet-Draft              MISP core format                October 2020
-
-
    type is represented as a JSON string. type MUST be present and it
    MUST be a valid selection for the chosen category.  The list of valid
    category-type combinations is as follows:
 
-   Antivirus detection
-      link, comment, text, hex, attachment, other, anonymised
 
-   Artifacts dropped
-      md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
-      sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash,
-      impfuzzy, authentihash, vhash, cdhash, filename, filename|md5,
-      filename|sha1, filename|sha224, filename|sha256, filename|sha384,
-      filename|sha512, filename|sha512/224, filename|sha512/256,
-      filename|sha3-224, filename|sha3-256, filename|sha3-384,
-      filename|sha3-512, filename|authentihash, filename|vhash,
-      filename|ssdeep, filename|tlsh, filename|imphash,
-      filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-
-      in-file, pattern-in-memory, filename-pattern, pdb, stix2-pattern,
-      yara, sigma, attachment, malware-sample, named pipe, mutex,
+
+Dulaunoy & Iklody          Expires 1 May 2022                   [Page 9]
+
+Internet-Draft              MISP core format                October 2021
+
+
+   Antivirus detection  link, comment, text, hex, attachment, other,
+      anonymised
+
+   Artifacts dropped  md5, sha1, sha224, sha256, sha384, sha512,
+      sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512,
+      ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, cdhash,
+      filename, filename|md5, filename|sha1, filename|sha224,
+      filename|sha256, filename|sha384, filename|sha512,
+      filename|sha512/224, filename|sha512/256, filename|sha3-224,
+      filename|sha3-256, filename|sha3-384, filename|sha3-512,
+      filename|authentihash, filename|vhash, filename|ssdeep,
+      filename|tlsh, filename|imphash, filename|impfuzzy,
+      filename|pehash, regkey, regkey|value, pattern-in-file, pattern-
+      in-memory, filename-pattern, pdb, stix2-pattern, yara, sigma,
+      attachment, malware-sample, named pipe, mutex, process-state,
       windows-scheduled-task, windows-service-name, windows-service-
       displayname, comment, text, hex, x509-fingerprint-sha1, x509-
       fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene,
       kusto-query, mime-type, anonymised, pgp-public-key, pgp-private-
       key
 
-   Attribution
-      threat-actor, campaign-name, campaign-id, whois-registrant-phone,
-      whois-registrant-email, whois-registrant-name, whois-registrant-
-      org, whois-registrar, whois-creation-date, comment, text, x509-
-      fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256,
-      other, dns-soa-email, anonymised, email
+   Attribution  threat-actor, campaign-name, campaign-id, whois-
+      registrant-phone, whois-registrant-email, whois-registrant-name,
+      whois-registrant-org, whois-registrar, whois-creation-date,
+      comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-
+      fingerprint-sha256, other, dns-soa-email, anonymised, email
 
-   External analysis
-      md5, sha1, sha256, sha3-224, sha3-256, sha3-384, sha3-512,
-      filename, filename|md5, filename|sha1, filename|sha256,
+   External analysis  md5, sha1, sha256, sha3-224, sha3-256, sha3-384,
+      sha3-512, filename, filename|md5, filename|sha1, filename|sha256,
       filename|sha3-224, filename|sha3-256, filename|sha3-384,
       filename|sha3-512, ip-src, ip-dst, ip-dst|port, ip-src|port, mac-
       address, mac-eui-64, hostname, domain, domain|ip, url, user-agent,
@@ -548,47 +542,48 @@ Internet-Draft              MISP core format                October 2020
       pattern-in-traffic, pattern-in-memory, filename-pattern,
       vulnerability, cpe, weakness, attachment, malware-sample, link,
       comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-
-      fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-
-      md5, github-repository, other, cortex, anonymised, community-id
+      fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-
+      md5, hasshserver-md5, github-repository, other, cortex,
+      anonymised, community-id
 
-   Financial fraud
-      btc, dash, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-
-      number, prtn, phone-number, comment, text, other, hex, anonymised
+   Financial fraud  btc, dash, xmr, iban, bic, bank-account-nr, aba-rtn,
+      bin, cc-number, prtn, phone-number, comment, text, other, hex,
+      anonymised
+
+   Internal reference  text, link, comment, other, hex, anonymised, git-
+      commit-id
+
+   Network activity  ip-src, ip-dst, ip-dst|port, ip-src|port, port,
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 10]
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 10]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format                October 2021
 
 
-   Internal reference
-      text, link, comment, other, hex, anonymised, git-commit-id
+      hostname, domain, domain|ip, mac-address, mac-eui-64, email,
+      email-dst, email-src, eppn, url, uri, user-agent, http-method, AS,
+      snort, pattern-in-file, filename-pattern, stix2-pattern, pattern-
+      in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-
+      fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5,
+      jarm-fingerprint, hassh-md5, hasshserver-md5, other, hex, cookie,
+      hostname|port, bro, zeek, anonymised, community-id, email-subject,
+      favicon-mmh3, dkim, dkim-signature, ssh-fingerprint
 
-   Network activity
-      ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain,
-      domain|ip, mac-address, mac-eui-64, email, email-dst, email-src,
-      eppn, url, uri, user-agent, http-method, AS, snort, pattern-in-
-      file, filename-pattern, stix2-pattern, pattern-in-traffic,
-      attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-
-      sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5,
-      hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek,
-      anonymised, community-id, email-subject
+   Other  comment, text, other, size-in-bytes, counter, datetime, cpe,
+      port, float, hex, phone-number, boolean, anonymised, pgp-public-
+      key, pgp-private-key
 
-   Other
-      comment, text, other, size-in-bytes, counter, datetime, cpe, port,
-      float, hex, phone-number, boolean, anonymised, pgp-public-key,
-      pgp-private-key
-
-   Payload delivery
-      md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
-      sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash,
-      impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename,
-      filename|md5, filename|sha1, filename|sha224, filename|sha256,
-      filename|sha384, filename|sha512, filename|sha512/224,
-      filename|sha512/256, filename|sha3-224, filename|sha3-256,
-      filename|sha3-384, filename|sha3-512, filename|authentihash,
-      filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash,
+   Payload delivery  md5, sha1, sha224, sha256, sha384, sha512,
+      sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512,
+      ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash,
+      tlsh, cdhash, filename, filename|md5, filename|sha1,
+      filename|sha224, filename|sha256, filename|sha384,
+      filename|sha512, filename|sha512/224, filename|sha512/256,
+      filename|sha3-224, filename|sha3-256, filename|sha3-384,
+      filename|sha3-512, filename|authentihash, filename|vhash,
+      filename|ssdeep, filename|tlsh, filename|imphash,
       filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-
       src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email,
       email-src, email-dst, email-subject, email-attachment, email-body,
@@ -597,83 +592,66 @@ Internet-Draft              MISP core format                October 2020
       attachment, malware-sample, link, malware-type, comment, text,
       hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-
       fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5,
-      hassh-md5, hasshserver-md5, other, hostname|port, email-dst-
-      display-name, email-src-display-name, email-header, email-reply-
-      to, email-x-mailer, email-mime-boundary, email-thread-index,
-      email-message-id, mobile-application-id, chrome-extension-id,
-      whois-registrant-email, anonymised
+      jarm-fingerprint, hassh-md5, hasshserver-md5, other,
+      hostname|port, email-dst-display-name, email-src-display-name,
+      email-header, email-reply-to, email-x-mailer, email-mime-boundary,
+      email-thread-index, email-message-id, mobile-application-id,
+      chrome-extension-id, whois-registrant-email, anonymised
 
-   Payload installation
-      md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
-      sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash,
-      impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename,
-      filename|md5, filename|sha1, filename|sha224, filename|sha256,
-      filename|sha384, filename|sha512, filename|sha512/224,
-      filename|sha512/256, filename|sha3-224, filename|sha3-256,
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 11]
-
-Internet-Draft              MISP core format                October 2020
-
-
-      filename|sha3-384, filename|sha3-512, filename|authentihash,
-      filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash,
+   Payload installation  md5, sha1, sha224, sha256, sha384, sha512,
+      sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512,
+      ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash,
+      tlsh, cdhash, filename, filename|md5, filename|sha1,
+      filename|sha224, filename|sha256, filename|sha384,
+      filename|sha512, filename|sha512/224, filename|sha512/256,
+      filename|sha3-224, filename|sha3-256, filename|sha3-384,
+      filename|sha3-512, filename|authentihash, filename|vhash,
+      filename|ssdeep, filename|tlsh, filename|imphash,
       filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-
       traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara,
       sigma, vulnerability, cpe, weakness, attachment, malware-sample,
+
+
+
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 11]
+
+Internet-Draft              MISP core format                October 2021
+
+
       malware-type, comment, text, hex, x509-fingerprint-sha1, x509-
       fingerprint-md5, x509-fingerprint-sha256, mobile-application-id,
       chrome-extension-id, other, mime-type, anonymised
 
-   Payload type
-      comment, text, other, anonymised
+   Payload type  comment, text, other, anonymised
 
-   Persistence mechanism
-      filename, regkey, regkey|value, comment, text, other, hex,
-      anonymised
+   Persistence mechanism  filename, regkey, regkey|value, comment, text,
+      other, hex, anonymised
 
-   Person
-      first-name, middle-name, last-name, date-of-birth, place-of-birth,
-      gender, passport-number, passport-country, passport-expiration,
-      redress-number, nationality, visa-number, issue-date-of-the-visa,
-      primary-residence, country-of-residence, special-service-request,
-      frequent-flyer-number, travel-details, payment-details, place-
-      port-of-original-embarkation, place-port-of-clearance, place-port-
-      of-onward-foreign-destination, passenger-name-record-locator-
-      number, comment, text, other, phone-number, identity-card-number,
-      anonymised, email, pgp-public-key, pgp-private-key
-
-   Social network
-      github-username, github-repository, github-organisation, jabber-
-      id, twitter-id, email, email-src, email-dst, eppn, comment, text,
-      other, whois-registrant-email, anonymised, pgp-public-key, pgp-
+   Person  first-name, middle-name, last-name, full-name, date-of-birth,
+      place-of-birth, gender, passport-number, passport-country,
+      passport-expiration, redress-number, nationality, visa-number,
+      issue-date-of-the-visa, primary-residence, country-of-residence,
+      special-service-request, frequent-flyer-number, travel-details,
+      payment-details, place-port-of-original-embarkation, place-port-
+      of-clearance, place-port-of-onward-foreign-destination, passenger-
+      name-record-locator-number, comment, text, other, phone-number,
+      identity-card-number, anonymised, email, pgp-public-key, pgp-
       private-key
 
-   Support Tool
-      link, text, attachment, comment, other, hex, anonymised
+   Social network  github-username, github-repository, github-
+      organisation, jabber-id, twitter-id, email, email-src, email-dst,
+      eppn, comment, text, other, whois-registrant-email, anonymised,
+      pgp-public-key, pgp-private-key
 
-   Targeting data
-      target-user, target-email, target-machine, target-org, target-
-      location, target-external, comment, anonymised
+   Support Tool  link, text, attachment, comment, other, hex, anonymised
+
+   Targeting data  target-user, target-email, target-machine, target-
+      org, target-location, target-external, comment, anonymised
 
    Attributes are based on the usage within their different communities.
    Attributes can be extended on a regular basis and this reference
    document is updated accordingly.
 
-
-
-
-
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 12]
-
-Internet-Draft              MISP core format                October 2020
-
-
 2.4.2.4.  category
 
    category represents the intent of what the attribute is describing as
@@ -684,6 +662,18 @@ Internet-Draft              MISP core format                October 2020
    and it MUST be a valid selection for the chosen type.  The list of
    valid category-type combinations is mentioned above.
 
+
+
+
+
+
+
+
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 12]
+
+Internet-Draft              MISP core format                October 2021
+
+
 2.4.2.5.  to_ids
 
    to_ids represents whether the attribute is meant to be actionable.
@@ -713,31 +703,17 @@ Internet-Draft              MISP core format                October 2020
    distribution is represented by a JSON string. distribution MUST be
    present and be one of the following options:
 
-   0
-      Your Organisation Only
+   0  Your Organisation Only
 
-   1
-      This Community Only
+   1  This Community Only
 
-   2
-      Connected Communities
+   2  Connected Communities
 
+   3  All Communities
 
+   4  Sharing Group
 
-
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 13]
-
-Internet-Draft              MISP core format                October 2020
-
-
-   3
-      All Communities
-
-   4
-      Sharing Group
-
-   5
-      Inherit Event
+   5  Inherit Event
 
 2.4.2.8.  timestamp
 
@@ -747,6 +723,13 @@ Internet-Draft              MISP core format                October 2020
 
    timestamp is represented as a JSON string. timestamp MUST be present.
 
+
+
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 13]
+
+Internet-Draft              MISP core format                October 2021
+
+
 2.4.2.9.  comment
 
    comment is a contextual comment field.
@@ -779,13 +762,6 @@ Internet-Draft              MISP core format                October 2020
    using a password protected zip archive, with the password being
    "infected".
 
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 14]
-
-Internet-Draft              MISP core format                October 2020
-
-
    data is represented by a JSON string in base64 encoding. data MUST be
    set for attributes of type malware-sample and attachment.
 
@@ -800,6 +776,16 @@ Internet-Draft              MISP core format                October 2020
 
    RelatedAttribute MAY be present.
 
+
+
+
+
+
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 14]
+
+Internet-Draft              MISP core format                October 2021
+
+
 2.4.2.14.  ShadowAttribute
 
    ShadowAttribute is an array of shadow attributes that serve as
@@ -835,13 +821,6 @@ Internet-Draft              MISP core format                October 2020
    seen. last_seen is expressed as an ISO 8601 datetime up to the micro-
    second with time zone support.
 
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 15]
-
-Internet-Draft              MISP core format                October 2020
-
-
    last_seen is represented as a JSON string. last_seen MAY be present.
 
 2.5.  ShadowAttribute
@@ -856,6 +835,13 @@ Internet-Draft              MISP core format                October 2020
    reference to the creator of the ShadowAttribute as well as a
    revocation flag.
 
+
+
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 15]
+
+Internet-Draft              MISP core format                October 2021
+
+
 2.5.1.  Sample Attribute Object
 
 "ShadowAttribute":  {
@@ -890,21 +876,13 @@ Internet-Draft              MISP core format                October 2020
    the same event.  UUID version 4 is RECOMMENDED when assigning it to a
    new event.
 
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 16]
-
-Internet-Draft              MISP core format                October 2020
-
-
    uuid is represented as a JSON string. uuid MUST be present.
 
 2.5.2.2.  id
 
    id represents the human-readable identifier associated to the event
    for a specific MISP instance. human-readable identifier MUST be
-   represented as an unsigned integer.  id is represented as a JSON
+   represented as an unsigned integer. id is represented as a JSON
    string. id SHALL be present.
 
 2.5.2.3.  type
@@ -913,49 +891,46 @@ Internet-Draft              MISP core format                October 2020
    describe the intent of the attribute creator, using a list of pre-
    defined attribute types.
 
+
+
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 16]
+
+Internet-Draft              MISP core format                October 2021
+
+
    type is represented as a JSON string. type MUST be present and it
    MUST be a valid selection for the chosen category.  The list of valid
    category-type combinations is as follows:
 
-   Antivirus detection
-      link, comment, text, hex, attachment, other, anonymised
+   Antivirus detection  link, comment, text, hex, attachment, other,
+      anonymised
 
-   Artifacts dropped
-      md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
-      sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash,
-      impfuzzy, authentihash, vhash, cdhash, filename, filename|md5,
-      filename|sha1, filename|sha224, filename|sha256, filename|sha384,
-      filename|sha512, filename|sha512/224, filename|sha512/256,
-      filename|sha3-224, filename|sha3-256, filename|sha3-384,
-      filename|sha3-512, filename|authentihash, filename|vhash,
-      filename|ssdeep, filename|tlsh, filename|imphash,
-      filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-
-      in-file, pattern-in-memory, filename-pattern, pdb, stix2-pattern,
-      yara, sigma, attachment, malware-sample, named pipe, mutex,
+   Artifacts dropped  md5, sha1, sha224, sha256, sha384, sha512,
+      sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512,
+      ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, cdhash,
+      filename, filename|md5, filename|sha1, filename|sha224,
+      filename|sha256, filename|sha384, filename|sha512,
+      filename|sha512/224, filename|sha512/256, filename|sha3-224,
+      filename|sha3-256, filename|sha3-384, filename|sha3-512,
+      filename|authentihash, filename|vhash, filename|ssdeep,
+      filename|tlsh, filename|imphash, filename|impfuzzy,
+      filename|pehash, regkey, regkey|value, pattern-in-file, pattern-
+      in-memory, filename-pattern, pdb, stix2-pattern, yara, sigma,
+      attachment, malware-sample, named pipe, mutex, process-state,
       windows-scheduled-task, windows-service-name, windows-service-
       displayname, comment, text, hex, x509-fingerprint-sha1, x509-
       fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene,
       kusto-query, mime-type, anonymised, pgp-public-key, pgp-private-
       key
 
-   Attribution
-      threat-actor, campaign-name, campaign-id, whois-registrant-phone,
-      whois-registrant-email, whois-registrant-name, whois-registrant-
-      org, whois-registrar, whois-creation-date, comment, text, x509-
-      fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256,
-      other, dns-soa-email, anonymised, email
+   Attribution  threat-actor, campaign-name, campaign-id, whois-
+      registrant-phone, whois-registrant-email, whois-registrant-name,
+      whois-registrant-org, whois-registrar, whois-creation-date,
+      comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-
+      fingerprint-sha256, other, dns-soa-email, anonymised, email
 
-   External analysis
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 17]
-
-Internet-Draft              MISP core format                October 2020
-
-
-      md5, sha1, sha256, sha3-224, sha3-256, sha3-384, sha3-512,
-      filename, filename|md5, filename|sha1, filename|sha256,
+   External analysis  md5, sha1, sha256, sha3-224, sha3-256, sha3-384,
+      sha3-512, filename, filename|md5, filename|sha1, filename|sha256,
       filename|sha3-224, filename|sha3-256, filename|sha3-384,
       filename|sha3-512, ip-src, ip-dst, ip-dst|port, ip-src|port, mac-
       address, mac-eui-64, hostname, domain, domain|ip, url, user-agent,
@@ -963,71 +938,79 @@ Internet-Draft              MISP core format                October 2020
       pattern-in-traffic, pattern-in-memory, filename-pattern,
       vulnerability, cpe, weakness, attachment, malware-sample, link,
       comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-
-      fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-
-      md5, github-repository, other, cortex, anonymised, community-id
+      fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-
+      md5, hasshserver-md5, github-repository, other, cortex,
+      anonymised, community-id
 
-   Financial fraud
-      btc, dash, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-
-      number, prtn, phone-number, comment, text, other, hex, anonymised
+   Financial fraud  btc, dash, xmr, iban, bic, bank-account-nr, aba-rtn,
+      bin, cc-number, prtn, phone-number, comment, text, other, hex,
+      anonymised
 
-   Internal reference
-      text, link, comment, other, hex, anonymised, git-commit-id
 
-   Network activity
-      ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain,
-      domain|ip, mac-address, mac-eui-64, email, email-dst, email-src,
-      eppn, url, uri, user-agent, http-method, AS, snort, pattern-in-
-      file, filename-pattern, stix2-pattern, pattern-in-traffic,
-      attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-
-      sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5,
-      hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek,
-      anonymised, community-id, email-subject
 
-   Other
-      comment, text, other, size-in-bytes, counter, datetime, cpe, port,
-      float, hex, phone-number, boolean, anonymised, pgp-public-key,
-      pgp-private-key
 
-   Payload delivery
-      md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
-      sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash,
-      impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename,
-      filename|md5, filename|sha1, filename|sha224, filename|sha256,
-      filename|sha384, filename|sha512, filename|sha512/224,
-      filename|sha512/256, filename|sha3-224, filename|sha3-256,
-      filename|sha3-384, filename|sha3-512, filename|authentihash,
-      filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash,
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 17]
+
+Internet-Draft              MISP core format                October 2021
+
+
+   Internal reference  text, link, comment, other, hex, anonymised, git-
+      commit-id
+
+   Network activity  ip-src, ip-dst, ip-dst|port, ip-src|port, port,
+      hostname, domain, domain|ip, mac-address, mac-eui-64, email,
+      email-dst, email-src, eppn, url, uri, user-agent, http-method, AS,
+      snort, pattern-in-file, filename-pattern, stix2-pattern, pattern-
+      in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-
+      fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5,
+      jarm-fingerprint, hassh-md5, hasshserver-md5, other, hex, cookie,
+      hostname|port, bro, zeek, anonymised, community-id, email-subject,
+      favicon-mmh3, dkim, dkim-signature, ssh-fingerprint
+
+   Other  comment, text, other, size-in-bytes, counter, datetime, cpe,
+      port, float, hex, phone-number, boolean, anonymised, pgp-public-
+      key, pgp-private-key
+
+   Payload delivery  md5, sha1, sha224, sha256, sha384, sha512,
+      sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512,
+      ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash,
+      tlsh, cdhash, filename, filename|md5, filename|sha1,
+      filename|sha224, filename|sha256, filename|sha384,
+      filename|sha512, filename|sha512/224, filename|sha512/256,
+      filename|sha3-224, filename|sha3-256, filename|sha3-384,
+      filename|sha3-512, filename|authentihash, filename|vhash,
+      filename|ssdeep, filename|tlsh, filename|imphash,
       filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-
       src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email,
       email-src, email-dst, email-subject, email-attachment, email-body,
       url, user-agent, AS, pattern-in-file, pattern-in-traffic,
       filename-pattern, stix2-pattern, yara, sigma, mime-type,
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 18]
-
-Internet-Draft              MISP core format                October 2020
-
-
       attachment, malware-sample, link, malware-type, comment, text,
       hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-
       fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5,
-      hassh-md5, hasshserver-md5, other, hostname|port, email-dst-
-      display-name, email-src-display-name, email-header, email-reply-
-      to, email-x-mailer, email-mime-boundary, email-thread-index,
-      email-message-id, mobile-application-id, chrome-extension-id,
-      whois-registrant-email, anonymised
+      jarm-fingerprint, hassh-md5, hasshserver-md5, other,
+      hostname|port, email-dst-display-name, email-src-display-name,
+      email-header, email-reply-to, email-x-mailer, email-mime-boundary,
+      email-thread-index, email-message-id, mobile-application-id,
+      chrome-extension-id, whois-registrant-email, anonymised
 
-   Payload installation
-      md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
-      sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash,
-      impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename,
-      filename|md5, filename|sha1, filename|sha224, filename|sha256,
-      filename|sha384, filename|sha512, filename|sha512/224,
-      filename|sha512/256, filename|sha3-224, filename|sha3-256,
-      filename|sha3-384, filename|sha3-512, filename|authentihash,
-      filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash,
+   Payload installation  md5, sha1, sha224, sha256, sha384, sha512,
+      sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512,
+      ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash,
+      tlsh, cdhash, filename, filename|md5, filename|sha1,
+      filename|sha224, filename|sha256, filename|sha384,
+      filename|sha512, filename|sha512/224, filename|sha512/256,
+      filename|sha3-224, filename|sha3-256, filename|sha3-384,
+      filename|sha3-512, filename|authentihash, filename|vhash,
+
+
+
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 18]
+
+Internet-Draft              MISP core format                October 2021
+
+
+      filename|ssdeep, filename|tlsh, filename|imphash,
       filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-
       traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara,
       sigma, vulnerability, cpe, weakness, attachment, malware-sample,
@@ -1035,43 +1018,31 @@ Internet-Draft              MISP core format                October 2020
       fingerprint-md5, x509-fingerprint-sha256, mobile-application-id,
       chrome-extension-id, other, mime-type, anonymised
 
-   Payload type
-      comment, text, other, anonymised
+   Payload type  comment, text, other, anonymised
 
-   Persistence mechanism
-      filename, regkey, regkey|value, comment, text, other, hex,
-      anonymised
+   Persistence mechanism  filename, regkey, regkey|value, comment, text,
+      other, hex, anonymised
 
-   Person
-      first-name, middle-name, last-name, date-of-birth, place-of-birth,
-      gender, passport-number, passport-country, passport-expiration,
-      redress-number, nationality, visa-number, issue-date-of-the-visa,
-      primary-residence, country-of-residence, special-service-request,
-      frequent-flyer-number, travel-details, payment-details, place-
-      port-of-original-embarkation, place-port-of-clearance, place-port-
-      of-onward-foreign-destination, passenger-name-record-locator-
-      number, comment, text, other, phone-number, identity-card-number,
-      anonymised, email, pgp-public-key, pgp-private-key
-
-   Social network
-      github-username, github-repository, github-organisation, jabber-
-      id, twitter-id, email, email-src, email-dst, eppn, comment, text,
-      other, whois-registrant-email, anonymised, pgp-public-key, pgp-
+   Person  first-name, middle-name, last-name, full-name, date-of-birth,
+      place-of-birth, gender, passport-number, passport-country,
+      passport-expiration, redress-number, nationality, visa-number,
+      issue-date-of-the-visa, primary-residence, country-of-residence,
+      special-service-request, frequent-flyer-number, travel-details,
+      payment-details, place-port-of-original-embarkation, place-port-
+      of-clearance, place-port-of-onward-foreign-destination, passenger-
+      name-record-locator-number, comment, text, other, phone-number,
+      identity-card-number, anonymised, email, pgp-public-key, pgp-
       private-key
 
+   Social network  github-username, github-repository, github-
+      organisation, jabber-id, twitter-id, email, email-src, email-dst,
+      eppn, comment, text, other, whois-registrant-email, anonymised,
+      pgp-public-key, pgp-private-key
 
+   Support Tool  link, text, attachment, comment, other, hex, anonymised
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 19]
-
-Internet-Draft              MISP core format                October 2020
-
-
-   Support Tool
-      link, text, attachment, comment, other, hex, anonymised
-
-   Targeting data
-      target-user, target-email, target-machine, target-org, target-
-      location, target-external, comment, anonymised
+   Targeting data  target-user, target-email, target-machine, target-
+      org, target-location, target-external, comment, anonymised
 
    Attributes are based on the usage within their different communities.
    Attributes can be extended on a regular basis and this reference
@@ -1087,6 +1058,14 @@ Internet-Draft              MISP core format                October 2020
    and it MUST be a valid selection for the chosen type.  The list of
    valid category-type combinations is mentioned above.
 
+
+
+
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 19]
+
+Internet-Draft              MISP core format                October 2021
+
+
 2.5.2.5.  to_ids
 
    to_ids represents whether the Attribute to be created if the
@@ -1113,15 +1092,6 @@ Internet-Draft              MISP core format                October 2020
    Attribute object that the ShadowAttribute belongs to.  A
    ShadowAttribute can this way target an existing Attribute, implying
    that it is a proposal to modify an existing Attribute, or
-
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 20]
-
-Internet-Draft              MISP core format                October 2020
-
-
    alternatively it can be a proposal to create a new Attribute for the
    containing Event.
 
@@ -1144,6 +1114,14 @@ Internet-Draft              MISP core format                October 2020
 
    comment is a contextual comment field.
 
+
+
+
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 20]
+
+Internet-Draft              MISP core format                October 2021
+
+
    comment is represented by a JSON string. comment MAY be present.
 
 2.5.2.10.  org_id
@@ -1170,14 +1148,6 @@ Internet-Draft              MISP core format                October 2020
    proposal_to_delete is a JSON boolean and it MUST be present.  If
    proposal_to_delete is set to true, old_id MUST NOT be 0.
 
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 21]
-
-Internet-Draft              MISP core format                October 2020
-
-
 2.5.2.12.  deleted
 
    deleted represents a setting that allows shadow attributes to be
@@ -1196,6 +1166,18 @@ Internet-Draft              MISP core format                October 2020
    data is represented by a JSON string in base64 encoding. data MUST be
    set for shadow attributes of type malware-sample and attachment.
 
+
+
+
+
+
+
+
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 21]
+
+Internet-Draft              MISP core format                October 2021
+
+
 2.5.2.14.  first_seen
 
    first_seen represents a reference time when the attribute was first
@@ -1226,14 +1208,6 @@ Internet-Draft              MISP core format                October 2020
    instance and used as reference in the event.  A human-readable
    identifier MUST be represented as an unsigned integer.
 
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 22]
-
-Internet-Draft              MISP core format                October 2020
-
-
    uuid, name and id are represented as a JSON string. uuid, name and id
    MUST be present.
 
@@ -1252,6 +1226,14 @@ Internet-Draft              MISP core format                October 2020
 
    value is represented by a JSON string. value MUST be present.
 
+
+
+
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 22]
+
+Internet-Draft              MISP core format                October 2021
+
+
 2.6.  Object
 
    Objects serve as a contextual bond between a list of attributes
@@ -1285,9 +1267,27 @@ Internet-Draft              MISP core format                October 2020
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 23]
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 23]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format                October 2021
 
 
 "Object": {
@@ -1331,8 +1331,6 @@ Internet-Draft              MISP core format                October 2020
    ]
 }
 
-                                 Figure 1
-
 2.6.2.  Object Attributes
 
 
@@ -1341,9 +1339,11 @@ Internet-Draft              MISP core format                October 2020
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 24]
+
+
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 24]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format                October 2021
 
 
 2.6.2.1.  uuid
@@ -1397,9 +1397,9 @@ Internet-Draft              MISP core format                October 2020
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 25]
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 25]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format                October 2021
 
 
 2.6.2.7.  template_version
@@ -1437,29 +1437,27 @@ Internet-Draft              MISP core format                October 2020
    distribution is represented by a JSON string. distribution MUST be
    present and be one of the following options:
 
-   0
-      Your Organisation Only
+   0  Your Organisation Only
 
-   1
-      This Community Only
+   1  This Community Only
 
-   2
-      Connected Communities
+   2  Connected Communities
 
-   3
-      All Communities
+   3  All Communities
 
-   4
+   4  Sharing Group
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 26]
+
+
+
+
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 26]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format                October 2021
 
 
-      Sharing Group
-
 2.6.2.11.  sharing_group_id
 
    sharing_group_id represents a human-readable identifier referencing a
@@ -1502,24 +1500,20 @@ Internet-Draft              MISP core format                October 2020
    first_seen is represented as a JSON string. first_seen MAY be
    present.
 
-
-
-
-
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 27]
-
-Internet-Draft              MISP core format                October 2020
-
-
 2.6.2.16.  last_seen
 
    last_seen represents a reference time when the object was last seen.
    last_seen as an ISO 8601 datetime up to the micro-second with time
    zone support.
 
+
+
+
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 27]
+
+Internet-Draft              MISP core format                October 2021
+
+
    last_seen is represented as a JSON string. last_seen MAY be present.
 
 2.7.  Object References
@@ -1561,15 +1555,6 @@ Internet-Draft              MISP core format                October 2020
    transfer of the same object reference.  UUID version 4 is RECOMMENDED
    when assigning it to a new object reference.
 
-
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 28]
-
-Internet-Draft              MISP core format                October 2020
-
-
 2.7.2.2.  id
 
    id represents the human-readable identifier associated to the object
@@ -1577,6 +1562,14 @@ Internet-Draft              MISP core format                October 2020
 
    id is represented as a JSON string. id SHALL be present.
 
+
+
+
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 28]
+
+Internet-Draft              MISP core format                October 2021
+
+
 2.7.2.3.  timestamp
 
    timestamp represents a reference time when the object was created or
@@ -1619,19 +1612,20 @@ Internet-Draft              MISP core format                October 2020
    referenced_type is represented as a JSON string. referenced_type MAY
    be present.
 
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 29]
-
-Internet-Draft              MISP core format                October 2020
-
-
 2.7.2.8.  relationship_type
 
    relationship_type represents the human-readable context of the
    relationship between an object and another object or attribute as
    described by the object_reference.
 
+
+
+
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 29]
+
+Internet-Draft              MISP core format                October 2021
+
+
    referenced_type is represented as a JSON string. relationship_type
    MUST be present.
 
@@ -1670,18 +1664,6 @@ Internet-Draft              MISP core format                October 2020
    information which can be linked to Attributes, Objects, Tags or
    Galaxy with an extension to the Markdown marking language.
 
-
-
-
-
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 30]
-
-Internet-Draft              MISP core format                October 2020
-
-
 2.8.1.  id
 
    id represents the human-readable identifier associated to the
@@ -1690,6 +1672,16 @@ Internet-Draft              MISP core format                October 2020
 
    id is represented as a JSON string. id SHALL be present.
 
+
+
+
+
+
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 30]
+
+Internet-Draft              MISP core format                October 2021
+
+
 2.8.2.  UUID
 
    uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of
@@ -1727,17 +1719,6 @@ Internet-Draft              MISP core format                October 2020
 
    content is represented as a JSON string. content MUST be present.
 
-
-
-
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 31]
-
-Internet-Draft              MISP core format                October 2020
-
-
 2.8.6.  distribution
 
    distribution represents the basic distribution rules of the
@@ -1747,23 +1728,25 @@ Internet-Draft              MISP core format                October 2020
    distribution is represented by a JSON string. distribution MUST be
    present and be one of the following options:
 
-   0
-      Your Organisation Only
+   0  Your Organisation Only
 
-   1
-      This Community Only
 
-   2
-      Connected Communities
 
-   3
-      All Communities
 
-   4
-      Sharing Group
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 31]
+
+Internet-Draft              MISP core format                October 2021
 
-   5
-      Inherit Event
+
+   1  This Community Only
+
+   2  Connected Communities
+
+   3  All Communities
+
+   4  Sharing Group
+
+   5  Inherit Event
 
 2.8.7.  sharing_group_id
 
@@ -1782,18 +1765,6 @@ Internet-Draft              MISP core format                October 2020
 
    timestamp is represented as a JSON string. timestamp MUST be present.
 
-
-
-
-
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 32]
-
-Internet-Draft              MISP core format                October 2020
-
-
 2.8.9.  deleted
 
    deleted represents a setting that allows EventReport to be revoked.
@@ -1814,6 +1785,15 @@ Internet-Draft              MISP core format                October 2020
    or attribute level.  A tag element is described with a name, id,
    colour and exportable flag.
 
+
+
+
+
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 32]
+
+Internet-Draft              MISP core format                October 2021
+
+
    exportable represents a setting if the tag is kept local or
    exportable to other MISP instances. exportable is represented by a
    JSON boolean. id is a human-readable identifier that references the
@@ -1841,25 +1821,19 @@ Internet-Draft              MISP core format                October 2020
    type MUST be present. type describes the type of a sighting.  MISP
    allows 3 default types:
 
+       +===============+==========================================+
+       | Sighting type |               Description                |
+       +===============+==========================================+
+       | 0             | denotes an attribute which has been seen |
+       +---------------+------------------------------------------+
+       | 1             | denotes an attribute which has been seen |
+       |               |     and confirmed as false-positive      |
+       +---------------+------------------------------------------+
+       | 2             |    denotes an attribute which will be    |
+       |               |   expired at the time of the sighting    |
+       +---------------+------------------------------------------+
 
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 33]
-
-Internet-Draft              MISP core format                October 2020
-
-
-   +------------+------------------------------------------------------+
-   | Sighting   |                     Description                      |
-   | type       |                                                      |
-   +------------+------------------------------------------------------+
-   | 0          |       denotes an attribute which has been seen       |
-   | 1          |     denotes an attribute which has been seen and     |
-   |            |             confirmed as false-positive              |
-   | 2          |  denotes an attribute which will be expired at the   |
-   |            |                 time of the sighting                 |
-   +------------+------------------------------------------------------+
+                                 Table 1
 
    uuid MUST be present. uuid references the uuid of the sighted
    attribute.
@@ -1869,6 +1843,13 @@ Internet-Draft              MISP core format                October 2020
    date_sighting represents when the referenced attribute, designated by
    its uuid, is sighted.
 
+
+
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 33]
+
+Internet-Draft              MISP core format                October 2021
+
+
    source MAY be present. source is represented as a JSON string and
    represents the human-readable version of the sighting source, which
    can be a given piece of software (e.g.  SIEM), device or a specific
@@ -1877,9 +1858,9 @@ Internet-Draft              MISP core format                October 2020
    id, event_id and attribute_id MAY be present.
 
    id represents the human-readable identifier of the sighting reference
-   which belongs to a specific MISP instance.  event_id represents the
+   which belongs to a specific MISP instance. event_id represents the
    human-readable identifier of the event referenced by the sighting and
-   belongs to a specific MISP instance.  attribute_id represents the
+   belongs to a specific MISP instance. attribute_id represents the
    human-readable identifier of the attribute referenced by the sighting
    and belongs to a specific MISP instance.
 
@@ -1901,9 +1882,28 @@ Internet-Draft              MISP core format                October 2020
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 34]
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 34]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format                October 2021
 
 
 "Sighting": [
@@ -1957,9 +1957,9 @@ Internet-Draft              MISP core format                October 2020
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 35]
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 35]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format                October 2021
 
 
 "Galaxy": [ {
@@ -2013,9 +2013,9 @@ Internet-Draft              MISP core format                October 2020
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 36]
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 36]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format                October 2021
 
 
 3.  JSON Schema
@@ -2069,9 +2069,9 @@ Internet-Draft              MISP core format                October 2020
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 37]
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 37]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format                October 2021
 
 
        "type": "object",
@@ -2125,9 +2125,9 @@ Internet-Draft              MISP core format                October 2020
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 38]
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 38]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format                October 2021
 
 
            "items": {
@@ -2181,9 +2181,9 @@ Internet-Draft              MISP core format                October 2020
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 39]
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 39]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format                October 2021
 
 
            "type": "string"
@@ -2237,9 +2237,9 @@ Internet-Draft              MISP core format                October 2020
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 40]
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 40]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format                October 2021
 
 
            "type": "string"
@@ -2293,9 +2293,9 @@ Internet-Draft              MISP core format                October 2020
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 41]
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 41]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format                October 2021
 
 
        "properties": {
@@ -2349,9 +2349,9 @@ Internet-Draft              MISP core format                October 2020
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 42]
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 42]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format                October 2021
 
 
        "properties": {
@@ -2405,9 +2405,9 @@ Internet-Draft              MISP core format                October 2020
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 43]
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 43]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format                October 2021
 
 
        "properties": {
@@ -2461,9 +2461,9 @@ Internet-Draft              MISP core format                October 2020
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 44]
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 44]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format                October 2021
 
 
          },
@@ -2517,9 +2517,9 @@ Internet-Draft              MISP core format                October 2020
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 45]
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 45]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format                October 2021
 
 
          },
@@ -2573,9 +2573,9 @@ Internet-Draft              MISP core format                October 2020
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 46]
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 46]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format                October 2021
 
 
            "type": "string"
@@ -2629,9 +2629,9 @@ Internet-Draft              MISP core format                October 2020
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 47]
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 47]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format                October 2021
 
 
            "uniqueItems": true,
@@ -2685,9 +2685,9 @@ Internet-Draft              MISP core format                October 2020
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 48]
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 48]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format                October 2021
 
 
            "type": "boolean"
@@ -2741,9 +2741,9 @@ Internet-Draft              MISP core format                October 2020
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 49]
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 49]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format                October 2021
 
 
        "type": "object",
@@ -2797,9 +2797,9 @@ Internet-Draft              MISP core format                October 2020
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 50]
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 50]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format                October 2021
 
 
      "Event": {
@@ -2831,34 +2831,34 @@ Internet-Draft              MISP core format                October 2020
    Each uuid is composed of a JSON object with the following fields
    which came from the original event referenced by the same uuid:
 
-   o  info (MUST)
+   *  info (MUST)
 
-   o  Orgc object (MUST)
+   *  Orgc object (MUST)
 
-   o  analysis (SHALL)
+   *  analysis (SHALL)
 
-   o  timestamp (MUST)
+   *  timestamp (MUST)
 
-   o  date (MUST)
+   *  date (MUST)
 
-   o  threat_level_id (SHALL)
+   *  threat_level_id (SHALL)
 
    In addition to the fields originating from the event, the following
    fields can be added:
 
-   o  integrity:sha256 represents the SHA256 value in hexadecimal
+   *  integrity:sha256 represents the SHA256 value in hexadecimal
       representation of the associated MISP event file to ensure
       integrity of the file.  (SHOULD)
 
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 51]
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 51]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format                October 2021
 
 
-   o  integrity:pgp represents a detached PGP signature [RFC4880] of the
+   *  integrity:pgp represents a detached PGP signature [RFC4880] of the
       associated MISP event file to ensure integrity of the file.
       (SHOULD)
 
@@ -2909,9 +2909,9 @@ Internet-Draft              MISP core format                October 2020
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 52]
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 52]
 
-Internet-Draft              MISP core format                October 2020
+Internet-Draft              MISP core format                October 2021
 
 
         "name": "circl:incident-classification=\"malware\""
@@ -2956,27 +2956,20 @@ Internet-Draft              MISP core format                October 2020
 
 8.  References
 
-9.  References
-
-
-
-
-
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 53]
-
-Internet-Draft              MISP core format                October 2020
-
-
-9.1.  Normative References
+9.  Normative References
 
    [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
               Requirement Levels", BCP 14, RFC 2119,
               DOI 10.17487/RFC2119, March 1997,
               <https://www.rfc-editor.org/info/rfc2119>.
 
+
+
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 53]
+
+Internet-Draft              MISP core format                October 2021
+
+
    [RFC4122]  Leach, P., Mealling, M., and R. Salz, "A Universally
               Unique IDentifier (UUID) URN Namespace", RFC 4122,
               DOI 10.17487/RFC4122, July 2005,
@@ -2992,7 +2985,7 @@ Internet-Draft              MISP core format                October 2020
               DOI 10.17487/RFC8259, December 2017,
               <https://www.rfc-editor.org/info/rfc8259>.
 
-9.2.  Informative References
+10.  Informative References
 
    [JSON-SCHEMA]
               Wright, A., "JSON Schema: A Media Type for Describing JSON
@@ -3013,33 +3006,30 @@ Internet-Draft              MISP core format                October 2020
 
 Authors' Addresses
 
-
-
-
-
-
-
-
-
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 54]
-
-Internet-Draft              MISP core format                October 2020
-
-
    Alexandre Dulaunoy
    Computer Incident Response Center Luxembourg
    16, bd d'Avranches
-   Luxembourg  L-1160
+   L-L-1160 Luxembourg
    Luxembourg
 
    Phone: +352 247 88444
    Email: alexandre.dulaunoy@circl.lu
 
 
+
+
+
+
+
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 54]
+
+Internet-Draft              MISP core format                October 2021
+
+
    Andras Iklody
    Computer Incident Response Center Luxembourg
    16, bd d'Avranches
-   Luxembourg  L-1160
+   L-L-1160 Luxembourg
    Luxembourg
 
    Phone: +352 247 88444
@@ -3077,4 +3067,14 @@ Internet-Draft              MISP core format                October 2020
 
 
 
-Dulaunoy & Iklody        Expires April 24, 2021                [Page 55]
+
+
+
+
+
+
+
+
+
+
+Dulaunoy & Iklody          Expires 1 May 2022                  [Page 55]
diff --git a/rfc/misp-standard-galaxy-format.html b/rfc/misp-standard-galaxy-format.html
index 2d64b23..d4921bc 100644
--- a/rfc/misp-standard-galaxy-format.html
+++ b/rfc/misp-standard-galaxy-format.html
@@ -1,533 +1,1403 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" 
-  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<!DOCTYPE html>
+<html lang="en" class="Internet-Draft">
+<head>
+<meta charset="utf-8">
+<meta content="Common,Latin" name="scripts">
+<meta content="initial-scale=1.0" name="viewport">
+<title>MISP galaxy format</title>
+<meta content="Alexandre Dulaunoy" name="author">
+<meta content="Andras Iklody" name="author">
+<meta content="Deborah Servili" name="author">
+<meta content="
+       This document describes the MISP galaxy format which describes a simple JSON format to represent galaxies and clusters that can be attached to MISP events or attributes. A public directory of MISP galaxies is available and relies on the MISP galaxy format. MISP galaxies are used to add further informations on a MISP event. MISP galaxy is a public repository     of known malware, threats actors and various other collections of data that can be used to mark, classify or label data in threat information sharing. 
+    " name="description">
+<meta content="xml2rfc 3.9.1" name="generator">
+<meta content="draft-00" name="ietf.draft">
+<!-- Generator version information:
+  xml2rfc 3.9.1
+    Python 3.6.9
+    appdirs 1.4.4
+    ConfigArgParse 1.5.2
+    google-i18n-address 2.3.5
+    html5lib 1.0.1
+    intervaltree 2.1.0
+    Jinja2 2.11.2
+    kitchen 1.2.6
+    lxml 4.6.3
+    pycairo 1.16.2
+    pycountry 18.12.8
+    pyflakes 2.1.1
+    PyYAML 5.4.1
+    requests 2.25.1
+    setuptools 57.1.0
+    six 1.15.0
+    WeasyPrint 48
+-->
+<link href="misp-standard-galaxy-format.xml" rel="alternate" type="application/rfc+xml">
+<link href="#copyright" rel="license">
+<style type="text/css">/*
 
-<html lang="en" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
-<head profile="http://www.w3.org/2006/03/hcard http://dublincore.org/documents/2008/08/04/dc-html/">
-  <meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
+  NOTE: Changes at the bottom of this file overrides some earlier settings.
 
-  <title>MISP galaxy format</title>
+  Once the style has stabilized and has been adopted as an official RFC style,
+  this can be consolidated so that style settings occur only in one place, but
+  for now the contents of this file consists first of the initial CSS work as
+  provided to the RFC Formatter (xml2rfc) work, followed by itemized and
+  commented changes found necssary during the development of the v3
+  formatters.
 
-  <style type="text/css" title="Xml2Rfc (sans serif)">
-  /*<![CDATA[*/
-	  a {
-	  text-decoration: none;
-	  }
-      /* info code from SantaKlauss at http://www.madaboutstyle.com/tooltip2.html */
-      a.info {
-          /* This is the key. */
-          position: relative;
-          z-index: 24;
-          text-decoration: none;
-      }
-      a.info:hover {
-          z-index: 25;
-          color: #FFF; background-color: #900;
-      }
-      a.info span { display: none; }
-      a.info:hover span.info {
-          /* The span will display just on :hover state. */
-          display: block;
-          position: absolute;
-          font-size: smaller;
-          top: 2em; left: -5em; width: 15em;
-          padding: 2px; border: 1px solid #333;
-          color: #900; background-color: #EEE;
-          text-align: left;
-      }
-	  a.smpl {
-	  color: black;
-	  }
-	  a:hover {
-	  text-decoration: underline;
-	  }
-	  a:active {
-	  text-decoration: underline;
-	  }
-	  address {
-	  margin-top: 1em;
-	  margin-left: 2em;
-	  font-style: normal;
-	  }
-	  body {
-	  color: black;
-	  font-family: verdana, helvetica, arial, sans-serif;
-	  font-size: 10pt;
-	  max-width: 55em;
-	  
-	  }
-	  cite {
-	  font-style: normal;
-	  }
-	  dd {
-	  margin-right: 2em;
-	  }
-	  dl {
-	  margin-left: 2em;
-	  }
-	
-	  ul.empty {
-	  list-style-type: none;
-	  }
-	  ul.empty li {
-	  margin-top: .5em;
-	  }
-	  dl p {
-	  margin-left: 0em;
-	  }
-	  dt {
-	  margin-top: .5em;
-	  }
-	  h1 {
-	  font-size: 14pt;
-	  line-height: 21pt;
-	  page-break-after: avoid;
-	  }
-	  h1.np {
-	  page-break-before: always;
-	  }
-	  h1 a {
-	  color: #333333;
-	  }
-	  h2 {
-	  font-size: 12pt;
-	  line-height: 15pt;
-	  page-break-after: avoid;
-	  }
-	  h3, h4, h5, h6 {
-	  font-size: 10pt;
-	  page-break-after: avoid;
-	  }
-	  h2 a, h3 a, h4 a, h5 a, h6 a {
-	  color: black;
-	  }
-	  img {
-	  margin-left: 3em;
-	  }
-	  li {
-	  margin-left: 2em;
-	  margin-right: 2em;
-	  }
-	  ol {
-	  margin-left: 2em;
-	  margin-right: 2em;
-	  }
-	  ol p {
-	  margin-left: 0em;
-	  }
-	  p {
-	  margin-left: 2em;
-	  margin-right: 2em;
-	  }
-	  pre {
-	  margin-left: 3em;
-	  background-color: lightyellow;
-	  padding: .25em;
-	  }
-	  pre.text2 {
-	  border-style: dotted;
-	  border-width: 1px;
-	  background-color: #f0f0f0;
-	  width: 69em;
-	  }
-	  pre.inline {
-	  background-color: white;
-	  padding: 0em;
-	  }
-	  pre.text {
-	  border-style: dotted;
-	  border-width: 1px;
-	  background-color: #f8f8f8;
-	  width: 69em;
-	  }
-	  pre.drawing {
-	  border-style: solid;
-	  border-width: 1px;
-	  background-color: #f8f8f8;
-	  padding: 2em;
-	  }
-	  table {
-	  margin-left: 2em;
-	  }
-	  table.tt {
-	  vertical-align: top;
-	  }
-	  table.full {
-	  border-style: outset;
-	  border-width: 1px;
-	  }
-	  table.headers {
-	  border-style: outset;
-	  border-width: 1px;
-	  }
-	  table.tt td {
-	  vertical-align: top;
-	  }
-	  table.full td {
-	  border-style: inset;
-	  border-width: 1px;
-	  }
-	  table.tt th {
-	  vertical-align: top;
-	  }
-	  table.full th {
-	  border-style: inset;
-	  border-width: 1px;
-	  }
-	  table.headers th {
-	  border-style: none none inset none;
-	  border-width: 1px;
-	  }
-	  table.left {
-	  margin-right: auto;
-	  }
-	  table.right {
-	  margin-left: auto;
-	  }
-	  table.center {
-	  margin-left: auto;
-	  margin-right: auto;
-	  }
-	  caption {
-	  caption-side: bottom;
-	  font-weight: bold;
-	  font-size: 9pt;
-	  margin-top: .5em;
-	  }
-	
-	  table.header {
-	  border-spacing: 1px;
-	  width: 95%;
-	  font-size: 10pt;
-	  color: white;
-	  }
-	  td.top {
-	  vertical-align: top;
-	  }
-	  td.topnowrap {
-	  vertical-align: top;
-	  white-space: nowrap; 
-	  }
-	  table.header td {
-	  background-color: gray;
-	  width: 50%;
-	  }
-	  table.header a {
-	  color: white;
-	  }
-	  td.reference {
-	  vertical-align: top;
-	  white-space: nowrap;
-	  padding-right: 1em;
-	  }
-	  thead {
-	  display:table-header-group;
-	  }
-	  ul.toc, ul.toc ul {
-	  list-style: none;
-	  margin-left: 1.5em;
-	  margin-right: 0em;
-	  padding-left: 0em;
-	  }
-	  ul.toc li {
-	  line-height: 150%;
-	  font-weight: bold;
-	  font-size: 10pt;
-	  margin-left: 0em;
-	  margin-right: 0em;
-	  }
-	  ul.toc li li {
-	  line-height: normal;
-	  font-weight: normal;
-	  font-size: 9pt;
-	  margin-left: 0em;
-	  margin-right: 0em;
-	  }
-	  li.excluded {
-	  font-size: 0pt;
-	  }
-	  ul p {
-	  margin-left: 0em;
-	  }
-	
-	  .comment {
-	  background-color: yellow;
-	  }
-	  .center {
-	  text-align: center;
-	  }
-	  .error {
-	  color: red;
-	  font-style: italic;
-	  font-weight: bold;
-	  }
-	  .figure {
-	  font-weight: bold;
-	  text-align: center;
-	  font-size: 9pt;
-	  }
-	  .filename {
-	  color: #333333;
-	  font-weight: bold;
-	  font-size: 12pt;
-	  line-height: 21pt;
-	  text-align: center;
-	  }
-	  .fn {
-	  font-weight: bold;
-	  }
-	  .hidden {
-	  display: none;
-	  }
-	  .left {
-	  text-align: left;
-	  }
-	  .right {
-	  text-align: right;
-	  }
-	  .title {
-	  color: #990000;
-	  font-size: 18pt;
-	  line-height: 18pt;
-	  font-weight: bold;
-	  text-align: center;
-	  margin-top: 36pt;
-	  }
-	  .vcardline {
-	  display: block;
-	  }
-	  .warning {
-	  font-size: 14pt;
-	  background-color: yellow;
-	  }
-	
-	
-	  @media print {
-	  .noprint {
-		display: none;
-	  }
-	
-	  a {
-		color: black;
-		text-decoration: none;
-	  }
-	
-	  table.header {
-		width: 90%;
-	  }
-	
-	  td.header {
-		width: 50%;
-		color: black;
-		background-color: white;
-		vertical-align: top;
-		font-size: 12pt;
-	  }
-	
-	  ul.toc a::after {
-		content: leader('.') target-counter(attr(href), page);
-	  }
-	
-	  ul.ind li li a {
-		content: target-counter(attr(href), page);
-	  }
-	
-	  .print2col {
-		column-count: 2;
-		-moz-column-count: 2;
-		column-fill: auto;
-	  }
-	  }
-	
-	  @page {
-	  @top-left {
-		   content: "Internet-Draft"; 
-	  } 
-	  @top-right {
-		   content: "December 2010"; 
-	  } 
-	  @top-center {
-		   content: "Abbreviated Title";
-	  } 
-	  @bottom-left {
-		   content: "Doe"; 
-	  } 
-	  @bottom-center {
-		   content: "Expires June 2011"; 
-	  } 
-	  @bottom-right {
-		   content: "[Page " counter(page) "]"; 
-	  } 
-	  }
-	
-	  @page:first { 
-		@top-left {
-		  content: normal;
-		}
-		@top-right {
-		  content: normal;
-		}
-		@top-center {
-		  content: normal;
-		}
-	  }
-  /*]]>*/
-  </style>
+*/
 
-  <link href="#rfc.toc" rel="Contents">
-<link href="#rfc.section.1" rel="Chapter" title="1 Introduction">
-<link href="#rfc.section.1.1" rel="Chapter" title="1.1 Conventions and Terminology">
-<link href="#rfc.section.2" rel="Chapter" title="2 Format">
-<link href="#rfc.section.2.1" rel="Chapter" title="2.1 Overview">
-<link href="#rfc.section.2.2" rel="Chapter" title="2.2 values">
-<link href="#rfc.section.2.3" rel="Chapter" title="2.3 related">
-<link href="#rfc.section.2.4" rel="Chapter" title="2.4 meta">
-<link href="#rfc.section.3" rel="Chapter" title="3 JSON Schema">
-<link href="#rfc.section.3.1" rel="Chapter" title="3.1 MISP galaxy format - galaxy">
-<link href="#rfc.section.3.2" rel="Chapter" title="3.2 MISP galaxy format - clusters">
-<link href="#rfc.section.4" rel="Chapter" title="4 Acknowledgements">
-<link href="#rfc.references" rel="Chapter" title="5 References">
-<link href="#rfc.references.1" rel="Chapter" title="5.1 Normative References">
-<link href="#rfc.references.2" rel="Chapter" title="5.2 Informative References">
-<link href="#rfc.authors" rel="Chapter">
+/* fonts */
+@import url('https://fonts.googleapis.com/css?family=Noto+Sans'); /* Sans-serif */
+@import url('https://fonts.googleapis.com/css?family=Noto+Serif'); /* Serif (print) */
+@import url('https://fonts.googleapis.com/css?family=Roboto+Mono'); /* Monospace */
+
+@viewport {
+  zoom: 1.0;
+  width: extend-to-zoom;
+}
+@-ms-viewport {
+  width: extend-to-zoom;
+  zoom: 1.0;
+}
+/* general and mobile first */
+html {
+}
+body {
+  max-width: 90%;
+  margin: 1.5em auto;
+  color: #222;
+  background-color: #fff;
+  font-size: 14px;
+  font-family: 'Noto Sans', Arial, Helvetica, sans-serif;
+  line-height: 1.6;
+  scroll-behavior: smooth;
+}
+.ears {
+  display: none;
+}
+
+/* headings */
+#title, h1, h2, h3, h4, h5, h6 {
+  margin: 1em 0 0.5em;
+  font-weight: bold;
+  line-height: 1.3;
+}
+#title {
+  clear: both;
+  border-bottom: 1px solid #ddd;
+  margin: 0 0 0.5em 0;
+  padding: 1em 0 0.5em;
+}
+.author {
+  padding-bottom: 4px;
+}
+h1 {
+  font-size: 26px;
+  margin: 1em 0;
+}
+h2 {
+  font-size: 22px;
+  margin-top: -20px;  /* provide offset for in-page anchors */
+  padding-top: 33px;
+}
+h3 {
+  font-size: 18px;
+  margin-top: -36px;  /* provide offset for in-page anchors */
+  padding-top: 42px;
+}
+h4 {
+  font-size: 16px;
+  margin-top: -36px;  /* provide offset for in-page anchors */
+  padding-top: 42px;
+}
+h5, h6 {
+  font-size: 14px;
+}
+#n-copyright-notice {
+  border-bottom: 1px solid #ddd;
+  padding-bottom: 1em;
+  margin-bottom: 1em;
+}
+/* general structure */
+p {
+  padding: 0;
+  margin: 0 0 1em 0;
+  text-align: left;
+}
+div, span {
+  position: relative;
+}
+div {
+  margin: 0;
+}
+.alignRight.art-text {
+  background-color: #f9f9f9;
+  border: 1px solid #eee;
+  border-radius: 3px;
+  padding: 1em 1em 0;
+  margin-bottom: 1.5em;
+}
+.alignRight.art-text pre {
+  padding: 0;
+}
+.alignRight {
+  margin: 1em 0;
+}
+.alignRight > *:first-child {
+  border: none;
+  margin: 0;
+  float: right;
+  clear: both;
+}
+.alignRight > *:nth-child(2) {
+  clear: both;
+  display: block;
+  border: none;
+}
+svg {
+  display: block;
+}
+.alignCenter.art-text {
+  background-color: #f9f9f9;
+  border: 1px solid #eee;
+  border-radius: 3px;
+  padding: 1em 1em 0;
+  margin-bottom: 1.5em;
+}
+.alignCenter.art-text pre {
+  padding: 0;
+}
+.alignCenter {
+  margin: 1em 0;
+}
+.alignCenter > *:first-child {
+  border: none;
+  /* this isn't optimal, but it's an existence proof.  PrinceXML doesn't
+     support flexbox yet.
+  */
+  display: table;
+  margin: 0 auto;
+}
+
+/* lists */
+ol, ul {
+  padding: 0;
+  margin: 0 0 1em 2em;
+}
+ol ol, ul ul, ol ul, ul ol {
+  margin-left: 1em;
+}
+li {
+  margin: 0 0 0.25em 0;
+}
+.ulCompact li {
+  margin: 0;
+}
+ul.empty, .ulEmpty {
+  list-style-type: none;
+}
+ul.empty li, .ulEmpty li {
+  margin-top: 0.5em;
+}
+ul.ulBare, li.ulBare {
+  margin-left: 0em !important;
+}
+ul.compact, .ulCompact,
+ol.compact, .olCompact {
+  line-height: 100%;
+  margin: 0 0 0 2em;
+}
+
+/* definition lists */
+dl {
+}
+dl > dt {
+  float: left;
+  margin-right: 1em;
+}
+/* 
+dl.nohang > dt {
+  float: none;
+}
+*/
+dl > dd {
+  margin-bottom: .8em;
+  min-height: 1.3em;
+}
+dl.compact > dd, .dlCompact > dd {
+  margin-bottom: 0em;
+}
+dl > dd > dl {
+  margin-top: 0.5em;
+  margin-bottom: 0em;
+}
+
+/* links */
+a {
+  text-decoration: none;
+}
+a[href] {
+  color: #22e; /* Arlen: WCAG 2019 */
+}
+a[href]:hover {
+  background-color: #f2f2f2;
+}
+figcaption a[href],
+a[href].selfRef {
+  color: #222;
+}
+/* XXX probably not this:
+a.selfRef:hover {
+  background-color: transparent;
+  cursor: default;
+} */
+
+/* Figures */
+tt, code, pre, code {
+  background-color: #f9f9f9;
+  font-family: 'Roboto Mono', monospace;
+}
+pre {
+  border: 1px solid #eee;
+  margin: 0;
+  padding: 1em;
+}
+img {
+  max-width: 100%;
+}
+figure {
+  margin: 0;
+}
+figure blockquote {
+  margin: 0.8em 0.4em 0.4em;
+}
+figcaption {
+  font-style: italic;
+  margin: 0 0 1em 0;
+}
+@media screen {
+  pre {
+    overflow-x: auto;
+    max-width: 100%;
+    max-width: calc(100% - 22px);
+  }
+}
+
+/* aside, blockquote */
+aside, blockquote {
+  margin-left: 0;
+  padding: 1.2em 2em;
+}
+blockquote {
+  background-color: #f9f9f9;
+  color: #111; /* Arlen: WCAG 2019 */
+  border: 1px solid #ddd;
+  border-radius: 3px;
+  margin: 1em 0;
+}
+cite {
+  display: block;
+  text-align: right;
+  font-style: italic;
+}
+
+/* tables */
+table {
+  width: 100%;
+  margin: 0 0 1em;
+  border-collapse: collapse;
+  border: 1px solid #eee;
+}
+th, td {
+  text-align: left;
+  vertical-align: top;
+  padding: 0.5em 0.75em;
+}
+th {
+  text-align: left;
+  background-color: #e9e9e9;
+}
+tr:nth-child(2n+1) > td {
+  background-color: #f5f5f5;
+}
+table caption {
+  font-style: italic;
+  margin: 0;
+  padding: 0;
+  text-align: left;
+}
+table p {
+  /* XXX to avoid bottom margin on table row signifiers. If paragraphs should
+     be allowed within tables more generally, it would be far better to select on a class. */
+  margin: 0;
+}
+
+/* pilcrow */
+a.pilcrow {
+  color: #666; /* Arlen: AHDJ 2019 */
+  text-decoration: none;
+  visibility: hidden;
+  user-select: none;
+  -ms-user-select: none;
+  -o-user-select:none;
+  -moz-user-select: none;
+  -khtml-user-select: none;
+  -webkit-user-select: none;
+  -webkit-touch-callout: none;
+}
+@media screen {
+  aside:hover > a.pilcrow,
+  p:hover > a.pilcrow,
+  blockquote:hover > a.pilcrow,
+  div:hover > a.pilcrow,
+  li:hover > a.pilcrow,
+  pre:hover > a.pilcrow {
+    visibility: visible;
+  }
+  a.pilcrow:hover {
+    background-color: transparent;
+  }
+}
+
+/* misc */
+hr {
+  border: 0;
+  border-top: 1px solid #eee;
+}
+.bcp14 {
+  font-variant: small-caps;
+}
+
+.role {
+  font-variant: all-small-caps;
+}
+
+/* info block */
+#identifiers {
+  margin: 0;
+  font-size: 0.9em;
+}
+#identifiers dt {
+  width: 3em;
+  clear: left;
+}
+#identifiers dd {
+  float: left;
+  margin-bottom: 0;
+}
+#identifiers .authors .author {
+  display: inline-block;
+  margin-right: 1.5em;
+}
+#identifiers .authors .org {
+  font-style: italic;
+}
+
+/* The prepared/rendered info at the very bottom of the page */
+.docInfo {
+  color: #666; /* Arlen: WCAG 2019 */
+  font-size: 0.9em;
+  font-style: italic;
+  margin-top: 2em;
+}
+.docInfo .prepared {
+  float: left;
+}
+.docInfo .prepared {
+  float: right;
+}
+
+/* table of contents */
+#toc  {
+  padding: 0.75em 0 2em 0;
+  margin-bottom: 1em;
+}
+nav.toc ul {
+  margin: 0 0.5em 0 0;
+  padding: 0;
+  list-style: none;
+}
+nav.toc li {
+  line-height: 1.3em;
+  margin: 0.75em 0;
+  padding-left: 1.2em;
+  text-indent: -1.2em;
+}
+/* references */
+.references dt {
+  text-align: right;
+  font-weight: bold;
+  min-width: 7em;
+}
+.references dd {
+  margin-left: 8em;
+  overflow: auto;
+}
+
+.refInstance {
+  margin-bottom: 1.25em;
+}
+
+.references .ascii {
+  margin-bottom: 0.25em;
+}
+
+/* index */
+.index ul {
+  margin: 0 0 0 1em;
+  padding: 0;
+  list-style: none;
+}
+.index ul ul {
+  margin: 0;
+}
+.index li {
+  margin: 0;
+  text-indent: -2em;
+  padding-left: 2em;
+  padding-bottom: 5px;
+}
+.indexIndex {
+  margin: 0.5em 0 1em;
+}
+.index a {
+  font-weight: 700;
+}
+/* make the index two-column on all but the smallest screens */
+@media (min-width: 600px) {
+  .index ul {
+    -moz-column-count: 2;
+    -moz-column-gap: 20px;
+  }
+  .index ul ul {
+    -moz-column-count: 1;
+    -moz-column-gap: 0;
+  }
+}
+
+/* authors */
+address.vcard {
+  font-style: normal;
+  margin: 1em 0;
+}
+
+address.vcard .nameRole {
+  font-weight: 700;
+  margin-left: 0;
+}
+address.vcard .label {
+  font-family: "Noto Sans",Arial,Helvetica,sans-serif;
+  margin: 0.5em 0;
+}
+address.vcard .type {
+  display: none;
+}
+.alternative-contact {
+  margin: 1.5em 0 1em;
+}
+hr.addr {
+  border-top: 1px dashed;
+  margin: 0;
+  color: #ddd;
+  max-width: calc(100% - 16px);
+}
+
+/* temporary notes */
+.rfcEditorRemove::before {
+  position: absolute;
+  top: 0.2em;
+  right: 0.2em;
+  padding: 0.2em;
+  content: "The RFC Editor will remove this note";
+  color: #9e2a00; /* Arlen: WCAG 2019 */
+  background-color: #ffd; /* Arlen: WCAG 2019 */
+}
+.rfcEditorRemove {
+  position: relative;
+  padding-top: 1.8em;
+  background-color: #ffd; /* Arlen: WCAG 2019 */
+  border-radius: 3px;
+}
+.cref {
+  background-color: #ffd; /* Arlen: WCAG 2019 */
+  padding: 2px 4px;
+}
+.crefSource {
+  font-style: italic;
+}
+/* alternative layout for smaller screens */
+@media screen and (max-width: 1023px) {
+  body {
+    padding-top: 2em;
+  }
+  #title {
+    padding: 1em 0;
+  }
+  h1 {
+    font-size: 24px;
+  }
+  h2 {
+    font-size: 20px;
+    margin-top: -18px;  /* provide offset for in-page anchors */
+    padding-top: 38px;
+  }
+  #identifiers dd {
+    max-width: 60%;
+  }
+  #toc {
+    position: fixed;
+    z-index: 2;
+    top: 0;
+    right: 0;
+    padding: 0;
+    margin: 0;
+    background-color: inherit;
+    border-bottom: 1px solid #ccc;
+  }
+  #toc h2 {
+    margin: -1px 0 0 0;
+    padding: 4px 0 4px 6px;
+    padding-right: 1em;
+    min-width: 190px;
+    font-size: 1.1em;
+    text-align: right;
+    background-color: #444;
+    color: white;
+    cursor: pointer;
+  }
+  #toc h2::before { /* css hamburger */
+    float: right;
+    position: relative;
+    width: 1em;
+    height: 1px;
+    left: -164px;
+    margin: 6px 0 0 0;
+    background: white none repeat scroll 0 0;
+    box-shadow: 0 4px 0 0 white, 0 8px 0 0 white;
+    content: "";
+  }
+  #toc nav {
+    display: none;
+    padding: 0.5em 1em 1em;
+    overflow: auto;
+    height: calc(100vh - 48px);
+    border-left: 1px solid #ddd;
+  }
+}
+
+/* alternative layout for wide screens */
+@media screen and (min-width: 1024px) {
+  body {
+    max-width: 724px;
+    margin: 42px auto;
+    padding-left: 1.5em;
+    padding-right: 29em;
+  }
+  #toc {
+    position: fixed;
+    top: 42px;
+    right: 42px;
+    width: 25%;
+    margin: 0;
+    padding: 0 1em;
+    z-index: 1;
+  }
+  #toc h2 {
+    border-top: none;
+    border-bottom: 1px solid #ddd;
+    font-size: 1em;
+    font-weight: normal;
+    margin: 0;
+    padding: 0.25em 1em 1em 0;
+  }
+  #toc nav {
+    display: block;
+    height: calc(90vh - 84px);
+    bottom: 0;
+    padding: 0.5em 0 0;
+    overflow: auto;
+  }
+  img { /* future proofing */
+    max-width: 100%;
+    height: auto;
+  }
+}
+
+/* pagination */
+@media print {
+  body {
+
+    width: 100%;
+  }
+  p {
+    orphans: 3;
+    widows: 3;
+  }
+  #n-copyright-notice {
+    border-bottom: none;
+  }
+  #toc, #n-introduction {
+    page-break-before: always;
+  }
+  #toc {
+    border-top: none;
+    padding-top: 0;
+  }
+  figure, pre {
+    page-break-inside: avoid;
+  }
+  figure {
+    overflow: scroll;
+  }
+  h1, h2, h3, h4, h5, h6 {
+    page-break-after: avoid;
+  }
+  h2+*, h3+*, h4+*, h5+*, h6+* {
+    page-break-before: avoid;
+  }
+  pre {
+    white-space: pre-wrap;
+    word-wrap: break-word;
+    font-size: 10pt;
+  }
+  table {
+    border: 1px solid #ddd;
+  }
+  td {
+    border-top: 1px solid #ddd;
+  }
+}
+
+/* This is commented out here, as the string-set: doesn't
+   pass W3C validation currently */
+/*
+.ears thead .left {
+  string-set: ears-top-left content();
+}
+
+.ears thead .center {
+  string-set: ears-top-center content();
+}
+
+.ears thead .right {
+  string-set: ears-top-right content();
+}
+
+.ears tfoot .left {
+  string-set: ears-bottom-left content();
+}
+
+.ears tfoot .center {
+  string-set: ears-bottom-center content();
+}
+
+.ears tfoot .right {
+  string-set: ears-bottom-right content();
+}
+*/
+
+@page :first {
+  padding-top: 0;
+  @top-left {
+    content: normal;
+    border: none;
+  }
+  @top-center {
+    content: normal;
+    border: none;
+  }
+  @top-right {
+    content: normal;
+    border: none;
+  }
+}
+
+@page {
+  size: A4;
+  margin-bottom: 45mm;
+  padding-top: 20px;
+  /* The follwing is commented out here, but set appropriately by in code, as
+     the content depends on the document */
+  /*
+  @top-left {
+    content: 'Internet-Draft';
+    vertical-align: bottom;
+    border-bottom: solid 1px #ccc;
+  }
+  @top-left {
+    content: string(ears-top-left);
+    vertical-align: bottom;
+    border-bottom: solid 1px #ccc;
+  }
+  @top-center {
+    content: string(ears-top-center);
+    vertical-align: bottom;
+    border-bottom: solid 1px #ccc;
+  }
+  @top-right {
+    content: string(ears-top-right);
+    vertical-align: bottom;
+    border-bottom: solid 1px #ccc;
+  }
+  @bottom-left {
+    content: string(ears-bottom-left);
+    vertical-align: top;
+    border-top: solid 1px #ccc;
+  }
+  @bottom-center {
+    content: string(ears-bottom-center);
+    vertical-align: top;
+    border-top: solid 1px #ccc;
+  }
+  @bottom-right {
+      content: '[Page ' counter(page) ']';
+      vertical-align: top;
+      border-top: solid 1px #ccc;
+  }
+  */
+
+}
+
+/* Changes introduced to fix issues found during implementation */
+/* Make sure links are clickable even if overlapped by following H* */
+a {
+  z-index: 2;
+}
+/* Separate body from document info even without intervening H1 */
+section {
+  clear: both;
+}
 
 
-  <meta name="generator" content="xml2rfc version 2.23.1 - https://tools.ietf.org/tools/xml2rfc" />
-  <link rel="schema.dct" href="http://purl.org/dc/terms/" />
+/* Top align author divs, to avoid names without organization dropping level with org names */
+.author {
+  vertical-align: top;
+}
 
-  <meta name="dct.creator" content="Dulaunoy, A., Iklody, A., and D. Servili" />
-  <meta name="dct.identifier" content="urn:ietf:id:" />
-  <meta name="dct.issued" scheme="ISO8601" content="2019-10-04" />
-  <meta name="dct.abstract" content="This document describes the MISP galaxy format which describes a simple JSON format to represent galaxies and clusters that can be attached to MISP events or attributes. A public directory of MISP galaxies is available and relies on the MISP galaxy format. MISP galaxies are used to add further informations on a MISP event. MISP galaxy is a public repository   of known malware, threats actors and various other collections of data that can be used to mark, classify or label data in threat information sharing." />
-  <meta name="description" content="This document describes the MISP galaxy format which describes a simple JSON format to represent galaxies and clusters that can be attached to MISP events or attributes. A public directory of MISP galaxies is available and relies on the MISP galaxy format. MISP galaxies are used to add further informations on a MISP event. MISP galaxy is a public repository   of known malware, threats actors and various other collections of data that can be used to mark, classify or label data in threat information sharing." />
+/* Leave room in document info to show Internet-Draft on one line */
+#identifiers dt {
+  width: 8em;
+}
 
+/* Don't waste quite as much whitespace between label and value in doc info */
+#identifiers dd {
+  margin-left: 1em;
+}
+
+/* Give floating toc a background color (needed when it's a div inside section */
+#toc {
+  background-color: white;
+}
+
+/* Make the collapsed ToC header render white on gray also when it's a link */
+@media screen and (max-width: 1023px) {
+  #toc h2 a,
+  #toc h2 a:link,
+  #toc h2 a:focus,
+  #toc h2 a:hover,
+  #toc a.toplink,
+  #toc a.toplink:hover {
+    color: white;
+    background-color: #444;
+    text-decoration: none;
+  }
+}
+
+/* Give the bottom of the ToC some whitespace */
+@media screen and (min-width: 1024px) {
+  #toc {
+    padding: 0 0 1em 1em;
+  }
+}
+
+/* Style section numbers with more space between number and title */
+.section-number {
+  padding-right: 0.5em;
+}
+
+/* prevent monospace from becoming overly large */
+tt, code, pre, code {
+  font-size: 95%;
+}
+
+/* Fix the height/width aspect for ascii art*/
+pre.sourcecode,
+.art-text pre {
+  line-height: 1.12;
+}
+
+
+/* Add styling for a link in the ToC that points to the top of the document */
+a.toplink {
+  float: right;
+  margin-right: 0.5em;
+}
+
+/* Fix the dl styling to match the RFC 7992 attributes */
+dl > dt,
+dl.dlParallel > dt {
+  float: left;
+  margin-right: 1em;
+}
+dl.dlNewline > dt {
+  float: none;
+}
+
+/* Provide styling for table cell text alignment */
+table td.text-left,
+table th.text-left {
+  text-align: left;
+}
+table td.text-center,
+table th.text-center {
+  text-align: center;
+}
+table td.text-right,
+table th.text-right {
+  text-align: right;
+}
+
+/* Make the alternative author contact informatio look less like just another
+   author, and group it closer with the primary author contact information */
+.alternative-contact {
+  margin: 0.5em 0 0.25em 0;
+}
+address .non-ascii {
+  margin: 0 0 0 2em;
+}
+
+/* With it being possible to set tables with alignment
+  left, center, and right, { width: 100%; } does not make sense */
+table {
+  width: auto;
+}
+
+/* Avoid reference text that sits in a block with very wide left margin,
+   because of a long floating dt label.*/
+.references dd {
+  overflow: visible;
+}
+
+/* Control caption placement */
+caption {
+  caption-side: bottom;
+}
+
+/* Limit the width of the author address vcard, so names in right-to-left
+   script don't end up on the other side of the page. */
+
+address.vcard {
+  max-width: 30em;
+  margin-right: auto;
+}
+
+/* For address alignment dependent on LTR or RTL scripts */
+address div.left {
+  text-align: left;
+}
+address div.right {
+  text-align: right;
+}
+
+/* Provide table alignment support.  We can't use the alignX classes above
+   since they do unwanted things with caption and other styling. */
+table.right {
+ margin-left: auto;
+ margin-right: 0;
+}
+table.center {
+ margin-left: auto;
+ margin-right: auto;
+}
+table.left {
+ margin-left: 0;
+ margin-right: auto;
+}
+
+/* Give the table caption label the same styling as the figcaption */
+caption a[href] {
+  color: #222;
+}
+
+@media print {
+  .toplink {
+    display: none;
+  }
+
+  /* avoid overwriting the top border line with the ToC header */
+  #toc {
+    padding-top: 1px;
+  }
+
+  /* Avoid page breaks inside dl and author address entries */
+  .vcard {
+    page-break-inside: avoid;
+  }
+
+}
+/* Tweak the bcp14 keyword presentation */
+.bcp14 {
+  font-variant: small-caps;
+  font-weight: bold;
+  font-size: 0.9em;
+}
+/* Tweak the invisible space above H* in order not to overlay links in text above */
+ h2 {
+  margin-top: -18px;  /* provide offset for in-page anchors */
+  padding-top: 31px;
+ }
+ h3 {
+  margin-top: -18px;  /* provide offset for in-page anchors */
+  padding-top: 24px;
+ }
+ h4 {
+  margin-top: -18px;  /* provide offset for in-page anchors */
+  padding-top: 24px;
+ }
+/* Float artwork pilcrow to the right */
+@media screen {
+  .artwork a.pilcrow {
+    display: block;
+    line-height: 0.7;
+    margin-top: 0.15em;
+  }
+}
+/* Make pilcrows on dd visible */
+@media screen {
+  dd:hover > a.pilcrow {
+    visibility: visible;
+  }
+}
+/* Make the placement of figcaption match that of a table's caption
+   by removing the figure's added bottom margin */
+.alignLeft.art-text,
+.alignCenter.art-text,
+.alignRight.art-text {
+   margin-bottom: 0;
+}
+.alignLeft,
+.alignCenter,
+.alignRight {
+  margin: 1em 0 0 0;
+}
+/* In print, the pilcrow won't show on hover, so prevent it from taking up space,
+   possibly even requiring a new line */
+@media print {
+  a.pilcrow {
+    display: none;
+  }
+}
+/* Styling for the external metadata */
+div#external-metadata {
+  background-color: #eee;
+  padding: 0.5em;
+  margin-bottom: 0.5em;
+  display: none;
+}
+div#internal-metadata {
+  padding: 0.5em;                       /* to match the external-metadata padding */
+}
+/* Styling for title RFC Number */
+h1#rfcnum {
+  clear: both;
+  margin: 0 0 -1em;
+  padding: 1em 0 0 0;
+}
+/* Make .olPercent look the same as <ol><li> */
+dl.olPercent > dd {
+  margin-bottom: 0.25em;
+  min-height: initial;
+}
+/* Give aside some styling to set it apart */
+aside {
+  border-left: 1px solid #ddd;
+  margin: 1em 0 1em 2em;
+  padding: 0.2em 2em;
+}
+aside > dl,
+aside > ol,
+aside > ul,
+aside > table,
+aside > p {
+  margin-bottom: 0.5em;
+}
+/* Additional page break settings */
+@media print {
+  figcaption, table caption {
+    page-break-before: avoid;
+  }
+}
+/* Font size adjustments for print */
+@media print {
+  body  { font-size: 10pt;      line-height: normal; max-width: 96%; }
+  h1    { font-size: 1.72em;    padding-top: 1.5em; } /* 1*1.2*1.2*1.2 */
+  h2    { font-size: 1.44em;    padding-top: 1.5em; } /* 1*1.2*1.2 */
+  h3    { font-size: 1.2em;     padding-top: 1.5em; } /* 1*1.2 */
+  h4    { font-size: 1em;       padding-top: 1.5em; }
+  h5, h6 { font-size: 1em;      margin: initial; padding: 0.5em 0 0.3em; }
+}
+/* Sourcecode margin in print, when there's no pilcrow */
+@media print {
+  .artwork,
+  .sourcecode {
+    margin-bottom: 1em;
+  }
+}
+/* Avoid narrow tables forcing too narrow table captions, which may render badly */
+table {
+  min-width: 20em;
+}
+/* ol type a */
+ol.type-a { list-style-type: lower-alpha; }
+ol.type-A { list-style-type: upper-alpha; }
+ol.type-i { list-style-type: lower-roman; }
+ol.type-I { list-style-type: lower-roman; }
+/* Apply the print table and row borders in general, on request from the RPC,
+and increase the contrast between border and odd row background sligthtly */
+table {
+  border: 1px solid #ddd;
+}
+td {
+  border-top: 1px solid #ddd;
+}
+tr:nth-child(2n+1) > td {
+  background-color: #f8f8f8;
+}
+/* Use style rules to govern display of the TOC. */
+@media screen and (max-width: 1023px) {
+  #toc nav { display: none; }
+  #toc.active nav { display: block; }
+}
+/* Add support for keepWithNext */
+.keepWithNext {
+  break-after: avoid-page;
+  break-after: avoid-page;
+}
+/* Add support for keepWithPrevious */
+.keepWithPrevious {
+  break-before: avoid-page;
+}
+/* Change the approach to avoiding breaks inside artwork etc. */
+figure, pre, table, .artwork, .sourcecode  {
+  break-before: avoid-page;
+  break-after: auto;
+}
+/* Avoid breaks between <dt> and <dd> */
+dl {
+  break-before: auto;
+  break-inside: auto;
+}
+dt {
+  break-before: auto;
+  break-after: avoid-page;
+}
+dd {
+  break-before: avoid-page;
+  break-after: auto;
+  orphans: 3;
+  widows: 3
+}
+span.break, dd.break {
+  margin-bottom: 0;
+  min-height: 0;
+  break-before: auto;
+  break-inside: auto;
+  break-after: auto;
+}
+/* Undo break-before ToC */
+@media print {
+  #toc {
+    break-before: auto;
+  }
+}
+/* Text in compact lists should not get extra bottim margin space,
+   since that would makes the list not compact */
+ul.compact p, .ulCompact p,
+ol.compact p, .olCompact p {
+ margin: 0;
+}
+/* But the list as a whole needs the extra space at the end */
+section ul.compact,
+section .ulCompact,
+section ol.compact,
+section .olCompact {
+  margin-bottom: 1em;                    /* same as p not within ul.compact etc. */
+}
+/* The tt and code background above interferes with for instance table cell
+   backgrounds.  Changed to something a bit more selective. */
+tt, code {
+  background-color: transparent;
+}
+p tt, p code, li tt, li code {
+  background-color: #f8f8f8;
+}
+/* Tweak the pre margin -- 0px doesn't come out well */
+pre {
+   margin-top: 0.5px;
+}
+/* Tweak the comact list text */
+ul.compact, .ulCompact,
+ol.compact, .olCompact,
+dl.compact, .dlCompact {
+  line-height: normal;
+}
+/* Don't add top margin for nested lists */
+li > ul, li > ol, li > dl,
+dd > ul, dd > ol, dd > dl,
+dl > dd > dl {
+  margin-top: initial;
+}
+/* Elements that should not be rendered on the same line as a <dt> */
+/* This should match the element list in writer.text.TextWriter.render_dl() */
+dd > div.artwork:first-child,
+dd > aside:first-child,
+dd > figure:first-child,
+dd > ol:first-child,
+dd > div:first-child > pre.sourcecode,
+dd > table:first-child,
+dd > ul:first-child {
+  clear: left;
+}
+/* fix for weird browser behaviour when <dd/> is empty */
+dt+dd:empty::before{
+  content: "\00a0";
+}
+/* Make paragraph spacing inside <li> smaller than in body text, to fit better within the list */
+li > p {
+  margin-bottom: 0.5em
+}
+/* Don't let p margin spill out from inside list items */
+li > p:last-of-type {
+  margin-bottom: 0;
+}
+</style>
+<link href="rfc-local.css" rel="stylesheet" type="text/css">
+<script type="application/javascript">async function addMetadata(){try{const e=document.styleSheets[0].cssRules;for(let t=0;t<e.length;t++)if(/#identifiers/.exec(e[t].selectorText)){const a=e[t].cssText.replace("#identifiers","#external-updates");document.styleSheets[0].insertRule(a,document.styleSheets[0].cssRules.length)}}catch(e){console.log(e)}const e=document.getElementById("external-metadata");if(e)try{var t,a="",o=function(e){const t=document.getElementsByTagName("meta");for(let a=0;a<t.length;a++)if(t[a].getAttribute("name")===e)return t[a].getAttribute("content");return""}("rfc.number");if(o){t="https://www.rfc-editor.org/rfc/rfc"+o+".json";try{const e=await fetch(t);a=await e.json()}catch(e){t=document.URL.indexOf("html")>=0?document.URL.replace(/html$/,"json"):document.URL+".json";const o=await fetch(t);a=await o.json()}}if(!a)return;e.style.display="block";const s="",d="https://datatracker.ietf.org/doc",n="https://datatracker.ietf.org/ipr/search",c="https://www.rfc-editor.org/info",l=a.doc_id.toLowerCase(),i=a.doc_id.slice(0,3).toLowerCase(),f=a.doc_id.slice(3).replace(/^0+/,""),u={status:"Status",obsoletes:"Obsoletes",obsoleted_by:"Obsoleted By",updates:"Updates",updated_by:"Updated By",see_also:"See Also",errata_url:"Errata"};let h="<dl style='overflow:hidden' id='external-updates'>";["status","obsoletes","obsoleted_by","updates","updated_by","see_also","errata_url"].forEach(e=>{if("status"==e){a[e]=a[e].toLowerCase();var t=a[e].split(" "),o=t.length,w="",p=1;for(let e=0;e<o;e++)p<o?w=w+r(t[e])+" ":w+=r(t[e]),p++;a[e]=w}else if("obsoletes"==e||"obsoleted_by"==e||"updates"==e||"updated_by"==e){var g,m="",b=1;g=a[e].length;for(let t=0;t<g;t++)a[e][t]&&(a[e][t]=String(a[e][t]).toLowerCase(),m=b<g?m+"<a href='"+s+"/rfc/".concat(a[e][t])+"'>"+a[e][t].slice(3)+"</a>, ":m+"<a href='"+s+"/rfc/".concat(a[e][t])+"'>"+a[e][t].slice(3)+"</a>",b++);a[e]=m}else if("see_also"==e){var y,L="",C=1;y=a[e].length;for(let t=0;t<y;t++)if(a[e][t]){a[e][t]=String(a[e][t]);var _=a[e][t].slice(0,3),v=a[e][t].slice(3).replace(/^0+/,"");L=C<y?"RFC"!=_?L+"<a href='"+s+"/info/"+_.toLowerCase().concat(v.toLowerCase())+"'>"+_+" "+v+"</a>, ":L+"<a href='"+s+"/info/"+_.toLowerCase().concat(v.toLowerCase())+"'>"+v+"</a>, ":"RFC"!=_?L+"<a href='"+s+"/info/"+_.toLowerCase().concat(v.toLowerCase())+"'>"+_+" "+v+"</a>":L+"<a href='"+s+"/info/"+_.toLowerCase().concat(v.toLowerCase())+"'>"+v+"</a>",C++}a[e]=L}else if("errata_url"==e){var R="";R=a[e]?R+"<a href='"+a[e]+"'>Errata exist</a> | <a href='"+d+"/"+l+"'>Datatracker</a>| <a href='"+n+"/?"+i+"="+f+"&submit="+i+"'>IPR</a> | <a href='"+c+"/"+l+"'>Info page</a>":"<a href='"+d+"/"+l+"'>Datatracker</a> | <a href='"+n+"/?"+i+"="+f+"&submit="+i+"'>IPR</a> | <a href='"+c+"/"+l+"'>Info page</a>",a[e]=R}""!=a[e]?"Errata"==u[e]?h+=`<dt>More info:</dt><dd>${a[e]}</dd>`:h+=`<dt>${u[e]}:</dt><dd>${a[e]}</dd>`:"Errata"==u[e]&&(h+=`<dt>More info:</dt><dd>${a[e]}</dd>`)}),h+="</dl>",e.innerHTML=h}catch(e){console.log(e)}else console.log("Could not locate metadata <div> element");function r(e){return e.charAt(0).toUpperCase()+e.slice(1)}}window.removeEventListener("load",addMetadata),window.addEventListener("load",addMetadata);</script>
 </head>
-
 <body>
-
-  <table class="header">
-    <tbody>
-    
-    	<tr>
-<td class="left">Network Working Group</td>
-<td class="right">A. Dulaunoy</td>
-</tr>
-<tr>
+<script src="metadata.min.js"></script>
+<table class="ears">
+<thead><tr>
 <td class="left">Internet-Draft</td>
-<td class="right">A. Iklody</td>
-</tr>
-<tr>
-<td class="left">Expires: April 6, 2020</td>
-<td class="right">D. Servili</td>
-</tr>
-<tr>
-<td class="left"></td>
-<td class="right">CIRCL</td>
-</tr>
-<tr>
-<td class="left"></td>
-<td class="right">October 4, 2019</td>
-</tr>
-
-    	
-    </tbody>
-  </table>
-
-  <p class="title">MISP galaxy format<br />
-  <span class="filename"></span></p>
-  
-  <h1 id="rfc.abstract"><a href="#rfc.abstract">Abstract</a></h1>
-<p>This document describes the MISP galaxy format which describes a simple JSON format to represent galaxies and clusters that can be attached to MISP events or attributes. A public directory of MISP galaxies is available and relies on the MISP galaxy format. MISP galaxies are used to add further informations on a MISP event. MISP galaxy is a public repository <a href="#MISP-G" class="xref">[MISP-G]</a> <a href="#MISP-G-DOC" class="xref">[MISP-G-DOC]</a> of known malware, threats actors and various other collections of data that can be used to mark, classify or label data in threat information sharing.</p>
-<h1 id="rfc.status"><a href="#rfc.status">Status of This Memo</a></h1>
-<p>This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.</p>
-<p>Internet-Drafts are working documents of the Internet Engineering Task Force (IETF).  Note that other groups may also distribute working documents as Internet-Drafts.  The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.</p>
-<p>Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time.  It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."</p>
-<p>This Internet-Draft will expire on April 6, 2020.</p>
-<h1 id="rfc.copyrightnotice"><a href="#rfc.copyrightnotice">Copyright Notice</a></h1>
-<p>Copyright (c) 2019 IETF Trust and the persons identified as the document authors.  All rights reserved.</p>
-<p>This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document.  Please review these documents carefully, as they describe your rights and restrictions with respect to this document.  Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.</p>
-
-  
-  <hr class="noprint" />
-  <h1 class="np" id="rfc.toc"><a href="#rfc.toc">Table of Contents</a></h1>
-  <ul class="toc">
-
-  	<li>1.   <a href="#rfc.section.1">Introduction</a>
+<td class="center">MISP galaxy format</td>
+<td class="right">November 2021</td>
+</tr></thead>
+<tfoot><tr>
+<td class="left">Dulaunoy, et al.</td>
+<td class="center">Expires 25 May 2022</td>
+<td class="right">[Page]</td>
+</tr></tfoot>
+</table>
+<div id="external-metadata" class="document-information"></div>
+<div id="internal-metadata" class="document-information">
+<dl id="identifiers">
+<dt class="label-workgroup">Workgroup:</dt>
+<dd class="workgroup">Network Working Group</dd>
+<dt class="label-internet-draft">Internet-Draft:</dt>
+<dd class="internet-draft">draft-00</dd>
+<dt class="label-published">Published:</dt>
+<dd class="published">
+<time datetime="2021-11-21" class="published">21 November 2021</time>
+    </dd>
+<dt class="label-intended-status">Intended Status:</dt>
+<dd class="intended-status">Informational</dd>
+<dt class="label-expires">Expires:</dt>
+<dd class="expires"><time datetime="2022-05-25">25 May 2022</time></dd>
+<dt class="label-authors">Authors:</dt>
+<dd class="authors">
+<div class="author">
+      <div class="author-name">A. Dulaunoy</div>
+<div class="org">CIRCL</div>
+</div>
+<div class="author">
+      <div class="author-name">A. Iklody</div>
+<div class="org">CIRCL</div>
+</div>
+<div class="author">
+      <div class="author-name">D. Servili</div>
+<div class="org">CIRCL</div>
+</div>
+</dd>
+</dl>
+</div>
+<h1 id="title">MISP galaxy format</h1>
+<section id="section-abstract">
+      <h2 id="abstract"><a href="#abstract" class="selfRef">Abstract</a></h2>
+<p id="section-abstract-1">This document describes the MISP galaxy format which describes a simple JSON format to represent galaxies and clusters that can be attached to MISP events or attributes. A public directory of MISP galaxies is available and relies on the MISP galaxy format. MISP galaxies are used to add further informations on a MISP event. MISP galaxy is a public repository <span>[<a href="#MISP-G" class="xref">MISP-G</a>]</span> <span>[<a href="#MISP-G-DOC" class="xref">MISP-G-DOC</a>]</span> of known malware, threats actors and various other collections of data that can be used to mark, classify or label data in threat information sharing.<a href="#section-abstract-1" class="pilcrow">¶</a></p>
+</section>
+<div id="status-of-memo">
+<section id="section-boilerplate.1">
+        <h2 id="name-status-of-this-memo">
+<a href="#name-status-of-this-memo" class="section-name selfRef">Status of This Memo</a>
+        </h2>
+<p id="section-boilerplate.1-1">
+        This Internet-Draft is submitted in full conformance with the
+        provisions of BCP 78 and BCP 79.<a href="#section-boilerplate.1-1" class="pilcrow">¶</a></p>
+<p id="section-boilerplate.1-2">
+        Internet-Drafts are working documents of the Internet Engineering Task
+        Force (IETF). Note that other groups may also distribute working
+        documents as Internet-Drafts. The list of current Internet-Drafts is
+        at <span><a href="https://datatracker.ietf.org/drafts/current/">https://datatracker.ietf.org/drafts/current/</a></span>.<a href="#section-boilerplate.1-2" class="pilcrow">¶</a></p>
+<p id="section-boilerplate.1-3">
+        Internet-Drafts are draft documents valid for a maximum of six months
+        and may be updated, replaced, or obsoleted by other documents at any
+        time. It is inappropriate to use Internet-Drafts as reference
+        material or to cite them other than as "work in progress."<a href="#section-boilerplate.1-3" class="pilcrow">¶</a></p>
+<p id="section-boilerplate.1-4">
+        This Internet-Draft will expire on 25 May 2022.<a href="#section-boilerplate.1-4" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="copyright">
+<section id="section-boilerplate.2">
+        <h2 id="name-copyright-notice">
+<a href="#name-copyright-notice" class="section-name selfRef">Copyright Notice</a>
+        </h2>
+<p id="section-boilerplate.2-1">
+            Copyright (c) 2021 IETF Trust and the persons identified as the
+            document authors. All rights reserved.<a href="#section-boilerplate.2-1" class="pilcrow">¶</a></p>
+<p id="section-boilerplate.2-2">
+            This document is subject to BCP 78 and the IETF Trust's Legal
+            Provisions Relating to IETF Documents
+            (<span><a href="https://trustee.ietf.org/license-info">https://trustee.ietf.org/license-info</a></span>) in effect on the date of
+            publication of this document. Please review these documents
+            carefully, as they describe your rights and restrictions with
+            respect to this document.<a href="#section-boilerplate.2-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="toc">
+<section id="section-toc.1">
+        <a href="#" onclick="scroll(0,0)" class="toplink">▲</a><h2 id="name-table-of-contents">
+<a href="#name-table-of-contents" class="section-name selfRef">Table of Contents</a>
+        </h2>
+<nav class="toc"><ul class="ulEmpty ulBare compact toc">
+<li class="ulEmpty ulBare compact toc" id="section-toc.1-1.1">
+            <p id="section-toc.1-1.1.1" class="keepWithNext"><a href="#section-1" class="xref">1</a>.  <a href="#name-introduction" class="xref">Introduction</a></p>
+<ul class="ulEmpty compact toc ulBare">
+<li class="ulEmpty compact toc ulBare" id="section-toc.1-1.1.2.1">
+                <p id="section-toc.1-1.1.2.1.1" class="keepWithNext"><a href="#section-1.1" class="xref">1.1</a>.  <a href="#name-conventions-and-terminology" class="xref">Conventions and Terminology</a></p>
 </li>
-<ul><li>1.1.   <a href="#rfc.section.1.1">Conventions and Terminology</a>
+            </ul>
 </li>
-</ul><li>2.   <a href="#rfc.section.2">Format</a>
+          <li class="ulEmpty ulBare compact toc" id="section-toc.1-1.2">
+            <p id="section-toc.1-1.2.1"><a href="#section-2" class="xref">2</a>.  <a href="#name-format" class="xref">Format</a></p>
+<ul class="ulEmpty compact toc ulBare">
+<li class="ulEmpty compact toc ulBare" id="section-toc.1-1.2.2.1">
+                <p id="section-toc.1-1.2.2.1.1" class="keepWithNext"><a href="#section-2.1" class="xref">2.1</a>.  <a href="#name-overview" class="xref">Overview</a></p>
 </li>
-<ul><li>2.1.   <a href="#rfc.section.2.1">Overview</a>
+              <li class="ulEmpty compact toc ulBare" id="section-toc.1-1.2.2.2">
+                <p id="section-toc.1-1.2.2.2.1"><a href="#section-2.2" class="xref">2.2</a>.  <a href="#name-values" class="xref">values</a></p>
 </li>
-<li>2.2.   <a href="#rfc.section.2.2">values</a>
+              <li class="ulEmpty compact toc ulBare" id="section-toc.1-1.2.2.3">
+                <p id="section-toc.1-1.2.2.3.1"><a href="#section-2.3" class="xref">2.3</a>.  <a href="#name-related" class="xref">related</a></p>
 </li>
-<li>2.3.   <a href="#rfc.section.2.3">related</a>
+              <li class="ulEmpty compact toc ulBare" id="section-toc.1-1.2.2.4">
+                <p id="section-toc.1-1.2.2.4.1"><a href="#section-2.4" class="xref">2.4</a>.  <a href="#name-meta" class="xref">meta</a></p>
 </li>
-<li>2.4.   <a href="#rfc.section.2.4">meta</a>
+            </ul>
 </li>
-</ul><li>3.   <a href="#rfc.section.3">JSON Schema</a>
+          <li class="ulEmpty ulBare compact toc" id="section-toc.1-1.3">
+            <p id="section-toc.1-1.3.1"><a href="#section-3" class="xref">3</a>.  <a href="#name-json-schema" class="xref">JSON Schema</a></p>
+<ul class="ulEmpty compact toc ulBare">
+<li class="ulEmpty compact toc ulBare" id="section-toc.1-1.3.2.1">
+                <p id="section-toc.1-1.3.2.1.1"><a href="#section-3.1" class="xref">3.1</a>.  <a href="#name-misp-galaxy-format-galaxy" class="xref">MISP galaxy format - galaxy</a></p>
 </li>
-<ul><li>3.1.   <a href="#rfc.section.3.1">MISP galaxy format - galaxy</a>
+              <li class="ulEmpty compact toc ulBare" id="section-toc.1-1.3.2.2">
+                <p id="section-toc.1-1.3.2.2.1"><a href="#section-3.2" class="xref">3.2</a>.  <a href="#name-misp-galaxy-format-clusters" class="xref">MISP galaxy format - clusters</a></p>
 </li>
-<li>3.2.   <a href="#rfc.section.3.2">MISP galaxy format - clusters</a>
+            </ul>
 </li>
-</ul><li>4.   <a href="#rfc.section.4">Acknowledgements</a>
+          <li class="ulEmpty ulBare compact toc" id="section-toc.1-1.4">
+            <p id="section-toc.1-1.4.1"><a href="#section-4" class="xref">4</a>.  <a href="#name-acknowledgements" class="xref">Acknowledgements</a></p>
 </li>
-<li>5.   <a href="#rfc.references">References</a>
+          <li class="ulEmpty ulBare compact toc" id="section-toc.1-1.5">
+            <p id="section-toc.1-1.5.1"><a href="#section-5" class="xref">5</a>.  <a href="#name-normative-references" class="xref">Normative References</a></p>
 </li>
-<ul><li>5.1.   <a href="#rfc.references.1">Normative References</a>
+          <li class="ulEmpty ulBare compact toc" id="section-toc.1-1.6">
+            <p id="section-toc.1-1.6.1"><a href="#section-6" class="xref">6</a>.  <a href="#name-informative-references" class="xref">Informative References</a></p>
 </li>
-<li>5.2.   <a href="#rfc.references.2">Informative References</a>
+          <li class="ulEmpty ulBare compact toc" id="section-toc.1-1.7">
+            <p id="section-toc.1-1.7.1"><a href="#appendix-A" class="xref"></a><a href="#name-authors-addresses" class="xref">Authors' Addresses</a></p>
 </li>
-</ul><li><a href="#rfc.authors">Authors' Addresses</a>
-</li>
-
-
-  </ul>
-
-  <h1 id="rfc.section.1">
-<a href="#rfc.section.1">1.</a> <a href="#introduction" id="introduction">Introduction</a>
-</h1>
-<p id="rfc.section.1.p.1">Sharing threat information became a fundamental requirements on the Internet, security and intelligence community at large. Threat information can include indicators of compromise, malicious file indicators, financial fraud indicators or even detailed information about a threat actor. Some of these informations, such as malware or threat actors are common to several security events. MISP galaxy is a public repository <a href="#MISP-G" class="xref">[MISP-G]</a> of known malware, threats actors and various other collections of data that can be used to mark, classify or label data in threat information sharing.</p>
-<p id="rfc.section.1.p.2">In the MISP galaxy context, clusters help analysts to give more informations about their cybersecurity events, indicators or threats. MISP galaxies can be used for classification, filtering, triggering actions or visualisation depending on their use in threat intelligence platforms such as MISP <a href="#MISP-P" class="xref">[MISP-P]</a>.</p>
-<h1 id="rfc.section.1.1">
-<a href="#rfc.section.1.1">1.1.</a> <a href="#conventions-and-terminology" id="conventions-and-terminology">Conventions and Terminology</a>
-</h1>
-<p id="rfc.section.1.1.p.1">The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 <a href="#RFC2119" class="xref">[RFC2119]</a>.</p>
-<h1 id="rfc.section.2">
-<a href="#rfc.section.2">2.</a> <a href="#format" id="format">Format</a>
-</h1>
-<p id="rfc.section.2.p.1">A cluster is composed of a value (MUST), a description (OPTIONAL) and metadata (OPTIONAL).</p>
-<p id="rfc.section.2.p.2">Clusters are represented as a JSON <a href="#RFC8259" class="xref">[RFC8259]</a> dictionary.</p>
-<h1 id="rfc.section.2.1">
-<a href="#rfc.section.2.1">2.1.</a> <a href="#overview" id="overview">Overview</a>
-</h1>
-<p id="rfc.section.2.1.p.1">The MISP galaxy format uses the JSON <a href="#RFC8259" class="xref">[RFC8259]</a> format. Each galaxy is represented as a JSON object with meta information including the following fields: name, uuid, description, version, type, authors, source, values, category.</p>
-<p id="rfc.section.2.1.p.2">name defines the name of the galaxy. The name is represented as a string and MUST be present. The uuid represents the Universally Unique IDentifier (UUID) <a href="#RFC4122" class="xref">[RFC4122]</a> of the object reference. The uuid MUST be preserved. For any updates or transfer of the same object reference. UUID version 4 is RECOMMENDED when assigning it to a new object reference and MUST be present. The description is represented as a string and MUST be present. The uuid is represented as a string and MUST be present. The version is represented as a decimal and MUST be present. The type is represented as a string and MUST be present and MUST match the name of the galaxy file. The source is represented as a string and MUST be present. Authors are represented as an array containing one or more authors and MUST be present. The category is represented as a string and MUST be present and describes the overall category of the galaxy such as tool or actor.</p>
-<p id="rfc.section.2.1.p.3">Values are represented as an array containing one or more values and MUST be present. Values defines all values available in the galaxy.</p>
-<h1 id="rfc.section.2.2">
-<a href="#rfc.section.2.2">2.2.</a> <a href="#values" id="values">values</a>
-</h1>
-<p id="rfc.section.2.2.p.1">The values array contains one or more JSON objects which represent all the possible values in the galaxy. The JSON object contains four fields: value, description, uuid and meta.  The value is represented as a string and MUST be present. The description is represented as a string and SHOULD be present. The meta or metadata is represented as a JSON list and SHOULD be present.  The uuid represents the Universally Unique IDentifier (UUID) <a href="#RFC4122" class="xref">[RFC4122]</a> of the value reference. The uuid SHOULD can be present and MUST be preserved.</p>
-<h1 id="rfc.section.2.3">
-<a href="#rfc.section.2.3">2.3.</a> <a href="#related" id="related">related</a>
-</h1>
-<p id="rfc.section.2.3.p.1">Related contains a list of JSON key value pairs which describe the related values in this galaxy cluster or to other galaxy clusters. The JSON object contains three fields, dest-uuid, type and tags. The dest-uuid represents the target UUID which encompasses a relation of some type. The dest-uuid is represented as a string and MUST be present. The type is represented as a string and MUST be present and SHOULD be selected from the relationship types available in MISP objects <a href="#MISP-R" class="xref">[MISP-R]</a>.  The tags is a list of string which labels the related relationship such as the level of similarities, level of certainty, trust or confidence in the relationship, false-positive. A tag is represented in machine tag format which is a string an SHOULD be present.</p>
+        </ul>
+</nav>
+</section>
+</div>
+<div id="introduction">
+<section id="section-1">
+      <h2 id="name-introduction">
+<a href="#section-1" class="section-number selfRef">1. </a><a href="#name-introduction" class="section-name selfRef">Introduction</a>
+      </h2>
+<p id="section-1-1">Sharing threat information became a fundamental requirements on the Internet, security and intelligence community at large. Threat information can include indicators of compromise, malicious file indicators, financial fraud indicators or even detailed information about a threat actor. Some of these informations, such as malware or threat actors are common to several security events. MISP galaxy is a public repository <span>[<a href="#MISP-G" class="xref">MISP-G</a>]</span> of known malware, threats actors and various other collections of data that can be used to mark, classify or label data in threat information sharing.<a href="#section-1-1" class="pilcrow">¶</a></p>
+<p id="section-1-2">In the MISP galaxy context, clusters help analysts to give more informations about their cybersecurity events, indicators or threats. MISP galaxies can be used for classification, filtering, triggering actions or visualisation depending on their use in threat intelligence platforms such as MISP <span>[<a href="#MISP-P" class="xref">MISP-P</a>]</span>.<a href="#section-1-2" class="pilcrow">¶</a></p>
+<div id="conventions-and-terminology">
+<section id="section-1.1">
+        <h3 id="name-conventions-and-terminology">
+<a href="#section-1.1" class="section-number selfRef">1.1. </a><a href="#name-conventions-and-terminology" class="section-name selfRef">Conventions and Terminology</a>
+        </h3>
+<p id="section-1.1-1">The key words "<span class="bcp14">MUST</span>", "<span class="bcp14">MUST NOT</span>", "<span class="bcp14">REQUIRED</span>", "<span class="bcp14">SHALL</span>", "<span class="bcp14">SHALL NOT</span>",
+"<span class="bcp14">SHOULD</span>", "<span class="bcp14">SHOULD NOT</span>", "<span class="bcp14">RECOMMENDED</span>", "<span class="bcp14">MAY</span>", and "<span class="bcp14">OPTIONAL</span>" in this
+document are to be interpreted as described in RFC 2119 <span>[<a href="#RFC2119" class="xref">RFC2119</a>]</span>.<a href="#section-1.1-1" class="pilcrow">¶</a></p>
+</section>
+</div>
+</section>
+</div>
+<div id="format">
+<section id="section-2">
+      <h2 id="name-format">
+<a href="#section-2" class="section-number selfRef">2. </a><a href="#name-format" class="section-name selfRef">Format</a>
+      </h2>
+<p id="section-2-1">A cluster is composed of a value (<span class="bcp14">MUST</span>), a description (<span class="bcp14">OPTIONAL</span>) and metadata (<span class="bcp14">OPTIONAL</span>).<a href="#section-2-1" class="pilcrow">¶</a></p>
+<p id="section-2-2">Clusters are represented as a JSON <span>[<a href="#RFC8259" class="xref">RFC8259</a>]</span> dictionary.<a href="#section-2-2" class="pilcrow">¶</a></p>
+<div id="overview">
+<section id="section-2.1">
+        <h3 id="name-overview">
+<a href="#section-2.1" class="section-number selfRef">2.1. </a><a href="#name-overview" class="section-name selfRef">Overview</a>
+        </h3>
+<p id="section-2.1-1">The MISP galaxy format uses the JSON <span>[<a href="#RFC8259" class="xref">RFC8259</a>]</span> format. Each galaxy is represented as a JSON object with meta information including the following fields: name, uuid, description, version, type, authors, source, values, category.<a href="#section-2.1-1" class="pilcrow">¶</a></p>
+<p id="section-2.1-2">name defines the name of the galaxy. The name is represented as a string and <span class="bcp14">MUST</span> be present. The uuid represents the Universally Unique IDentifier (UUID) <span>[<a href="#RFC4122" class="xref">RFC4122</a>]</span> of the object reference. The uuid <span class="bcp14">MUST</span> be preserved. For any updates or transfer of the same object reference. UUID version 4 is <span class="bcp14">RECOMMENDED</span> when assigning it to a new object reference and <span class="bcp14">MUST</span> be present. The description is represented as a string and <span class="bcp14">MUST</span> be present. The uuid is represented as a string and <span class="bcp14">MUST</span> be present. The version is represented as a decimal and <span class="bcp14">MUST</span> be present. The type is represented as a string and <span class="bcp14">MUST</span> be present and <span class="bcp14">MUST</span> match the name of the galaxy file. The source is represented as a string and <span class="bcp14">MUST</span> be present. Authors are represented as an array containing one or more authors and <span class="bcp14">MUST</span> be present. The category is represented as a string and <span class="bcp14">MUST</span> be present and describes the overall category of the galaxy such as tool or actor.<a href="#section-2.1-2" class="pilcrow">¶</a></p>
+<p id="section-2.1-3">Values are represented as an array containing one or more values and <span class="bcp14">MUST</span> be present. Values defines all values available in the galaxy.<a href="#section-2.1-3" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="values">
+<section id="section-2.2">
+        <h3 id="name-values">
+<a href="#section-2.2" class="section-number selfRef">2.2. </a><a href="#name-values" class="section-name selfRef">values</a>
+        </h3>
+<p id="section-2.2-1">The values array contains one or more JSON objects which represent all the possible values in the galaxy. The JSON object contains four fields: value, description, uuid and meta.
+The value is represented as a string and <span class="bcp14">MUST</span> be present. The description is represented as a string and <span class="bcp14">SHOULD</span> be present. The meta or metadata is represented as a JSON list and <span class="bcp14">SHOULD</span> be present.
+The uuid represents the Universally Unique IDentifier (UUID) <span>[<a href="#RFC4122" class="xref">RFC4122</a>]</span> of the value reference. The uuid <span class="bcp14">SHOULD</span> can be present and <span class="bcp14">MUST</span> be preserved.<a href="#section-2.2-1" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="related">
+<section id="section-2.3">
+        <h3 id="name-related">
+<a href="#section-2.3" class="section-number selfRef">2.3. </a><a href="#name-related" class="section-name selfRef">related</a>
+        </h3>
+<p id="section-2.3-1">Related contains a list of JSON key value pairs which describe the related values in this galaxy cluster or to other galaxy clusters. The JSON object contains three fields, dest-uuid, type and tags. The dest-uuid represents the target UUID which encompasses a relation of some type. The dest-uuid is represented as a string and <span class="bcp14">MUST</span> be present. The type is represented as a string and <span class="bcp14">MUST</span> be present and <span class="bcp14">SHOULD</span> be selected from the relationship types available in MISP objects <span>[<a href="#MISP-R" class="xref">MISP-R</a>]</span>.  The tags is a list of string which labels the related relationship such as the level of similarities, level of certainty, trust or confidence in the relationship, false-positive. A tag is represented in machine tag format which is a string an <span class="bcp14">SHOULD</span> be present.<a href="#section-2.3-1" class="pilcrow">¶</a></p>
+<div class="artwork art-text alignLeft" id="section-2.3-2">
 <pre>"related": [ {
   "dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a",
   "type": "similar",
   "tags": ["estimative-language:likelihood-probability=\"very-likely\""]
 } ]
-</pre>
-<h1 id="rfc.section.2.4">
-<a href="#rfc.section.2.4">2.4.</a> <a href="#meta" id="meta">meta</a>
-</h1>
-<p id="rfc.section.2.4.p.1">Meta contains a list of custom defined JSON key value pairs. Users SHOULD reuse commonly used keys such as complexity, effectiveness, country, possible_issues, colour, motive, impact, refs, synonyms, status, date, encryption, extensions, ransomnotes, ransomnotes-filenames, ransomnotes-refs, suspected-victims, suspected-state-sponsor, type-of-incident, target-category, cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-category, suspected-victims, suspected-state-sponsor, attribution-confidence, payment-method, price, spoken-language, official-refs wherever applicable. Additional meta field MAY be added without the need to be referenced or registered in advance.</p>
-<p id="rfc.section.2.4.p.2">refs, synonyms, official-refs SHALL be used to give further informations. refs is represented as an array containing one or more strings and SHALL be present. synonyms is represented as an array containing one or more strings and SHALL be present. official-refs is represented as an array containing one or more strings and SHALL be present.</p>
-<p id="rfc.section.2.4.p.3">date, status MAY be used to give time information about an cluster. date is represented as a string describing a time or period and SHALL be present. status is represented as a string describing the current status of the clusters. It MAY also describe a time or period and SHALL be present.</p>
-<p id="rfc.section.2.4.p.4">colour fields MAY be used at predicates or values level to set a specify colour that MAY be used by the implementation. The colour field is described as an RGB colour fill in hexadecimal representation.</p>
-<p id="rfc.section.2.4.p.5">complexity, effectiveness, impact, possible<em>issues MAY be used to give further information in preventive-measure galaxy. complexity is represented by an enumerated value from a fixed vocabulary and SHALL be present. effectiveness is represented by an enumerated value from a fixed vocabulary and SHALL be present. impact is represented by an enumerated value from a fixed vocabulary and SHALL be present. possible</em>issues is represented as a string and SHOULD be present.</p>
-<p id="rfc.section.2.4.p.6">Example use of the complexity, effectiveness, impact, possible_issues fields in the preventive-measure galaxy:</p>
+</pre><a href="#section-2.3-2" class="pilcrow">¶</a>
+</div>
+</section>
+</div>
+<div id="meta">
+<section id="section-2.4">
+        <h3 id="name-meta">
+<a href="#section-2.4" class="section-number selfRef">2.4. </a><a href="#name-meta" class="section-name selfRef">meta</a>
+        </h3>
+<p id="section-2.4-1">Meta contains a list of custom defined JSON key value pairs. Users <span class="bcp14">SHOULD</span> reuse commonly used keys such as complexity, effectiveness, country, possible_issues, colour, motive, impact, refs, synonyms, status, date, encryption, extensions, ransomnotes, ransomnotes-filenames, ransomnotes-refs, suspected-victims, suspected-state-sponsor, type-of-incident, target-category, cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-category, suspected-victims, suspected-state-sponsor, attribution-confidence, payment-method, price, spoken-language, official-refs wherever applicable. Additional meta field <span class="bcp14">MAY</span> be added without the need to be referenced or registered in advance.<a href="#section-2.4-1" class="pilcrow">¶</a></p>
+<p id="section-2.4-2">refs, synonyms, official-refs <span class="bcp14">SHALL</span> be used to give further informations. refs is represented as an array containing one or more strings and <span class="bcp14">SHALL</span> be present. synonyms is represented as an array containing one or more strings and <span class="bcp14">SHALL</span> be present. official-refs is represented as an array containing one or more strings and <span class="bcp14">SHALL</span> be present.<a href="#section-2.4-2" class="pilcrow">¶</a></p>
+<p id="section-2.4-3">date, status <span class="bcp14">MAY</span> be used to give time information about an cluster. date is represented as a string describing a time or period and <span class="bcp14">SHALL</span> be present. status is represented as a string describing the current status of the clusters. It <span class="bcp14">MAY</span> also describe a time or period and <span class="bcp14">SHALL</span> be present.<a href="#section-2.4-3" class="pilcrow">¶</a></p>
+<p id="section-2.4-4">colour fields <span class="bcp14">MAY</span> be used at predicates or values level to set a specify colour that <span class="bcp14">MAY</span> be used by the implementation. The colour field is described as an RGB colour fill in hexadecimal representation.<a href="#section-2.4-4" class="pilcrow">¶</a></p>
+<p id="section-2.4-5">complexity, effectiveness, impact, possible<em>issues <span class="bcp14">MAY</span> be used to give further information in preventive-measure galaxy. complexity is represented by an enumerated value from a fixed vocabulary and <span class="bcp14">SHALL</span> be present. effectiveness is represented by an enumerated value from a fixed vocabulary and <span class="bcp14">SHALL</span> be present. impact is represented by an enumerated value from a fixed vocabulary and <span class="bcp14">SHALL</span> be present. possible</em>issues is represented as a string and <span class="bcp14">SHOULD</span> be present.<a href="#section-2.4-5" class="pilcrow">¶</a></p>
+<p id="section-2.4-6">Example use of the complexity, effectiveness, impact, possible_issues fields in the preventive-measure galaxy:<a href="#section-2.4-6" class="pilcrow">¶</a></p>
+<div class="artwork art-text alignLeft" id="section-2.4-7">
 <pre>{
   "meta": {
     "refs": [
@@ -545,9 +1415,11 @@
   "description": "Disable Windows Script Host",
   "uuid": "e6df1619-f8b3-476c-b5cf-22b4c9e9dd7f"
 }
-</pre>
-<p id="rfc.section.2.4.p.7">country, motive, spoken-language MAY be used to give further information in threat-actor galaxy. country is represented as a string and SHOULD be present. motive is represented as a string and SHOULD be present. spoken-language is represented as an array containing one or more strings describing a language using ISO 639-2 code and SHALL be present.</p>
-<p id="rfc.section.2.4.p.8">Example use of the country, motive fields in the threat-actor galaxy:</p>
+</pre><a href="#section-2.4-7" class="pilcrow">¶</a>
+</div>
+<p id="section-2.4-8">country, motive, spoken-language <span class="bcp14">MAY</span> be used to give further information in threat-actor galaxy. country is represented as a string and <span class="bcp14">SHOULD</span> be present. motive is represented as a string and <span class="bcp14">SHOULD</span> be present. spoken-language is represented as an array containing one or more strings describing a language using ISO 639-2 code and <span class="bcp14">SHALL</span> be present.<a href="#section-2.4-8" class="pilcrow">¶</a></p>
+<p id="section-2.4-9">Example use of the country, motive fields in the threat-actor galaxy:<a href="#section-2.4-9" class="pilcrow">¶</a></p>
+<div class="artwork art-text alignLeft" id="section-2.4-10">
 <pre>{
   "meta": {
     "country": "CN",
@@ -567,11 +1439,13 @@
   "description": "PLA Navy",
   "uuid": "c82c904f-b3b4-40a2-bf0d-008912953104"
 }
-</pre>
-<p id="rfc.section.2.4.p.9">encryption, extensions, ransomnotes, ransomnotes-filenames, ransomnotes-refs, payment-method, price MAY be used to give further information in ransomware galaxy. encryption is represented as a string and SHALL be present. extensions is represented as an array containing one or more strings and SHALL be present. ransomnotes is represented as an array containing one or more strings ans SHALL be present. ransomnotes-filenames is represented as an array containing one or more strings ans SHALL be present. ransomnotes-refs is represented as an array containing one or more strings ans SHALL be present. payment-method is represented as a string and SHALL be present. price is represented as a string and SHALL be present.</p>
-<p id="rfc.section.2.4.p.10">Example use of the encryption, extensions, ransomnotes fields in the ransomware galaxy:</p>
+</pre><a href="#section-2.4-10" class="pilcrow">¶</a>
+</div>
+<p id="section-2.4-11">encryption, extensions, ransomnotes, ransomnotes-filenames, ransomnotes-refs, payment-method, price <span class="bcp14">MAY</span> be used to give further information in ransomware galaxy. encryption is represented as a string and <span class="bcp14">SHALL</span> be present. extensions is represented as an array containing one or more strings and <span class="bcp14">SHALL</span> be present. ransomnotes is represented as an array containing one or more strings ans <span class="bcp14">SHALL</span> be present. ransomnotes-filenames is represented as an array containing one or more strings ans <span class="bcp14">SHALL</span> be present. ransomnotes-refs is represented as an array containing one or more strings ans <span class="bcp14">SHALL</span> be present. payment-method is represented as a string and <span class="bcp14">SHALL</span> be present. price is represented as a string and <span class="bcp14">SHALL</span> be present.<a href="#section-2.4-11" class="pilcrow">¶</a></p>
+<p id="section-2.4-12">Example use of the encryption, extensions, ransomnotes fields in the ransomware galaxy:<a href="#section-2.4-12" class="pilcrow">¶</a></p>
+<div class="artwork art-text alignLeft" id="section-2.4-13">
 <pre>{
-  "description": "Similar to Samas and BitPaymer, Ryuk is specifically used to target enterprise environments. Code comparison between versions of Ryuk and Hermes ransomware indicates that Ryuk was derived from the Hermes source code and has been under steady development since its release. Hermes is commodity ransomware that has been observed for sale on forums and used by multiple threat actors. However, Ryuk is only used by GRIM SPIDER and, unlike Hermes, Ryuk has only been used to target enterprise environments. Since Ryuk&#8217;s appearance in August, the threat actors operating it have netted over 705.80 BTC across 52 transactions for a total current value of $3,701,893.98 USD.",
+  "description": "Similar to Samas and BitPaymer, Ryuk is specifically used to target enterprise environments. Code comparison between versions of Ryuk and Hermes ransomware indicates that Ryuk was derived from the Hermes source code and has been under steady development since its release. Hermes is commodity ransomware that has been observed for sale on forums and used by multiple threat actors. However, Ryuk is only used by GRIM SPIDER and, unlike Hermes, Ryuk has only been used to target enterprise environments. Since Ryuk’s appearance in August, the threat actors operating it have netted over 705.80 BTC across 52 transactions for a total current value of $3,701,893.98 USD.",
   "meta": {
     "ransomnotes-filenames": [
       "RyukReadMe.txt"
@@ -587,8 +1461,10 @@
   "uuid": "f9464c80-b776-4f37-8682-ffde0cf8f718",
   "value": "Ryuk ransomware"
 }
-</pre>
-<p id="rfc.section.2.4.p.11">Example use of the payment-method, price fields in the ransomware galaxy:</p>
+</pre><a href="#section-2.4-13" class="pilcrow">¶</a>
+</div>
+<p id="section-2.4-14">Example use of the payment-method, price fields in the ransomware galaxy:<a href="#section-2.4-14" class="pilcrow">¶</a></p>
+<div class="artwork art-text alignLeft" id="section-2.4-15">
 <pre>{
   "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
   "meta": {
@@ -609,9 +1485,11 @@
   "uuid": "4c76c845-c5eb-472c-93a1-4178f86c319b",
   "value": "CryptoMeister Ransomware"
 }
-</pre>
-<p id="rfc.section.2.4.p.12">source-uuid, target-uuid SHALL be used to describe relationships. source-uuid and target-uuid represent the Universally Unique IDentifier (UUID) <a href="#RFC4122" class="xref">[RFC4122]</a> of the value reference. source-uuid and target-uuid MUST be preserved.</p>
-<p id="rfc.section.2.4.p.13">Example use of the source-uuid, target-uuid fields in the mitre-enterprise-attack-relationship galaxy:</p>
+</pre><a href="#section-2.4-15" class="pilcrow">¶</a>
+</div>
+<p id="section-2.4-16">source-uuid, target-uuid <span class="bcp14">SHALL</span> be used to describe relationships. source-uuid and target-uuid represent the Universally Unique IDentifier (UUID) <span>[<a href="#RFC4122" class="xref">RFC4122</a>]</span> of the value reference. source-uuid and target-uuid <span class="bcp14">MUST</span> be preserved.<a href="#section-2.4-16" class="pilcrow">¶</a></p>
+<p id="section-2.4-17">Example use of the source-uuid, target-uuid fields in the mitre-enterprise-attack-relationship galaxy:<a href="#section-2.4-17" class="pilcrow">¶</a></p>
+<div class="artwork art-text alignLeft" id="section-2.4-18">
 <pre>{
   "meta": {
     "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
@@ -620,9 +1498,11 @@
   "uuid": "cfc7da70-d7c5-4508-8f50-1c3107269633",
   "value": "menuPass (G0045) uses EvilGrab (S0152)"
 }
-</pre>
-<p id="rfc.section.2.4.p.14">cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident and cfr-target-category MAY be used to report information gathered from CFR's (Council on Foreign Relations) <a href="#CFR" class="xref">[CFR]</a> Cyber Operations Tracker.  cfr-suspected-victims is represented as an array containing one or more strings and SHALL be present. cfr-suspected-state-sponsor is represented as a string and SHALL be present. cfr-type-of-incident is represented as a string or an array and SHALL be present. RECOMMENDED but not exhaustive list of possible values for cfr-type-of-incident includes "Espionage", "Denial of service", "Sabotage". cfr-target-category is represented as an array containing one or more strings ans SHALL be present. RECOMMENDED but not exhaustive list of possible values for cfr-target-category includes "Private sector", "Government", "Civil society", "Military".</p>
-<p id="rfc.section.2.4.p.15">Example use of the cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-category fields in the threat-actor galaxy:</p>
+</pre><a href="#section-2.4-18" class="pilcrow">¶</a>
+</div>
+<p id="section-2.4-19">cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident and cfr-target-category <span class="bcp14">MAY</span> be used to report information gathered from CFR's (Council on Foreign Relations) <span>[<a href="#CFR" class="xref">CFR</a>]</span> Cyber Operations Tracker.  cfr-suspected-victims is represented as an array containing one or more strings and <span class="bcp14">SHALL</span> be present. cfr-suspected-state-sponsor is represented as a string and <span class="bcp14">SHALL</span> be present. cfr-type-of-incident is represented as a string or an array and <span class="bcp14">SHALL</span> be present. <span class="bcp14">RECOMMENDED</span> but not exhaustive list of possible values for cfr-type-of-incident includes "Espionage", "Denial of service", "Sabotage". cfr-target-category is represented as an array containing one or more strings ans <span class="bcp14">SHALL</span> be present. <span class="bcp14">RECOMMENDED</span> but not exhaustive list of possible values for cfr-target-category includes "Private sector", "Government", "Civil society", "Military".<a href="#section-2.4-19" class="pilcrow">¶</a></p>
+<p id="section-2.4-20">Example use of the cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-category fields in the threat-actor galaxy:<a href="#section-2.4-20" class="pilcrow">¶</a></p>
+<div class="artwork art-text alignLeft" id="section-2.4-21">
 <pre>{
   "meta": {
     "country": "CN",
@@ -644,22 +1524,34 @@
   "value": "APT 16",
   "uuid": "1f73e14f-b882-4032-a565-26dc653b0daf"
 },
-</pre>
-<p id="rfc.section.2.4.p.16">attribution-confidence MAY be used to indicate the confidence about an attribution given by country or cfr-suspected-state-sponsor. attribution-confidence is represented on a scale from 0 to 100, where 50 means "no information", the values under 50 mean "probably not, almost certainly not to impossibility", the values above 50 means "from probable, almost certain to certainty" and SHALL be present if country or cfr-suspected-state-sponsor are present.</p>
+</pre><a href="#section-2.4-21" class="pilcrow">¶</a>
+</div>
+<p id="section-2.4-22">attribution-confidence <span class="bcp14">MAY</span> be used to indicate the confidence about an attribution given by country or cfr-suspected-state-sponsor. attribution-confidence is represented on a scale from 0 to 100, where 50 means "no information", the values under 50 mean "probably not, almost certainly not to impossibility", the values above 50 means "from probable, almost certain to certainty" and <span class="bcp14">SHALL</span> be present if country or cfr-suspected-state-sponsor are present.<a href="#section-2.4-22" class="pilcrow">¶</a></p>
+<div class="artwork art-text alignLeft" id="section-2.4-23">
 <pre>Impossibility        no information          Certainty
                            +
                            |
        +-------------------+------------------&gt;
 
        0                  50                100
-</pre>
-<h1 id="rfc.section.3">
-<a href="#rfc.section.3">3.</a> <a href="#json-schema" id="json-schema">JSON Schema</a>
-</h1>
-<p id="rfc.section.3.p.1">The JSON Schema <a href="#JSON-SCHEMA" class="xref">[JSON-SCHEMA]</a> below defines the overall MISP galaxy formats. The main format is the MISP galaxy format used for the clusters.</p>
-<h1 id="rfc.section.3.1">
-<a href="#rfc.section.3.1">3.1.</a> <a href="#misp-galaxy-format-galaxy" id="misp-galaxy-format-galaxy">MISP galaxy format - galaxy</a>
-</h1>
+</pre><a href="#section-2.4-23" class="pilcrow">¶</a>
+</div>
+</section>
+</div>
+</section>
+</div>
+<div id="json-schema">
+<section id="section-3">
+      <h2 id="name-json-schema">
+<a href="#section-3" class="section-number selfRef">3. </a><a href="#name-json-schema" class="section-name selfRef">JSON Schema</a>
+      </h2>
+<p id="section-3-1">The JSON Schema <span>[<a href="#JSON-SCHEMA" class="xref">JSON-SCHEMA</a>]</span> below defines the overall MISP galaxy formats. The main format is the MISP galaxy format used for the clusters.<a href="#section-3-1" class="pilcrow">¶</a></p>
+<div id="misp-galaxy-format-galaxy">
+<section id="section-3.1">
+        <h3 id="name-misp-galaxy-format-galaxy">
+<a href="#section-3.1" class="section-number selfRef">3.1. </a><a href="#name-misp-galaxy-format-galaxy" class="section-name selfRef">MISP galaxy format - galaxy</a>
+        </h3>
+<div class="artwork art-text alignLeft" id="section-3.1-1">
 <pre>{
   "$schema": "http://json-schema.org/schema#",
   "title": "Validator for misp-galaxies - Galaxies",
@@ -700,10 +1592,16 @@
     "uuid"
   ]
 }
-</pre>
-<h1 id="rfc.section.3.2">
-<a href="#rfc.section.3.2">3.2.</a> <a href="#misp-galaxy-format-clusters" id="misp-galaxy-format-clusters">MISP galaxy format - clusters</a>
-</h1>
+</pre><a href="#section-3.1-1" class="pilcrow">¶</a>
+</div>
+</section>
+</div>
+<div id="misp-galaxy-format-clusters">
+<section id="section-3.2">
+        <h3 id="name-misp-galaxy-format-clusters">
+<a href="#section-3.2" class="section-number selfRef">3.2. </a><a href="#name-misp-galaxy-format-clusters" class="section-name selfRef">MISP galaxy format - clusters</a>
+        </h3>
+<div class="artwork art-text alignLeft" id="section-3.2-1">
 <pre>{
   "$schema": "http://json-schema.org/schema#",
   "title": "Validator for misp-galaxies - Clusters",
@@ -867,140 +1765,133 @@
     "category
   ]
 }
-</pre>
-<h1 id="rfc.section.4">
-<a href="#rfc.section.4">4.</a> <a href="#acknowledgements" id="acknowledgements">Acknowledgements</a>
-</h1>
-<p id="rfc.section.4.p.1">The authors wish to thank all the MISP community who are supporting the creation of open standards in threat intelligence sharing.</p>
-<h1 id="rfc.references">
-<a href="#rfc.references">5.</a> References</h1>
-<h1 id="rfc.references.1">
-<a href="#rfc.references.1">5.1.</a> Normative References</h1>
-<table><tbody>
-<tr>
-<td class="reference"><b id="RFC2119">[RFC2119]</b></td>
-<td class="top">
-<a>Bradner, S.</a>, "<a href="https://tools.ietf.org/html/rfc2119">Key words for use in RFCs to Indicate Requirement Levels</a>", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.</td>
-</tr>
-<tr>
-<td class="reference"><b id="RFC4122">[RFC4122]</b></td>
-<td class="top">
-<a>Leach, P.</a>, <a>Mealling, M.</a> and <a>R. Salz</a>, "<a href="https://tools.ietf.org/html/rfc4122">A Universally Unique IDentifier (UUID) URN Namespace</a>", RFC 4122, DOI 10.17487/RFC4122, July 2005.</td>
-</tr>
-<tr>
-<td class="reference"><b id="RFC8259">[RFC8259]</b></td>
-<td class="top">
-<a>Bray, T.</a>, "<a href="https://tools.ietf.org/html/rfc8259">The JavaScript Object Notation (JSON) Data Interchange Format</a>", STD 90, RFC 8259, DOI 10.17487/RFC8259, December 2017.</td>
-</tr>
-</tbody></table>
-<h1 id="rfc.references.2">
-<a href="#rfc.references.2">5.2.</a> Informative References</h1>
-<table><tbody>
-<tr>
-<td class="reference"><b id="CFR">[CFR]</b></td>
-<td class="top">
-<a>Relations, C. O. F.</a>, "<a href="https://www.cfr.org/interactive/cyber-operations">Cyber Operations Tracker - Council on Foreign Relations</a>", 2018.</td>
-</tr>
-<tr>
-<td class="reference"><b id="JSON-SCHEMA">[JSON-SCHEMA]</b></td>
-<td class="top">
-<a>Wright, A.</a>, "<a href="https://tools.ietf.org/html/draft-wright-json-schema">JSON Schema: A Media Type for Describing JSON Documents</a>", 2016.</td>
-</tr>
-<tr>
-<td class="reference"><b id="MISP-G">[MISP-G]</b></td>
-<td class="top">
-<a>Community, M.</a>, "<a href="https://github.com/MISP/misp-galaxy">MISP Galaxy - Public Repository</a>"</td>
-</tr>
-<tr>
-<td class="reference"><b id="MISP-G-DOC">[MISP-G-DOC]</b></td>
-<td class="top">
-<a>Community, M.</a>, "<a href="https://www.misp-project.org/galaxy.html">MISP Galaxy - Documentation of the Public Repository</a>"</td>
-</tr>
-<tr>
-<td class="reference"><b id="MISP-P">[MISP-P]</b></td>
-<td class="top">
-<a>Community, M.</a>, "<a href="https://github.com/MISP">MISP Project - Malware Information Sharing Platform and Threat Sharing</a>"</td>
-</tr>
-<tr>
-<td class="reference"><b id="MISP-R">[MISP-R]</b></td>
-<td class="top">
-<a>Community, M.</a>, "<a href="https://github.com/MISP/misp-objects/tree/master/relationships">MISP Object Relationship Types - common vocabulary of relationships</a>"</td>
-</tr>
-</tbody></table>
-<h1 id="rfc.authors"><a href="#rfc.authors">Authors' Addresses</a></h1>
-<div class="avoidbreak">
-  <address class="vcard">
-	<span class="vcardline">
-	  <span class="fn">Alexandre Dulaunoy</span> 
-	  <span class="n hidden">
-		<span class="family-name">Dulaunoy</span>
-	  </span>
-	</span>
-	<span class="org vcardline">Computer Incident Response Center Luxembourg</span>
-	<span class="adr">
-	  <span class="vcardline">16, bd d'Avranches</span>
-
-	  <span class="vcardline">
-		<span class="locality">Luxembourg</span>,  
-		<span class="region"></span>
-		<span class="code">L-1611</span>
-	  </span>
-	  <span class="country-name vcardline">Luxembourg</span>
-	</span>
-	<span class="vcardline">Phone: +352 247 88444</span>
-
-<span class="vcardline">EMail: <a href="mailto:alexandre.dulaunoy@circl.lu">alexandre.dulaunoy@circl.lu</a></span>
-
-  </address>
-</div><div class="avoidbreak">
-  <address class="vcard">
-	<span class="vcardline">
-	  <span class="fn">Andras Iklody</span> 
-	  <span class="n hidden">
-		<span class="family-name">Iklody</span>
-	  </span>
-	</span>
-	<span class="org vcardline">Computer Incident Response Center Luxembourg</span>
-	<span class="adr">
-	  <span class="vcardline">16, bd d'Avranches</span>
-
-	  <span class="vcardline">
-		<span class="locality">Luxembourg</span>,  
-		<span class="region"></span>
-		<span class="code">L-1611</span>
-	  </span>
-	  <span class="country-name vcardline">Luxembourg</span>
-	</span>
-	<span class="vcardline">Phone: +352 247 88444</span>
-
-<span class="vcardline">EMail: <a href="mailto:andras.iklody@circl.lu">andras.iklody@circl.lu</a></span>
-
-  </address>
-</div><div class="avoidbreak">
-  <address class="vcard">
-	<span class="vcardline">
-	  <span class="fn">Deborah Servili</span> 
-	  <span class="n hidden">
-		<span class="family-name">Servili</span>
-	  </span>
-	</span>
-	<span class="org vcardline">Computer Incident Response Center Luxembourg</span>
-	<span class="adr">
-	  <span class="vcardline">16, bd d'Avranches</span>
-
-	  <span class="vcardline">
-		<span class="locality">Luxembourg</span>,  
-		<span class="region"></span>
-		<span class="code">L-1611</span>
-	  </span>
-	  <span class="country-name vcardline">Luxembourg</span>
-	</span>
-	<span class="vcardline">Phone: +352 247 88444</span>
-
-<span class="vcardline">EMail: <a href="mailto:deborah.servili@circl.lu">deborah.servili@circl.lu</a></span>
-
-  </address>
+</pre><a href="#section-3.2-1" class="pilcrow">¶</a>
 </div>
-
+</section>
+</div>
+</section>
+</div>
+<div id="acknowledgements">
+<section id="section-4">
+      <h2 id="name-acknowledgements">
+<a href="#section-4" class="section-number selfRef">4. </a><a href="#name-acknowledgements" class="section-name selfRef">Acknowledgements</a>
+      </h2>
+<p id="section-4-1">The authors wish to thank all the MISP community who are supporting the creation
+of open standards in threat intelligence sharing.<a href="#section-4-1" class="pilcrow">¶</a></p>
+</section>
+</div>
+<section id="section-5">
+      <h2 id="name-normative-references">
+<a href="#section-5" class="section-number selfRef">5. </a><a href="#name-normative-references" class="section-name selfRef">Normative References</a>
+      </h2>
+<dl class="references">
+<dt id="RFC2119">[RFC2119]</dt>
+      <dd>
+<span class="refAuthor">Bradner, S.</span>, <span class="refTitle">"Key words for use in RFCs to Indicate Requirement Levels"</span>, <span class="seriesInfo">BCP 14</span>, <span class="seriesInfo">RFC 2119</span>, <span class="seriesInfo">DOI 10.17487/RFC2119</span>, <time datetime="1997-03" class="refDate">March 1997</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc2119">https://www.rfc-editor.org/info/rfc2119</a>&gt;</span>. </dd>
+<dd class="break"></dd>
+<dt id="RFC4122">[RFC4122]</dt>
+      <dd>
+<span class="refAuthor">Leach, P.</span>, <span class="refAuthor">Mealling, M.</span>, and <span class="refAuthor">R. Salz</span>, <span class="refTitle">"A Universally Unique IDentifier (UUID) URN Namespace"</span>, <span class="seriesInfo">RFC 4122</span>, <span class="seriesInfo">DOI 10.17487/RFC4122</span>, <time datetime="2005-07" class="refDate">July 2005</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc4122">https://www.rfc-editor.org/info/rfc4122</a>&gt;</span>. </dd>
+<dd class="break"></dd>
+<dt id="RFC8259">[RFC8259]</dt>
+    <dd>
+<span class="refAuthor">Bray, T., Ed.</span>, <span class="refTitle">"The JavaScript Object Notation (JSON) Data Interchange Format"</span>, <span class="seriesInfo">STD 90</span>, <span class="seriesInfo">RFC 8259</span>, <span class="seriesInfo">DOI 10.17487/RFC8259</span>, <time datetime="2017-12" class="refDate">December 2017</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc8259">https://www.rfc-editor.org/info/rfc8259</a>&gt;</span>. </dd>
+<dd class="break"></dd>
+</dl>
+</section>
+<section id="section-6">
+      <h2 id="name-informative-references">
+<a href="#section-6" class="section-number selfRef">6. </a><a href="#name-informative-references" class="section-name selfRef">Informative References</a>
+      </h2>
+<dl class="references">
+<dt id="CFR">[CFR]</dt>
+      <dd>
+<span class="refAuthor">Relations, C. O. F.</span>, <span class="refTitle">"Cyber Operations Tracker - Council on Foreign Relations"</span>, <span class="refContent"></span>, <time datetime="2018" class="refDate">2018</time>, <span>&lt;<a href="https://www.cfr.org/interactive/cyber-operations">https://www.cfr.org/interactive/cyber-operations</a>&gt;</span>. </dd>
+<dd class="break"></dd>
+<dt id="JSON-SCHEMA">[JSON-SCHEMA]</dt>
+      <dd>
+<span class="refAuthor">Wright, A.</span>, <span class="refTitle">"JSON Schema: A Media Type for Describing JSON Documents"</span>, <span class="refContent"></span>, <time datetime="2016" class="refDate">2016</time>, <span>&lt;<a href="https://tools.ietf.org/html/draft-wright-json-schema">https://tools.ietf.org/html/draft-wright-json-schema</a>&gt;</span>. </dd>
+<dd class="break"></dd>
+<dt id="MISP-G">[MISP-G]</dt>
+      <dd>
+<span class="refAuthor">Community, M.</span>, <span class="refTitle">"MISP Galaxy - Public Repository"</span>, <span class="refContent"></span>, <span>&lt;<a href="https://github.com/MISP/misp-galaxy">https://github.com/MISP/misp-galaxy</a>&gt;</span>. </dd>
+<dd class="break"></dd>
+<dt id="MISP-G-DOC">[MISP-G-DOC]</dt>
+      <dd>
+<span class="refAuthor">Community, M.</span>, <span class="refTitle">"MISP Galaxy - Documentation of the Public Repository"</span>, <span class="refContent"></span>, <span>&lt;<a href="https://www.misp-project.org/galaxy.html">https://www.misp-project.org/galaxy.html</a>&gt;</span>. </dd>
+<dd class="break"></dd>
+<dt id="MISP-P">[MISP-P]</dt>
+      <dd>
+<span class="refAuthor">Community, M.</span>, <span class="refTitle">"MISP Project - Malware Information Sharing Platform and Threat Sharing"</span>, <span class="refContent"></span>, <span>&lt;<a href="https://github.com/MISP">https://github.com/MISP</a>&gt;</span>. </dd>
+<dd class="break"></dd>
+<dt id="MISP-R">[MISP-R]</dt>
+    <dd>
+<span class="refAuthor">Community, M.</span>, <span class="refTitle">"MISP Object Relationship Types - common vocabulary of relationships"</span>, <span class="refContent"></span>, <span>&lt;<a href="https://github.com/MISP/misp-objects/tree/master/relationships">https://github.com/MISP/misp-objects/tree/master/relationships</a>&gt;</span>. </dd>
+<dd class="break"></dd>
+</dl>
+</section>
+<div id="authors-addresses">
+<section id="appendix-A">
+      <h2 id="name-authors-addresses">
+<a href="#name-authors-addresses" class="section-name selfRef">Authors' Addresses</a>
+      </h2>
+<address class="vcard">
+        <div dir="auto" class="left"><span class="fn nameRole">Alexandre Dulaunoy</span></div>
+<div dir="auto" class="left"><span class="org">Computer Incident Response Center Luxembourg</span></div>
+<div dir="auto" class="left"><span class="street-address">16, bd d'Avranches</span></div>
+<div dir="auto" class="left">L-<span class="postal-code">L-1611</span> <span class="locality">Luxembourg</span>
+</div>
+<div dir="auto" class="left"><span class="country-name">Luxembourg</span></div>
+<div class="tel">
+<span>Phone:</span>
+<a href="tel:+352%20247%2088444" class="tel">+352 247 88444</a>
+</div>
+<div class="email">
+<span>Email:</span>
+<a href="mailto:alexandre.dulaunoy@circl.lu" class="email">alexandre.dulaunoy@circl.lu</a>
+</div>
+</address>
+<address class="vcard">
+        <div dir="auto" class="left"><span class="fn nameRole">Andras Iklody</span></div>
+<div dir="auto" class="left"><span class="org">Computer Incident Response Center Luxembourg</span></div>
+<div dir="auto" class="left"><span class="street-address">16, bd d'Avranches</span></div>
+<div dir="auto" class="left">L-<span class="postal-code">L-1611</span> <span class="locality">Luxembourg</span>
+</div>
+<div dir="auto" class="left"><span class="country-name">Luxembourg</span></div>
+<div class="tel">
+<span>Phone:</span>
+<a href="tel:+352%20247%2088444" class="tel">+352 247 88444</a>
+</div>
+<div class="email">
+<span>Email:</span>
+<a href="mailto:andras.iklody@circl.lu" class="email">andras.iklody@circl.lu</a>
+</div>
+</address>
+<address class="vcard">
+        <div dir="auto" class="left"><span class="fn nameRole">Deborah Servili</span></div>
+<div dir="auto" class="left"><span class="org">Computer Incident Response Center Luxembourg</span></div>
+<div dir="auto" class="left"><span class="street-address">16, bd d'Avranches</span></div>
+<div dir="auto" class="left">L-<span class="postal-code">L-1611</span> <span class="locality">Luxembourg</span>
+</div>
+<div dir="auto" class="left"><span class="country-name">Luxembourg</span></div>
+<div class="tel">
+<span>Phone:</span>
+<a href="tel:+352%20247%2088444" class="tel">+352 247 88444</a>
+</div>
+<div class="email">
+<span>Email:</span>
+<a href="mailto:deborah.servili@circl.lu" class="email">deborah.servili@circl.lu</a>
+</div>
+</address>
+</section>
+</div>
+<script>const toc = document.getElementById("toc");
+toc.querySelector("h2").addEventListener("click", e => {
+  toc.classList.toggle("active");
+});
+toc.querySelector("nav").addEventListener("click", e => {
+  toc.classList.remove("active");
+});
+</script>
 </body>
 </html>
diff --git a/rfc/misp-standard-galaxy-format.txt b/rfc/misp-standard-galaxy-format.txt
index 7a09ab0..619b131 100644
--- a/rfc/misp-standard-galaxy-format.txt
+++ b/rfc/misp-standard-galaxy-format.txt
@@ -4,12 +4,13 @@
 
 Network Working Group                                        A. Dulaunoy
 Internet-Draft                                                 A. Iklody
-Expires: April 6, 2020                                        D. Servili
-                                                                   CIRCL
-                                                         October 4, 2019
+Intended status: Informational                                D. Servili
+Expires: 25 May 2022                                               CIRCL
+                                                        21 November 2021
 
 
                            MISP galaxy format
+                                draft-00
 
 Abstract
 
@@ -37,36 +38,31 @@ Status of This Memo
    time.  It is inappropriate to use Internet-Drafts as reference
    material or to cite them other than as "work in progress."
 
-   This Internet-Draft will expire on April 6, 2020.
+   This Internet-Draft will expire on 25 May 2022.
 
 Copyright Notice
 
-   Copyright (c) 2019 IETF Trust and the persons identified as the
+   Copyright (c) 2021 IETF Trust and the persons identified as the
    document authors.  All rights reserved.
 
    This document is subject to BCP 78 and the IETF Trust's Legal
-   Provisions Relating to IETF Documents
-   (https://trustee.ietf.org/license-info) in effect on the date of
-   publication of this document.  Please review these documents
-   carefully, as they describe your rights and restrictions with respect
-   to this document.  Code Components extracted from this document must
+   Provisions Relating to IETF Documents (https://trustee.ietf.org/
+   license-info) in effect on the date of publication of this document.
+   Please review these documents carefully, as they describe your rights
+   and restrictions with respect to this document.
 
 
 
-Dulaunoy, et al.          Expires April 6, 2020                 [Page 1]
+Dulaunoy, et al.           Expires 25 May 2022                  [Page 1]
 
-Internet-Draft             MISP galaxy format               October 2019
+Internet-Draft             MISP galaxy format              November 2021
 
 
-   include Simplified BSD License text as described in Section 4.e of
-   the Trust Legal Provisions and are provided without warranty as
-   described in the Simplified BSD License.
-
 Table of Contents
 
    1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
      1.1.  Conventions and Terminology . . . . . . . . . . . . . . .   2
-   2.  Format  . . . . . . . . . . . . . . . . . . . . . . . . . . .   3
+   2.  Format  . . . . . . . . . . . . . . . . . . . . . . . . . . .   2
      2.1.  Overview  . . . . . . . . . . . . . . . . . . . . . . . .   3
      2.2.  values  . . . . . . . . . . . . . . . . . . . . . . . . .   3
      2.3.  related . . . . . . . . . . . . . . . . . . . . . . . . .   3
@@ -75,9 +71,8 @@ Table of Contents
      3.1.  MISP galaxy format - galaxy . . . . . . . . . . . . . . .   9
      3.2.  MISP galaxy format - clusters . . . . . . . . . . . . . .  10
    4.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  14
-   5.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  14
-     5.1.  Normative References  . . . . . . . . . . . . . . . . . .  14
-     5.2.  Informative References  . . . . . . . . . . . . . . . . .  14
+   5.  Normative References  . . . . . . . . . . . . . . . . . . . .  14
+   6.  Informative References  . . . . . . . . . . . . . . . . . . .  14
    Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  15
 
 1.  Introduction
@@ -104,16 +99,6 @@ Table of Contents
    "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
    document are to be interpreted as described in RFC 2119 [RFC2119].
 
-
-
-
-
-
-Dulaunoy, et al.          Expires April 6, 2020                 [Page 2]
-
-Internet-Draft             MISP galaxy format               October 2019
-
-
 2.  Format
 
    A cluster is composed of a value (MUST), a description (OPTIONAL) and
@@ -121,6 +106,14 @@ Internet-Draft             MISP galaxy format               October 2019
 
    Clusters are represented as a JSON [RFC8259] dictionary.
 
+
+
+
+Dulaunoy, et al.           Expires 25 May 2022                  [Page 2]
+
+Internet-Draft             MISP galaxy format              November 2021
+
+
 2.1.  Overview
 
    The MISP galaxy format uses the JSON [RFC8259] format.  Each galaxy
@@ -162,14 +155,6 @@ Internet-Draft             MISP galaxy format               October 2019
    Related contains a list of JSON key value pairs which describe the
    related values in this galaxy cluster or to other galaxy clusters.
    The JSON object contains three fields, dest-uuid, type and tags.  The
-
-
-
-Dulaunoy, et al.          Expires April 6, 2020                 [Page 3]
-
-Internet-Draft             MISP galaxy format               October 2019
-
-
    dest-uuid represents the target UUID which encompasses a relation of
    some type.  The dest-uuid is represented as a string and MUST be
    present.  The type is represented as a string and MUST be present and
@@ -177,6 +162,14 @@ Internet-Draft             MISP galaxy format               October 2019
    objects [MISP-R].  The tags is a list of string which labels the
    related relationship such as the level of similarities, level of
    certainty, trust or confidence in the relationship, false-positive.
+
+
+
+Dulaunoy, et al.           Expires 25 May 2022                  [Page 3]
+
+Internet-Draft             MISP galaxy format              November 2021
+
+
    A tag is represented in machine tag format which is a string an
    SHOULD be present.
 
@@ -218,14 +211,6 @@ Internet-Draft             MISP galaxy format               October 2019
    field is described as an RGB colour fill in hexadecimal
    representation.
 
-
-
-
-Dulaunoy, et al.          Expires April 6, 2020                 [Page 4]
-
-Internet-Draft             MISP galaxy format               October 2019
-
-
    complexity, effectiveness, impact, possible_issues MAY be used to
    give further information in preventive-measure galaxy. complexity is
    represented by an enumerated value from a fixed vocabulary and SHALL
@@ -234,6 +219,13 @@ Internet-Draft             MISP galaxy format               October 2019
    enumerated value from a fixed vocabulary and SHALL be present.
    possible_issues is represented as a string and SHOULD be present.
 
+
+
+Dulaunoy, et al.           Expires 25 May 2022                  [Page 4]
+
+Internet-Draft             MISP galaxy format              November 2021
+
+
    Example use of the complexity, effectiveness, impact, possible_issues
    fields in the preventive-measure galaxy:
 
@@ -277,9 +269,17 @@ Internet-Draft             MISP galaxy format               October 2019
 
 
 
-Dulaunoy, et al.          Expires April 6, 2020                 [Page 5]
+
+
+
+
+
+
+
+
+Dulaunoy, et al.           Expires 25 May 2022                  [Page 5]
 
-Internet-Draft             MISP galaxy format               October 2019
+Internet-Draft             MISP galaxy format              November 2021
 
 
    {
@@ -333,13 +333,13 @@ Internet-Draft             MISP galaxy format               October 2019
 
 
 
-Dulaunoy, et al.          Expires April 6, 2020                 [Page 6]
+Dulaunoy, et al.           Expires 25 May 2022                  [Page 6]
 
-Internet-Draft             MISP galaxy format               October 2019
+Internet-Draft             MISP galaxy format              November 2021
 
 
 {
-  "description": "Similar to Samas and BitPaymer, Ryuk is specifically used to target enterprise environments. Code comparison between versions of Ryuk and Hermes ransomware indicates that Ryuk was derived from the Hermes source code and has been under steady development since its release. Hermes is commodity ransomware that has been observed for sale on forums and used by multiple threat actors. However, Ryuk is only used by GRIM SPIDER and, unlike Hermes, Ryuk has only been used to target enterprise environments. Since Ryuk's appearance in August, the threat actors operating it have netted over 705.80 BTC across 52 transactions for a total current value of $3,701,893.98 USD.",
+  "description": "Similar to Samas and BitPaymer, Ryuk is specifically used to target enterprise environments. Code comparison between versions of Ryuk and Hermes ransomware indicates that Ryuk was derived from the Hermes source code and has been under steady development since its release. Hermes is commodity ransomware that has been observed for sale on forums and used by multiple threat actors. However, Ryuk is only used by GRIM SPIDER and, unlike Hermes, Ryuk has only been used to target enterprise environments. Since Ryuk’s appearance in August, the threat actors operating it have netted over 705.80 BTC across 52 transactions for a total current value of $3,701,893.98 USD.",
   "meta": {
     "ransomnotes-filenames": [
       "RyukReadMe.txt"
@@ -389,9 +389,9 @@ Internet-Draft             MISP galaxy format               October 2019
 
 
 
-Dulaunoy, et al.          Expires April 6, 2020                 [Page 7]
+Dulaunoy, et al.           Expires 25 May 2022                  [Page 7]
 
-Internet-Draft             MISP galaxy format               October 2019
+Internet-Draft             MISP galaxy format              November 2021
 
 
    Example use of the source-uuid, target-uuid fields in the mitre-
@@ -445,9 +445,9 @@ Internet-Draft             MISP galaxy format               October 2019
 
 
 
-Dulaunoy, et al.          Expires April 6, 2020                 [Page 8]
+Dulaunoy, et al.           Expires 25 May 2022                  [Page 8]
 
-Internet-Draft             MISP galaxy format               October 2019
+Internet-Draft             MISP galaxy format              November 2021
 
 
 {
@@ -501,9 +501,9 @@ Internet-Draft             MISP galaxy format               October 2019
 
 
 
-Dulaunoy, et al.          Expires April 6, 2020                 [Page 9]
+Dulaunoy, et al.           Expires 25 May 2022                  [Page 9]
 
-Internet-Draft             MISP galaxy format               October 2019
+Internet-Draft             MISP galaxy format              November 2021
 
 
 {
@@ -549,19 +549,24 @@ Internet-Draft             MISP galaxy format               October 2019
 
 3.2.  MISP galaxy format - clusters
 
+
+
+
+
+
+
+
+
+Dulaunoy, et al.           Expires 25 May 2022                 [Page 10]
+
+Internet-Draft             MISP galaxy format              November 2021
+
+
 {
   "$schema": "http://json-schema.org/schema#",
   "title": "Validator for misp-galaxies - Clusters",
   "id": "https://www.github.com/MISP/misp-galaxies/schema_clusters.json",
   "type": "object",
-
-
-
-Dulaunoy, et al.          Expires April 6, 2020                [Page 10]
-
-Internet-Draft             MISP galaxy format               October 2019
-
-
   "additionalProperties": false,
   "properties": {
     "description": {
@@ -605,19 +610,19 @@ Internet-Draft             MISP galaxy format               October 2019
             "type": "array",
             "additionalProperties": false,
             "items": {
+
+
+
+Dulaunoy, et al.           Expires 25 May 2022                 [Page 11]
+
+Internet-Draft             MISP galaxy format              November 2021
+
+
               "type": "object"
             },
             "properties": {
               "dest-uuid": {
                 "type": "string"
-
-
-
-Dulaunoy, et al.          Expires April 6, 2020                [Page 11]
-
-Internet-Draft             MISP galaxy format               October 2019
-
-
               },
               "type": {
                 "type": "string"
@@ -661,19 +666,19 @@ Internet-Draft             MISP galaxy format               October 2019
                 "type": "string"
               },
               "impact": {
+
+
+
+Dulaunoy, et al.           Expires 25 May 2022                 [Page 12]
+
+Internet-Draft             MISP galaxy format              November 2021
+
+
                 "type": "string"
               },
               "refs": {
                 "type": "array",
                 "uniqueItems": true,
-
-
-
-Dulaunoy, et al.          Expires April 6, 2020                [Page 12]
-
-Internet-Draft             MISP galaxy format               October 2019
-
-
                 "items": {
                   "type": "string"
                 }
@@ -717,19 +722,19 @@ Internet-Draft             MISP galaxy format               October 2019
       }
     },
     "authors": {
+
+
+
+Dulaunoy, et al.           Expires 25 May 2022                 [Page 13]
+
+Internet-Draft             MISP galaxy format              November 2021
+
+
       "type": "array",
       "uniqueItems": true,
       "items": {
         "type": "string"
       }
-
-
-
-Dulaunoy, et al.          Expires April 6, 2020                [Page 13]
-
-Internet-Draft             MISP galaxy format               October 2019
-
-
     }
   },
   "required": [
@@ -750,9 +755,7 @@ Internet-Draft             MISP galaxy format               October 2019
    The authors wish to thank all the MISP community who are supporting
    the creation of open standards in threat intelligence sharing.
 
-5.  References
-
-5.1.  Normative References
+5.  Normative References
 
    [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
               Requirement Levels", BCP 14, RFC 2119,
@@ -769,7 +772,7 @@ Internet-Draft             MISP galaxy format               October 2019
               DOI 10.17487/RFC8259, December 2017,
               <https://www.rfc-editor.org/info/rfc8259>.
 
-5.2.  Informative References
+6.  Informative References
 
    [CFR]      Relations, C. O. F., "Cyber Operations Tracker - Council
               on Foreign Relations", 2018,
@@ -778,12 +781,9 @@ Internet-Draft             MISP galaxy format               October 2019
 
 
 
-
-
-
-Dulaunoy, et al.          Expires April 6, 2020                [Page 14]
+Dulaunoy, et al.           Expires 25 May 2022                 [Page 14]
 
-Internet-Draft             MISP galaxy format               October 2019
+Internet-Draft             MISP galaxy format              November 2021
 
 
    [JSON-SCHEMA]
@@ -810,7 +810,7 @@ Authors' Addresses
    Alexandre Dulaunoy
    Computer Incident Response Center Luxembourg
    16, bd d'Avranches
-   Luxembourg  L-1611
+   L-L-1611 Luxembourg
    Luxembourg
 
    Phone: +352 247 88444
@@ -820,35 +820,28 @@ Authors' Addresses
    Andras Iklody
    Computer Incident Response Center Luxembourg
    16, bd d'Avranches
-   Luxembourg  L-1611
+   L-L-1611 Luxembourg
    Luxembourg
 
    Phone: +352 247 88444
    Email: andras.iklody@circl.lu
 
 
-
-
-
-
-
-
-
-
-
-
-Dulaunoy, et al.          Expires April 6, 2020                [Page 15]
-
-Internet-Draft             MISP galaxy format               October 2019
-
-
    Deborah Servili
    Computer Incident Response Center Luxembourg
    16, bd d'Avranches
-   Luxembourg  L-1611
+   L-L-1611 Luxembourg
    Luxembourg
 
    Phone: +352 247 88444
+
+
+
+Dulaunoy, et al.           Expires 25 May 2022                 [Page 15]
+
+Internet-Draft             MISP galaxy format              November 2021
+
+
    Email: deborah.servili@circl.lu
 
 
@@ -893,4 +886,11 @@ Internet-Draft             MISP galaxy format               October 2019
 
 
 
-Dulaunoy, et al.          Expires April 6, 2020                [Page 16]
+
+
+
+
+
+
+
+Dulaunoy, et al.           Expires 25 May 2022                 [Page 16]
diff --git a/rfc/misp-standard-object-template-format.html b/rfc/misp-standard-object-template-format.html
index c814517..1da2cfe 100644
--- a/rfc/misp-standard-object-template-format.html
+++ b/rfc/misp-standard-object-template-format.html
@@ -1,591 +1,1518 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" 
-  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<!DOCTYPE html>
+<html lang="en" class="Internet-Draft">
+<head>
+<meta charset="utf-8">
+<meta content="Common,Latin" name="scripts">
+<meta content="initial-scale=1.0" name="viewport">
+<title>MISP object template format</title>
+<meta content="Alexandre Dulaunoy" name="author">
+<meta content="Andras Iklody" name="author">
+<meta content="
+       This document describes the MISP object template format which describes a simple JSON format to represent the various templates used to construct MISP objects. A public directory of common vocabularies MISP object templates   is available and relies on the MISP object reference format. 
+    " name="description">
+<meta content="xml2rfc 3.9.1" name="generator">
+<meta content="draft-00" name="ietf.draft">
+<!-- Generator version information:
+  xml2rfc 3.9.1
+    Python 3.6.9
+    appdirs 1.4.4
+    ConfigArgParse 1.5.2
+    google-i18n-address 2.3.5
+    html5lib 1.0.1
+    intervaltree 2.1.0
+    Jinja2 2.11.2
+    kitchen 1.2.6
+    lxml 4.6.3
+    pycairo 1.16.2
+    pycountry 18.12.8
+    pyflakes 2.1.1
+    PyYAML 5.4.1
+    requests 2.25.1
+    setuptools 57.1.0
+    six 1.15.0
+    WeasyPrint 48
+-->
+<link href="misp-standard-object-template-format.xml" rel="alternate" type="application/rfc+xml">
+<link href="#copyright" rel="license">
+<style type="text/css">/*
 
-<html lang="en" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
-<head profile="http://www.w3.org/2006/03/hcard http://dublincore.org/documents/2008/08/04/dc-html/">
-  <meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
+  NOTE: Changes at the bottom of this file overrides some earlier settings.
 
-  <title>MISP object template format</title>
+  Once the style has stabilized and has been adopted as an official RFC style,
+  this can be consolidated so that style settings occur only in one place, but
+  for now the contents of this file consists first of the initial CSS work as
+  provided to the RFC Formatter (xml2rfc) work, followed by itemized and
+  commented changes found necssary during the development of the v3
+  formatters.
 
-  <style type="text/css" title="Xml2Rfc (sans serif)">
-  /*<![CDATA[*/
-	  a {
-	  text-decoration: none;
-	  }
-      /* info code from SantaKlauss at http://www.madaboutstyle.com/tooltip2.html */
-      a.info {
-          /* This is the key. */
-          position: relative;
-          z-index: 24;
-          text-decoration: none;
-      }
-      a.info:hover {
-          z-index: 25;
-          color: #FFF; background-color: #900;
-      }
-      a.info span { display: none; }
-      a.info:hover span.info {
-          /* The span will display just on :hover state. */
-          display: block;
-          position: absolute;
-          font-size: smaller;
-          top: 2em; left: -5em; width: 15em;
-          padding: 2px; border: 1px solid #333;
-          color: #900; background-color: #EEE;
-          text-align: left;
-      }
-	  a.smpl {
-	  color: black;
-	  }
-	  a:hover {
-	  text-decoration: underline;
-	  }
-	  a:active {
-	  text-decoration: underline;
-	  }
-	  address {
-	  margin-top: 1em;
-	  margin-left: 2em;
-	  font-style: normal;
-	  }
-	  body {
-	  color: black;
-	  font-family: verdana, helvetica, arial, sans-serif;
-	  font-size: 10pt;
-	  max-width: 55em;
-	  
-	  }
-	  cite {
-	  font-style: normal;
-	  }
-	  dd {
-	  margin-right: 2em;
-	  }
-	  dl {
-	  margin-left: 2em;
-	  }
-	
-	  ul.empty {
-	  list-style-type: none;
-	  }
-	  ul.empty li {
-	  margin-top: .5em;
-	  }
-	  dl p {
-	  margin-left: 0em;
-	  }
-	  dt {
-	  margin-top: .5em;
-	  }
-	  h1 {
-	  font-size: 14pt;
-	  line-height: 21pt;
-	  page-break-after: avoid;
-	  }
-	  h1.np {
-	  page-break-before: always;
-	  }
-	  h1 a {
-	  color: #333333;
-	  }
-	  h2 {
-	  font-size: 12pt;
-	  line-height: 15pt;
-	  page-break-after: avoid;
-	  }
-	  h3, h4, h5, h6 {
-	  font-size: 10pt;
-	  page-break-after: avoid;
-	  }
-	  h2 a, h3 a, h4 a, h5 a, h6 a {
-	  color: black;
-	  }
-	  img {
-	  margin-left: 3em;
-	  }
-	  li {
-	  margin-left: 2em;
-	  margin-right: 2em;
-	  }
-	  ol {
-	  margin-left: 2em;
-	  margin-right: 2em;
-	  }
-	  ol p {
-	  margin-left: 0em;
-	  }
-	  p {
-	  margin-left: 2em;
-	  margin-right: 2em;
-	  }
-	  pre {
-	  margin-left: 3em;
-	  background-color: lightyellow;
-	  padding: .25em;
-	  }
-	  pre.text2 {
-	  border-style: dotted;
-	  border-width: 1px;
-	  background-color: #f0f0f0;
-	  width: 69em;
-	  }
-	  pre.inline {
-	  background-color: white;
-	  padding: 0em;
-	  }
-	  pre.text {
-	  border-style: dotted;
-	  border-width: 1px;
-	  background-color: #f8f8f8;
-	  width: 69em;
-	  }
-	  pre.drawing {
-	  border-style: solid;
-	  border-width: 1px;
-	  background-color: #f8f8f8;
-	  padding: 2em;
-	  }
-	  table {
-	  margin-left: 2em;
-	  }
-	  table.tt {
-	  vertical-align: top;
-	  }
-	  table.full {
-	  border-style: outset;
-	  border-width: 1px;
-	  }
-	  table.headers {
-	  border-style: outset;
-	  border-width: 1px;
-	  }
-	  table.tt td {
-	  vertical-align: top;
-	  }
-	  table.full td {
-	  border-style: inset;
-	  border-width: 1px;
-	  }
-	  table.tt th {
-	  vertical-align: top;
-	  }
-	  table.full th {
-	  border-style: inset;
-	  border-width: 1px;
-	  }
-	  table.headers th {
-	  border-style: none none inset none;
-	  border-width: 1px;
-	  }
-	  table.left {
-	  margin-right: auto;
-	  }
-	  table.right {
-	  margin-left: auto;
-	  }
-	  table.center {
-	  margin-left: auto;
-	  margin-right: auto;
-	  }
-	  caption {
-	  caption-side: bottom;
-	  font-weight: bold;
-	  font-size: 9pt;
-	  margin-top: .5em;
-	  }
-	
-	  table.header {
-	  border-spacing: 1px;
-	  width: 95%;
-	  font-size: 10pt;
-	  color: white;
-	  }
-	  td.top {
-	  vertical-align: top;
-	  }
-	  td.topnowrap {
-	  vertical-align: top;
-	  white-space: nowrap; 
-	  }
-	  table.header td {
-	  background-color: gray;
-	  width: 50%;
-	  }
-	  table.header a {
-	  color: white;
-	  }
-	  td.reference {
-	  vertical-align: top;
-	  white-space: nowrap;
-	  padding-right: 1em;
-	  }
-	  thead {
-	  display:table-header-group;
-	  }
-	  ul.toc, ul.toc ul {
-	  list-style: none;
-	  margin-left: 1.5em;
-	  margin-right: 0em;
-	  padding-left: 0em;
-	  }
-	  ul.toc li {
-	  line-height: 150%;
-	  font-weight: bold;
-	  font-size: 10pt;
-	  margin-left: 0em;
-	  margin-right: 0em;
-	  }
-	  ul.toc li li {
-	  line-height: normal;
-	  font-weight: normal;
-	  font-size: 9pt;
-	  margin-left: 0em;
-	  margin-right: 0em;
-	  }
-	  li.excluded {
-	  font-size: 0pt;
-	  }
-	  ul p {
-	  margin-left: 0em;
-	  }
-	
-	  .comment {
-	  background-color: yellow;
-	  }
-	  .center {
-	  text-align: center;
-	  }
-	  .error {
-	  color: red;
-	  font-style: italic;
-	  font-weight: bold;
-	  }
-	  .figure {
-	  font-weight: bold;
-	  text-align: center;
-	  font-size: 9pt;
-	  }
-	  .filename {
-	  color: #333333;
-	  font-weight: bold;
-	  font-size: 12pt;
-	  line-height: 21pt;
-	  text-align: center;
-	  }
-	  .fn {
-	  font-weight: bold;
-	  }
-	  .hidden {
-	  display: none;
-	  }
-	  .left {
-	  text-align: left;
-	  }
-	  .right {
-	  text-align: right;
-	  }
-	  .title {
-	  color: #990000;
-	  font-size: 18pt;
-	  line-height: 18pt;
-	  font-weight: bold;
-	  text-align: center;
-	  margin-top: 36pt;
-	  }
-	  .vcardline {
-	  display: block;
-	  }
-	  .warning {
-	  font-size: 14pt;
-	  background-color: yellow;
-	  }
-	
-	
-	  @media print {
-	  .noprint {
-		display: none;
-	  }
-	
-	  a {
-		color: black;
-		text-decoration: none;
-	  }
-	
-	  table.header {
-		width: 90%;
-	  }
-	
-	  td.header {
-		width: 50%;
-		color: black;
-		background-color: white;
-		vertical-align: top;
-		font-size: 12pt;
-	  }
-	
-	  ul.toc a::after {
-		content: leader('.') target-counter(attr(href), page);
-	  }
-	
-	  ul.ind li li a {
-		content: target-counter(attr(href), page);
-	  }
-	
-	  .print2col {
-		column-count: 2;
-		-moz-column-count: 2;
-		column-fill: auto;
-	  }
-	  }
-	
-	  @page {
-	  @top-left {
-		   content: "Internet-Draft"; 
-	  } 
-	  @top-right {
-		   content: "December 2010"; 
-	  } 
-	  @top-center {
-		   content: "Abbreviated Title";
-	  } 
-	  @bottom-left {
-		   content: "Doe"; 
-	  } 
-	  @bottom-center {
-		   content: "Expires June 2011"; 
-	  } 
-	  @bottom-right {
-		   content: "[Page " counter(page) "]"; 
-	  } 
-	  }
-	
-	  @page:first { 
-		@top-left {
-		  content: normal;
-		}
-		@top-right {
-		  content: normal;
-		}
-		@top-center {
-		  content: normal;
-		}
-	  }
-  /*]]>*/
-  </style>
+*/
 
-  <link href="#rfc.toc" rel="Contents">
-<link href="#rfc.section.1" rel="Chapter" title="1 Introduction">
-<link href="#rfc.section.1.1" rel="Chapter" title="1.1 Conventions and Terminology">
-<link href="#rfc.section.2" rel="Chapter" title="2 Format">
-<link href="#rfc.section.2.1" rel="Chapter" title="2.1 Overview">
-<link href="#rfc.section.2.1.1" rel="Chapter" title="2.1.1 Object Template">
-<link href="#rfc.section.2.1.2" rel="Chapter" title="2.1.2 attributes">
-<link href="#rfc.section.2.1.3" rel="Chapter" title="2.1.3 Sample Object Template object">
-<link href="#rfc.section.2.1.4" rel="Chapter" title="2.1.4 Object Relationships">
-<link href="#rfc.section.3" rel="Chapter" title="3 Directory">
-<link href="#rfc.section.3.1" rel="Chapter" title="3.1 Existing and public MISP object templates">
-<link href="#rfc.section.4" rel="Chapter" title="4 Acknowledgements">
-<link href="#rfc.references" rel="Chapter" title="5 References">
-<link href="#rfc.references.1" rel="Chapter" title="5.1 Normative References">
-<link href="#rfc.references.2" rel="Chapter" title="5.2 Informative References">
-<link href="#rfc.authors" rel="Chapter">
+/* fonts */
+@import url('https://fonts.googleapis.com/css?family=Noto+Sans'); /* Sans-serif */
+@import url('https://fonts.googleapis.com/css?family=Noto+Serif'); /* Serif (print) */
+@import url('https://fonts.googleapis.com/css?family=Roboto+Mono'); /* Monospace */
+
+@viewport {
+  zoom: 1.0;
+  width: extend-to-zoom;
+}
+@-ms-viewport {
+  width: extend-to-zoom;
+  zoom: 1.0;
+}
+/* general and mobile first */
+html {
+}
+body {
+  max-width: 90%;
+  margin: 1.5em auto;
+  color: #222;
+  background-color: #fff;
+  font-size: 14px;
+  font-family: 'Noto Sans', Arial, Helvetica, sans-serif;
+  line-height: 1.6;
+  scroll-behavior: smooth;
+}
+.ears {
+  display: none;
+}
+
+/* headings */
+#title, h1, h2, h3, h4, h5, h6 {
+  margin: 1em 0 0.5em;
+  font-weight: bold;
+  line-height: 1.3;
+}
+#title {
+  clear: both;
+  border-bottom: 1px solid #ddd;
+  margin: 0 0 0.5em 0;
+  padding: 1em 0 0.5em;
+}
+.author {
+  padding-bottom: 4px;
+}
+h1 {
+  font-size: 26px;
+  margin: 1em 0;
+}
+h2 {
+  font-size: 22px;
+  margin-top: -20px;  /* provide offset for in-page anchors */
+  padding-top: 33px;
+}
+h3 {
+  font-size: 18px;
+  margin-top: -36px;  /* provide offset for in-page anchors */
+  padding-top: 42px;
+}
+h4 {
+  font-size: 16px;
+  margin-top: -36px;  /* provide offset for in-page anchors */
+  padding-top: 42px;
+}
+h5, h6 {
+  font-size: 14px;
+}
+#n-copyright-notice {
+  border-bottom: 1px solid #ddd;
+  padding-bottom: 1em;
+  margin-bottom: 1em;
+}
+/* general structure */
+p {
+  padding: 0;
+  margin: 0 0 1em 0;
+  text-align: left;
+}
+div, span {
+  position: relative;
+}
+div {
+  margin: 0;
+}
+.alignRight.art-text {
+  background-color: #f9f9f9;
+  border: 1px solid #eee;
+  border-radius: 3px;
+  padding: 1em 1em 0;
+  margin-bottom: 1.5em;
+}
+.alignRight.art-text pre {
+  padding: 0;
+}
+.alignRight {
+  margin: 1em 0;
+}
+.alignRight > *:first-child {
+  border: none;
+  margin: 0;
+  float: right;
+  clear: both;
+}
+.alignRight > *:nth-child(2) {
+  clear: both;
+  display: block;
+  border: none;
+}
+svg {
+  display: block;
+}
+.alignCenter.art-text {
+  background-color: #f9f9f9;
+  border: 1px solid #eee;
+  border-radius: 3px;
+  padding: 1em 1em 0;
+  margin-bottom: 1.5em;
+}
+.alignCenter.art-text pre {
+  padding: 0;
+}
+.alignCenter {
+  margin: 1em 0;
+}
+.alignCenter > *:first-child {
+  border: none;
+  /* this isn't optimal, but it's an existence proof.  PrinceXML doesn't
+     support flexbox yet.
+  */
+  display: table;
+  margin: 0 auto;
+}
+
+/* lists */
+ol, ul {
+  padding: 0;
+  margin: 0 0 1em 2em;
+}
+ol ol, ul ul, ol ul, ul ol {
+  margin-left: 1em;
+}
+li {
+  margin: 0 0 0.25em 0;
+}
+.ulCompact li {
+  margin: 0;
+}
+ul.empty, .ulEmpty {
+  list-style-type: none;
+}
+ul.empty li, .ulEmpty li {
+  margin-top: 0.5em;
+}
+ul.ulBare, li.ulBare {
+  margin-left: 0em !important;
+}
+ul.compact, .ulCompact,
+ol.compact, .olCompact {
+  line-height: 100%;
+  margin: 0 0 0 2em;
+}
+
+/* definition lists */
+dl {
+}
+dl > dt {
+  float: left;
+  margin-right: 1em;
+}
+/* 
+dl.nohang > dt {
+  float: none;
+}
+*/
+dl > dd {
+  margin-bottom: .8em;
+  min-height: 1.3em;
+}
+dl.compact > dd, .dlCompact > dd {
+  margin-bottom: 0em;
+}
+dl > dd > dl {
+  margin-top: 0.5em;
+  margin-bottom: 0em;
+}
+
+/* links */
+a {
+  text-decoration: none;
+}
+a[href] {
+  color: #22e; /* Arlen: WCAG 2019 */
+}
+a[href]:hover {
+  background-color: #f2f2f2;
+}
+figcaption a[href],
+a[href].selfRef {
+  color: #222;
+}
+/* XXX probably not this:
+a.selfRef:hover {
+  background-color: transparent;
+  cursor: default;
+} */
+
+/* Figures */
+tt, code, pre, code {
+  background-color: #f9f9f9;
+  font-family: 'Roboto Mono', monospace;
+}
+pre {
+  border: 1px solid #eee;
+  margin: 0;
+  padding: 1em;
+}
+img {
+  max-width: 100%;
+}
+figure {
+  margin: 0;
+}
+figure blockquote {
+  margin: 0.8em 0.4em 0.4em;
+}
+figcaption {
+  font-style: italic;
+  margin: 0 0 1em 0;
+}
+@media screen {
+  pre {
+    overflow-x: auto;
+    max-width: 100%;
+    max-width: calc(100% - 22px);
+  }
+}
+
+/* aside, blockquote */
+aside, blockquote {
+  margin-left: 0;
+  padding: 1.2em 2em;
+}
+blockquote {
+  background-color: #f9f9f9;
+  color: #111; /* Arlen: WCAG 2019 */
+  border: 1px solid #ddd;
+  border-radius: 3px;
+  margin: 1em 0;
+}
+cite {
+  display: block;
+  text-align: right;
+  font-style: italic;
+}
+
+/* tables */
+table {
+  width: 100%;
+  margin: 0 0 1em;
+  border-collapse: collapse;
+  border: 1px solid #eee;
+}
+th, td {
+  text-align: left;
+  vertical-align: top;
+  padding: 0.5em 0.75em;
+}
+th {
+  text-align: left;
+  background-color: #e9e9e9;
+}
+tr:nth-child(2n+1) > td {
+  background-color: #f5f5f5;
+}
+table caption {
+  font-style: italic;
+  margin: 0;
+  padding: 0;
+  text-align: left;
+}
+table p {
+  /* XXX to avoid bottom margin on table row signifiers. If paragraphs should
+     be allowed within tables more generally, it would be far better to select on a class. */
+  margin: 0;
+}
+
+/* pilcrow */
+a.pilcrow {
+  color: #666; /* Arlen: AHDJ 2019 */
+  text-decoration: none;
+  visibility: hidden;
+  user-select: none;
+  -ms-user-select: none;
+  -o-user-select:none;
+  -moz-user-select: none;
+  -khtml-user-select: none;
+  -webkit-user-select: none;
+  -webkit-touch-callout: none;
+}
+@media screen {
+  aside:hover > a.pilcrow,
+  p:hover > a.pilcrow,
+  blockquote:hover > a.pilcrow,
+  div:hover > a.pilcrow,
+  li:hover > a.pilcrow,
+  pre:hover > a.pilcrow {
+    visibility: visible;
+  }
+  a.pilcrow:hover {
+    background-color: transparent;
+  }
+}
+
+/* misc */
+hr {
+  border: 0;
+  border-top: 1px solid #eee;
+}
+.bcp14 {
+  font-variant: small-caps;
+}
+
+.role {
+  font-variant: all-small-caps;
+}
+
+/* info block */
+#identifiers {
+  margin: 0;
+  font-size: 0.9em;
+}
+#identifiers dt {
+  width: 3em;
+  clear: left;
+}
+#identifiers dd {
+  float: left;
+  margin-bottom: 0;
+}
+#identifiers .authors .author {
+  display: inline-block;
+  margin-right: 1.5em;
+}
+#identifiers .authors .org {
+  font-style: italic;
+}
+
+/* The prepared/rendered info at the very bottom of the page */
+.docInfo {
+  color: #666; /* Arlen: WCAG 2019 */
+  font-size: 0.9em;
+  font-style: italic;
+  margin-top: 2em;
+}
+.docInfo .prepared {
+  float: left;
+}
+.docInfo .prepared {
+  float: right;
+}
+
+/* table of contents */
+#toc  {
+  padding: 0.75em 0 2em 0;
+  margin-bottom: 1em;
+}
+nav.toc ul {
+  margin: 0 0.5em 0 0;
+  padding: 0;
+  list-style: none;
+}
+nav.toc li {
+  line-height: 1.3em;
+  margin: 0.75em 0;
+  padding-left: 1.2em;
+  text-indent: -1.2em;
+}
+/* references */
+.references dt {
+  text-align: right;
+  font-weight: bold;
+  min-width: 7em;
+}
+.references dd {
+  margin-left: 8em;
+  overflow: auto;
+}
+
+.refInstance {
+  margin-bottom: 1.25em;
+}
+
+.references .ascii {
+  margin-bottom: 0.25em;
+}
+
+/* index */
+.index ul {
+  margin: 0 0 0 1em;
+  padding: 0;
+  list-style: none;
+}
+.index ul ul {
+  margin: 0;
+}
+.index li {
+  margin: 0;
+  text-indent: -2em;
+  padding-left: 2em;
+  padding-bottom: 5px;
+}
+.indexIndex {
+  margin: 0.5em 0 1em;
+}
+.index a {
+  font-weight: 700;
+}
+/* make the index two-column on all but the smallest screens */
+@media (min-width: 600px) {
+  .index ul {
+    -moz-column-count: 2;
+    -moz-column-gap: 20px;
+  }
+  .index ul ul {
+    -moz-column-count: 1;
+    -moz-column-gap: 0;
+  }
+}
+
+/* authors */
+address.vcard {
+  font-style: normal;
+  margin: 1em 0;
+}
+
+address.vcard .nameRole {
+  font-weight: 700;
+  margin-left: 0;
+}
+address.vcard .label {
+  font-family: "Noto Sans",Arial,Helvetica,sans-serif;
+  margin: 0.5em 0;
+}
+address.vcard .type {
+  display: none;
+}
+.alternative-contact {
+  margin: 1.5em 0 1em;
+}
+hr.addr {
+  border-top: 1px dashed;
+  margin: 0;
+  color: #ddd;
+  max-width: calc(100% - 16px);
+}
+
+/* temporary notes */
+.rfcEditorRemove::before {
+  position: absolute;
+  top: 0.2em;
+  right: 0.2em;
+  padding: 0.2em;
+  content: "The RFC Editor will remove this note";
+  color: #9e2a00; /* Arlen: WCAG 2019 */
+  background-color: #ffd; /* Arlen: WCAG 2019 */
+}
+.rfcEditorRemove {
+  position: relative;
+  padding-top: 1.8em;
+  background-color: #ffd; /* Arlen: WCAG 2019 */
+  border-radius: 3px;
+}
+.cref {
+  background-color: #ffd; /* Arlen: WCAG 2019 */
+  padding: 2px 4px;
+}
+.crefSource {
+  font-style: italic;
+}
+/* alternative layout for smaller screens */
+@media screen and (max-width: 1023px) {
+  body {
+    padding-top: 2em;
+  }
+  #title {
+    padding: 1em 0;
+  }
+  h1 {
+    font-size: 24px;
+  }
+  h2 {
+    font-size: 20px;
+    margin-top: -18px;  /* provide offset for in-page anchors */
+    padding-top: 38px;
+  }
+  #identifiers dd {
+    max-width: 60%;
+  }
+  #toc {
+    position: fixed;
+    z-index: 2;
+    top: 0;
+    right: 0;
+    padding: 0;
+    margin: 0;
+    background-color: inherit;
+    border-bottom: 1px solid #ccc;
+  }
+  #toc h2 {
+    margin: -1px 0 0 0;
+    padding: 4px 0 4px 6px;
+    padding-right: 1em;
+    min-width: 190px;
+    font-size: 1.1em;
+    text-align: right;
+    background-color: #444;
+    color: white;
+    cursor: pointer;
+  }
+  #toc h2::before { /* css hamburger */
+    float: right;
+    position: relative;
+    width: 1em;
+    height: 1px;
+    left: -164px;
+    margin: 6px 0 0 0;
+    background: white none repeat scroll 0 0;
+    box-shadow: 0 4px 0 0 white, 0 8px 0 0 white;
+    content: "";
+  }
+  #toc nav {
+    display: none;
+    padding: 0.5em 1em 1em;
+    overflow: auto;
+    height: calc(100vh - 48px);
+    border-left: 1px solid #ddd;
+  }
+}
+
+/* alternative layout for wide screens */
+@media screen and (min-width: 1024px) {
+  body {
+    max-width: 724px;
+    margin: 42px auto;
+    padding-left: 1.5em;
+    padding-right: 29em;
+  }
+  #toc {
+    position: fixed;
+    top: 42px;
+    right: 42px;
+    width: 25%;
+    margin: 0;
+    padding: 0 1em;
+    z-index: 1;
+  }
+  #toc h2 {
+    border-top: none;
+    border-bottom: 1px solid #ddd;
+    font-size: 1em;
+    font-weight: normal;
+    margin: 0;
+    padding: 0.25em 1em 1em 0;
+  }
+  #toc nav {
+    display: block;
+    height: calc(90vh - 84px);
+    bottom: 0;
+    padding: 0.5em 0 0;
+    overflow: auto;
+  }
+  img { /* future proofing */
+    max-width: 100%;
+    height: auto;
+  }
+}
+
+/* pagination */
+@media print {
+  body {
+
+    width: 100%;
+  }
+  p {
+    orphans: 3;
+    widows: 3;
+  }
+  #n-copyright-notice {
+    border-bottom: none;
+  }
+  #toc, #n-introduction {
+    page-break-before: always;
+  }
+  #toc {
+    border-top: none;
+    padding-top: 0;
+  }
+  figure, pre {
+    page-break-inside: avoid;
+  }
+  figure {
+    overflow: scroll;
+  }
+  h1, h2, h3, h4, h5, h6 {
+    page-break-after: avoid;
+  }
+  h2+*, h3+*, h4+*, h5+*, h6+* {
+    page-break-before: avoid;
+  }
+  pre {
+    white-space: pre-wrap;
+    word-wrap: break-word;
+    font-size: 10pt;
+  }
+  table {
+    border: 1px solid #ddd;
+  }
+  td {
+    border-top: 1px solid #ddd;
+  }
+}
+
+/* This is commented out here, as the string-set: doesn't
+   pass W3C validation currently */
+/*
+.ears thead .left {
+  string-set: ears-top-left content();
+}
+
+.ears thead .center {
+  string-set: ears-top-center content();
+}
+
+.ears thead .right {
+  string-set: ears-top-right content();
+}
+
+.ears tfoot .left {
+  string-set: ears-bottom-left content();
+}
+
+.ears tfoot .center {
+  string-set: ears-bottom-center content();
+}
+
+.ears tfoot .right {
+  string-set: ears-bottom-right content();
+}
+*/
+
+@page :first {
+  padding-top: 0;
+  @top-left {
+    content: normal;
+    border: none;
+  }
+  @top-center {
+    content: normal;
+    border: none;
+  }
+  @top-right {
+    content: normal;
+    border: none;
+  }
+}
+
+@page {
+  size: A4;
+  margin-bottom: 45mm;
+  padding-top: 20px;
+  /* The follwing is commented out here, but set appropriately by in code, as
+     the content depends on the document */
+  /*
+  @top-left {
+    content: 'Internet-Draft';
+    vertical-align: bottom;
+    border-bottom: solid 1px #ccc;
+  }
+  @top-left {
+    content: string(ears-top-left);
+    vertical-align: bottom;
+    border-bottom: solid 1px #ccc;
+  }
+  @top-center {
+    content: string(ears-top-center);
+    vertical-align: bottom;
+    border-bottom: solid 1px #ccc;
+  }
+  @top-right {
+    content: string(ears-top-right);
+    vertical-align: bottom;
+    border-bottom: solid 1px #ccc;
+  }
+  @bottom-left {
+    content: string(ears-bottom-left);
+    vertical-align: top;
+    border-top: solid 1px #ccc;
+  }
+  @bottom-center {
+    content: string(ears-bottom-center);
+    vertical-align: top;
+    border-top: solid 1px #ccc;
+  }
+  @bottom-right {
+      content: '[Page ' counter(page) ']';
+      vertical-align: top;
+      border-top: solid 1px #ccc;
+  }
+  */
+
+}
+
+/* Changes introduced to fix issues found during implementation */
+/* Make sure links are clickable even if overlapped by following H* */
+a {
+  z-index: 2;
+}
+/* Separate body from document info even without intervening H1 */
+section {
+  clear: both;
+}
 
 
-  <meta name="generator" content="xml2rfc version 2.23.1 - https://tools.ietf.org/tools/xml2rfc" />
-  <link rel="schema.dct" href="http://purl.org/dc/terms/" />
+/* Top align author divs, to avoid names without organization dropping level with org names */
+.author {
+  vertical-align: top;
+}
 
-  <meta name="dct.creator" content="Dulaunoy, A. and A. Iklody" />
-  <meta name="dct.identifier" content="urn:ietf:id:" />
-  <meta name="dct.issued" scheme="ISO8601" content="2018-04-10" />
-  <meta name="dct.abstract" content="This document describes the MISP object template format which describes a simple JSON format to represent the various templates used to construct MISP objects. A public directory of common vocabularies MISP object templates  is available and relies on the MISP object reference format." />
-  <meta name="description" content="This document describes the MISP object template format which describes a simple JSON format to represent the various templates used to construct MISP objects. A public directory of common vocabularies MISP object templates  is available and relies on the MISP object reference format." />
+/* Leave room in document info to show Internet-Draft on one line */
+#identifiers dt {
+  width: 8em;
+}
 
+/* Don't waste quite as much whitespace between label and value in doc info */
+#identifiers dd {
+  margin-left: 1em;
+}
+
+/* Give floating toc a background color (needed when it's a div inside section */
+#toc {
+  background-color: white;
+}
+
+/* Make the collapsed ToC header render white on gray also when it's a link */
+@media screen and (max-width: 1023px) {
+  #toc h2 a,
+  #toc h2 a:link,
+  #toc h2 a:focus,
+  #toc h2 a:hover,
+  #toc a.toplink,
+  #toc a.toplink:hover {
+    color: white;
+    background-color: #444;
+    text-decoration: none;
+  }
+}
+
+/* Give the bottom of the ToC some whitespace */
+@media screen and (min-width: 1024px) {
+  #toc {
+    padding: 0 0 1em 1em;
+  }
+}
+
+/* Style section numbers with more space between number and title */
+.section-number {
+  padding-right: 0.5em;
+}
+
+/* prevent monospace from becoming overly large */
+tt, code, pre, code {
+  font-size: 95%;
+}
+
+/* Fix the height/width aspect for ascii art*/
+pre.sourcecode,
+.art-text pre {
+  line-height: 1.12;
+}
+
+
+/* Add styling for a link in the ToC that points to the top of the document */
+a.toplink {
+  float: right;
+  margin-right: 0.5em;
+}
+
+/* Fix the dl styling to match the RFC 7992 attributes */
+dl > dt,
+dl.dlParallel > dt {
+  float: left;
+  margin-right: 1em;
+}
+dl.dlNewline > dt {
+  float: none;
+}
+
+/* Provide styling for table cell text alignment */
+table td.text-left,
+table th.text-left {
+  text-align: left;
+}
+table td.text-center,
+table th.text-center {
+  text-align: center;
+}
+table td.text-right,
+table th.text-right {
+  text-align: right;
+}
+
+/* Make the alternative author contact informatio look less like just another
+   author, and group it closer with the primary author contact information */
+.alternative-contact {
+  margin: 0.5em 0 0.25em 0;
+}
+address .non-ascii {
+  margin: 0 0 0 2em;
+}
+
+/* With it being possible to set tables with alignment
+  left, center, and right, { width: 100%; } does not make sense */
+table {
+  width: auto;
+}
+
+/* Avoid reference text that sits in a block with very wide left margin,
+   because of a long floating dt label.*/
+.references dd {
+  overflow: visible;
+}
+
+/* Control caption placement */
+caption {
+  caption-side: bottom;
+}
+
+/* Limit the width of the author address vcard, so names in right-to-left
+   script don't end up on the other side of the page. */
+
+address.vcard {
+  max-width: 30em;
+  margin-right: auto;
+}
+
+/* For address alignment dependent on LTR or RTL scripts */
+address div.left {
+  text-align: left;
+}
+address div.right {
+  text-align: right;
+}
+
+/* Provide table alignment support.  We can't use the alignX classes above
+   since they do unwanted things with caption and other styling. */
+table.right {
+ margin-left: auto;
+ margin-right: 0;
+}
+table.center {
+ margin-left: auto;
+ margin-right: auto;
+}
+table.left {
+ margin-left: 0;
+ margin-right: auto;
+}
+
+/* Give the table caption label the same styling as the figcaption */
+caption a[href] {
+  color: #222;
+}
+
+@media print {
+  .toplink {
+    display: none;
+  }
+
+  /* avoid overwriting the top border line with the ToC header */
+  #toc {
+    padding-top: 1px;
+  }
+
+  /* Avoid page breaks inside dl and author address entries */
+  .vcard {
+    page-break-inside: avoid;
+  }
+
+}
+/* Tweak the bcp14 keyword presentation */
+.bcp14 {
+  font-variant: small-caps;
+  font-weight: bold;
+  font-size: 0.9em;
+}
+/* Tweak the invisible space above H* in order not to overlay links in text above */
+ h2 {
+  margin-top: -18px;  /* provide offset for in-page anchors */
+  padding-top: 31px;
+ }
+ h3 {
+  margin-top: -18px;  /* provide offset for in-page anchors */
+  padding-top: 24px;
+ }
+ h4 {
+  margin-top: -18px;  /* provide offset for in-page anchors */
+  padding-top: 24px;
+ }
+/* Float artwork pilcrow to the right */
+@media screen {
+  .artwork a.pilcrow {
+    display: block;
+    line-height: 0.7;
+    margin-top: 0.15em;
+  }
+}
+/* Make pilcrows on dd visible */
+@media screen {
+  dd:hover > a.pilcrow {
+    visibility: visible;
+  }
+}
+/* Make the placement of figcaption match that of a table's caption
+   by removing the figure's added bottom margin */
+.alignLeft.art-text,
+.alignCenter.art-text,
+.alignRight.art-text {
+   margin-bottom: 0;
+}
+.alignLeft,
+.alignCenter,
+.alignRight {
+  margin: 1em 0 0 0;
+}
+/* In print, the pilcrow won't show on hover, so prevent it from taking up space,
+   possibly even requiring a new line */
+@media print {
+  a.pilcrow {
+    display: none;
+  }
+}
+/* Styling for the external metadata */
+div#external-metadata {
+  background-color: #eee;
+  padding: 0.5em;
+  margin-bottom: 0.5em;
+  display: none;
+}
+div#internal-metadata {
+  padding: 0.5em;                       /* to match the external-metadata padding */
+}
+/* Styling for title RFC Number */
+h1#rfcnum {
+  clear: both;
+  margin: 0 0 -1em;
+  padding: 1em 0 0 0;
+}
+/* Make .olPercent look the same as <ol><li> */
+dl.olPercent > dd {
+  margin-bottom: 0.25em;
+  min-height: initial;
+}
+/* Give aside some styling to set it apart */
+aside {
+  border-left: 1px solid #ddd;
+  margin: 1em 0 1em 2em;
+  padding: 0.2em 2em;
+}
+aside > dl,
+aside > ol,
+aside > ul,
+aside > table,
+aside > p {
+  margin-bottom: 0.5em;
+}
+/* Additional page break settings */
+@media print {
+  figcaption, table caption {
+    page-break-before: avoid;
+  }
+}
+/* Font size adjustments for print */
+@media print {
+  body  { font-size: 10pt;      line-height: normal; max-width: 96%; }
+  h1    { font-size: 1.72em;    padding-top: 1.5em; } /* 1*1.2*1.2*1.2 */
+  h2    { font-size: 1.44em;    padding-top: 1.5em; } /* 1*1.2*1.2 */
+  h3    { font-size: 1.2em;     padding-top: 1.5em; } /* 1*1.2 */
+  h4    { font-size: 1em;       padding-top: 1.5em; }
+  h5, h6 { font-size: 1em;      margin: initial; padding: 0.5em 0 0.3em; }
+}
+/* Sourcecode margin in print, when there's no pilcrow */
+@media print {
+  .artwork,
+  .sourcecode {
+    margin-bottom: 1em;
+  }
+}
+/* Avoid narrow tables forcing too narrow table captions, which may render badly */
+table {
+  min-width: 20em;
+}
+/* ol type a */
+ol.type-a { list-style-type: lower-alpha; }
+ol.type-A { list-style-type: upper-alpha; }
+ol.type-i { list-style-type: lower-roman; }
+ol.type-I { list-style-type: lower-roman; }
+/* Apply the print table and row borders in general, on request from the RPC,
+and increase the contrast between border and odd row background sligthtly */
+table {
+  border: 1px solid #ddd;
+}
+td {
+  border-top: 1px solid #ddd;
+}
+tr:nth-child(2n+1) > td {
+  background-color: #f8f8f8;
+}
+/* Use style rules to govern display of the TOC. */
+@media screen and (max-width: 1023px) {
+  #toc nav { display: none; }
+  #toc.active nav { display: block; }
+}
+/* Add support for keepWithNext */
+.keepWithNext {
+  break-after: avoid-page;
+  break-after: avoid-page;
+}
+/* Add support for keepWithPrevious */
+.keepWithPrevious {
+  break-before: avoid-page;
+}
+/* Change the approach to avoiding breaks inside artwork etc. */
+figure, pre, table, .artwork, .sourcecode  {
+  break-before: avoid-page;
+  break-after: auto;
+}
+/* Avoid breaks between <dt> and <dd> */
+dl {
+  break-before: auto;
+  break-inside: auto;
+}
+dt {
+  break-before: auto;
+  break-after: avoid-page;
+}
+dd {
+  break-before: avoid-page;
+  break-after: auto;
+  orphans: 3;
+  widows: 3
+}
+span.break, dd.break {
+  margin-bottom: 0;
+  min-height: 0;
+  break-before: auto;
+  break-inside: auto;
+  break-after: auto;
+}
+/* Undo break-before ToC */
+@media print {
+  #toc {
+    break-before: auto;
+  }
+}
+/* Text in compact lists should not get extra bottim margin space,
+   since that would makes the list not compact */
+ul.compact p, .ulCompact p,
+ol.compact p, .olCompact p {
+ margin: 0;
+}
+/* But the list as a whole needs the extra space at the end */
+section ul.compact,
+section .ulCompact,
+section ol.compact,
+section .olCompact {
+  margin-bottom: 1em;                    /* same as p not within ul.compact etc. */
+}
+/* The tt and code background above interferes with for instance table cell
+   backgrounds.  Changed to something a bit more selective. */
+tt, code {
+  background-color: transparent;
+}
+p tt, p code, li tt, li code {
+  background-color: #f8f8f8;
+}
+/* Tweak the pre margin -- 0px doesn't come out well */
+pre {
+   margin-top: 0.5px;
+}
+/* Tweak the comact list text */
+ul.compact, .ulCompact,
+ol.compact, .olCompact,
+dl.compact, .dlCompact {
+  line-height: normal;
+}
+/* Don't add top margin for nested lists */
+li > ul, li > ol, li > dl,
+dd > ul, dd > ol, dd > dl,
+dl > dd > dl {
+  margin-top: initial;
+}
+/* Elements that should not be rendered on the same line as a <dt> */
+/* This should match the element list in writer.text.TextWriter.render_dl() */
+dd > div.artwork:first-child,
+dd > aside:first-child,
+dd > figure:first-child,
+dd > ol:first-child,
+dd > div:first-child > pre.sourcecode,
+dd > table:first-child,
+dd > ul:first-child {
+  clear: left;
+}
+/* fix for weird browser behaviour when <dd/> is empty */
+dt+dd:empty::before{
+  content: "\00a0";
+}
+/* Make paragraph spacing inside <li> smaller than in body text, to fit better within the list */
+li > p {
+  margin-bottom: 0.5em
+}
+/* Don't let p margin spill out from inside list items */
+li > p:last-of-type {
+  margin-bottom: 0;
+}
+</style>
+<link href="rfc-local.css" rel="stylesheet" type="text/css">
+<script type="application/javascript">async function addMetadata(){try{const e=document.styleSheets[0].cssRules;for(let t=0;t<e.length;t++)if(/#identifiers/.exec(e[t].selectorText)){const a=e[t].cssText.replace("#identifiers","#external-updates");document.styleSheets[0].insertRule(a,document.styleSheets[0].cssRules.length)}}catch(e){console.log(e)}const e=document.getElementById("external-metadata");if(e)try{var t,a="",o=function(e){const t=document.getElementsByTagName("meta");for(let a=0;a<t.length;a++)if(t[a].getAttribute("name")===e)return t[a].getAttribute("content");return""}("rfc.number");if(o){t="https://www.rfc-editor.org/rfc/rfc"+o+".json";try{const e=await fetch(t);a=await e.json()}catch(e){t=document.URL.indexOf("html")>=0?document.URL.replace(/html$/,"json"):document.URL+".json";const o=await fetch(t);a=await o.json()}}if(!a)return;e.style.display="block";const s="",d="https://datatracker.ietf.org/doc",n="https://datatracker.ietf.org/ipr/search",c="https://www.rfc-editor.org/info",l=a.doc_id.toLowerCase(),i=a.doc_id.slice(0,3).toLowerCase(),f=a.doc_id.slice(3).replace(/^0+/,""),u={status:"Status",obsoletes:"Obsoletes",obsoleted_by:"Obsoleted By",updates:"Updates",updated_by:"Updated By",see_also:"See Also",errata_url:"Errata"};let h="<dl style='overflow:hidden' id='external-updates'>";["status","obsoletes","obsoleted_by","updates","updated_by","see_also","errata_url"].forEach(e=>{if("status"==e){a[e]=a[e].toLowerCase();var t=a[e].split(" "),o=t.length,w="",p=1;for(let e=0;e<o;e++)p<o?w=w+r(t[e])+" ":w+=r(t[e]),p++;a[e]=w}else if("obsoletes"==e||"obsoleted_by"==e||"updates"==e||"updated_by"==e){var g,m="",b=1;g=a[e].length;for(let t=0;t<g;t++)a[e][t]&&(a[e][t]=String(a[e][t]).toLowerCase(),m=b<g?m+"<a href='"+s+"/rfc/".concat(a[e][t])+"'>"+a[e][t].slice(3)+"</a>, ":m+"<a href='"+s+"/rfc/".concat(a[e][t])+"'>"+a[e][t].slice(3)+"</a>",b++);a[e]=m}else if("see_also"==e){var y,L="",C=1;y=a[e].length;for(let t=0;t<y;t++)if(a[e][t]){a[e][t]=String(a[e][t]);var _=a[e][t].slice(0,3),v=a[e][t].slice(3).replace(/^0+/,"");L=C<y?"RFC"!=_?L+"<a href='"+s+"/info/"+_.toLowerCase().concat(v.toLowerCase())+"'>"+_+" "+v+"</a>, ":L+"<a href='"+s+"/info/"+_.toLowerCase().concat(v.toLowerCase())+"'>"+v+"</a>, ":"RFC"!=_?L+"<a href='"+s+"/info/"+_.toLowerCase().concat(v.toLowerCase())+"'>"+_+" "+v+"</a>":L+"<a href='"+s+"/info/"+_.toLowerCase().concat(v.toLowerCase())+"'>"+v+"</a>",C++}a[e]=L}else if("errata_url"==e){var R="";R=a[e]?R+"<a href='"+a[e]+"'>Errata exist</a> | <a href='"+d+"/"+l+"'>Datatracker</a>| <a href='"+n+"/?"+i+"="+f+"&submit="+i+"'>IPR</a> | <a href='"+c+"/"+l+"'>Info page</a>":"<a href='"+d+"/"+l+"'>Datatracker</a> | <a href='"+n+"/?"+i+"="+f+"&submit="+i+"'>IPR</a> | <a href='"+c+"/"+l+"'>Info page</a>",a[e]=R}""!=a[e]?"Errata"==u[e]?h+=`<dt>More info:</dt><dd>${a[e]}</dd>`:h+=`<dt>${u[e]}:</dt><dd>${a[e]}</dd>`:"Errata"==u[e]&&(h+=`<dt>More info:</dt><dd>${a[e]}</dd>`)}),h+="</dl>",e.innerHTML=h}catch(e){console.log(e)}else console.log("Could not locate metadata <div> element");function r(e){return e.charAt(0).toUpperCase()+e.slice(1)}}window.removeEventListener("load",addMetadata),window.addEventListener("load",addMetadata);</script>
 </head>
-
 <body>
-
-  <table class="header">
-    <tbody>
-    
-    	<tr>
-<td class="left">Network Working Group</td>
-<td class="right">A. Dulaunoy</td>
-</tr>
-<tr>
+<script src="metadata.min.js"></script>
+<table class="ears">
+<thead><tr>
 <td class="left">Internet-Draft</td>
-<td class="right">A. Iklody</td>
-</tr>
-<tr>
-<td class="left">Expires: October 12, 2018</td>
-<td class="right">CIRCL</td>
-</tr>
-<tr>
-<td class="left"></td>
-<td class="right">April 10, 2018</td>
-</tr>
-
-    	
-    </tbody>
-  </table>
-
-  <p class="title">MISP object template format<br />
-  <span class="filename"></span></p>
-  
-  <h1 id="rfc.abstract"><a href="#rfc.abstract">Abstract</a></h1>
-<p>This document describes the MISP object template format which describes a simple JSON format to represent the various templates used to construct MISP objects. A public directory of common vocabularies MISP object templates <a href="#MISP-O" class="xref">[MISP-O]</a> is available and relies on the MISP object reference format.</p>
-<h1 id="rfc.status"><a href="#rfc.status">Status of This Memo</a></h1>
-<p>This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.</p>
-<p>Internet-Drafts are working documents of the Internet Engineering Task Force (IETF).  Note that other groups may also distribute working documents as Internet-Drafts.  The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.</p>
-<p>Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time.  It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."</p>
-<p>This Internet-Draft will expire on October 12, 2018.</p>
-<h1 id="rfc.copyrightnotice"><a href="#rfc.copyrightnotice">Copyright Notice</a></h1>
-<p>Copyright (c) 2018 IETF Trust and the persons identified as the document authors.  All rights reserved.</p>
-<p>This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document.  Please review these documents carefully, as they describe your rights and restrictions with respect to this document.  Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.</p>
-
-  
-  <hr class="noprint" />
-  <h1 class="np" id="rfc.toc"><a href="#rfc.toc">Table of Contents</a></h1>
-  <ul class="toc">
-
-  	<li>1.   <a href="#rfc.section.1">Introduction</a>
+<td class="center">MISP object template format</td>
+<td class="right">November 2021</td>
+</tr></thead>
+<tfoot><tr>
+<td class="left">Dulaunoy &amp; Iklody</td>
+<td class="center">Expires 25 May 2022</td>
+<td class="right">[Page]</td>
+</tr></tfoot>
+</table>
+<div id="external-metadata" class="document-information"></div>
+<div id="internal-metadata" class="document-information">
+<dl id="identifiers">
+<dt class="label-workgroup">Workgroup:</dt>
+<dd class="workgroup">Network Working Group</dd>
+<dt class="label-internet-draft">Internet-Draft:</dt>
+<dd class="internet-draft">draft-00</dd>
+<dt class="label-published">Published:</dt>
+<dd class="published">
+<time datetime="2021-11-21" class="published">21 November 2021</time>
+    </dd>
+<dt class="label-intended-status">Intended Status:</dt>
+<dd class="intended-status">Informational</dd>
+<dt class="label-expires">Expires:</dt>
+<dd class="expires"><time datetime="2022-05-25">25 May 2022</time></dd>
+<dt class="label-authors">Authors:</dt>
+<dd class="authors">
+<div class="author">
+      <div class="author-name">A. Dulaunoy</div>
+<div class="org">CIRCL</div>
+</div>
+<div class="author">
+      <div class="author-name">A. Iklody</div>
+<div class="org">CIRCL</div>
+</div>
+</dd>
+</dl>
+</div>
+<h1 id="title">MISP object template format</h1>
+<section id="section-abstract">
+      <h2 id="abstract"><a href="#abstract" class="selfRef">Abstract</a></h2>
+<p id="section-abstract-1">This document describes the MISP object template format which describes a simple JSON format to represent the various templates used to construct MISP objects. A public directory of common vocabularies MISP object templates <span>[<a href="#MISP-O" class="xref">MISP-O</a>]</span> is available and relies on the MISP object reference format.<a href="#section-abstract-1" class="pilcrow">¶</a></p>
+</section>
+<div id="status-of-memo">
+<section id="section-boilerplate.1">
+        <h2 id="name-status-of-this-memo">
+<a href="#name-status-of-this-memo" class="section-name selfRef">Status of This Memo</a>
+        </h2>
+<p id="section-boilerplate.1-1">
+        This Internet-Draft is submitted in full conformance with the
+        provisions of BCP 78 and BCP 79.<a href="#section-boilerplate.1-1" class="pilcrow">¶</a></p>
+<p id="section-boilerplate.1-2">
+        Internet-Drafts are working documents of the Internet Engineering Task
+        Force (IETF). Note that other groups may also distribute working
+        documents as Internet-Drafts. The list of current Internet-Drafts is
+        at <span><a href="https://datatracker.ietf.org/drafts/current/">https://datatracker.ietf.org/drafts/current/</a></span>.<a href="#section-boilerplate.1-2" class="pilcrow">¶</a></p>
+<p id="section-boilerplate.1-3">
+        Internet-Drafts are draft documents valid for a maximum of six months
+        and may be updated, replaced, or obsoleted by other documents at any
+        time. It is inappropriate to use Internet-Drafts as reference
+        material or to cite them other than as "work in progress."<a href="#section-boilerplate.1-3" class="pilcrow">¶</a></p>
+<p id="section-boilerplate.1-4">
+        This Internet-Draft will expire on 25 May 2022.<a href="#section-boilerplate.1-4" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="copyright">
+<section id="section-boilerplate.2">
+        <h2 id="name-copyright-notice">
+<a href="#name-copyright-notice" class="section-name selfRef">Copyright Notice</a>
+        </h2>
+<p id="section-boilerplate.2-1">
+            Copyright (c) 2021 IETF Trust and the persons identified as the
+            document authors. All rights reserved.<a href="#section-boilerplate.2-1" class="pilcrow">¶</a></p>
+<p id="section-boilerplate.2-2">
+            This document is subject to BCP 78 and the IETF Trust's Legal
+            Provisions Relating to IETF Documents
+            (<span><a href="https://trustee.ietf.org/license-info">https://trustee.ietf.org/license-info</a></span>) in effect on the date of
+            publication of this document. Please review these documents
+            carefully, as they describe your rights and restrictions with
+            respect to this document.<a href="#section-boilerplate.2-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="toc">
+<section id="section-toc.1">
+        <a href="#" onclick="scroll(0,0)" class="toplink">▲</a><h2 id="name-table-of-contents">
+<a href="#name-table-of-contents" class="section-name selfRef">Table of Contents</a>
+        </h2>
+<nav class="toc"><ul class="ulBare toc compact ulEmpty">
+<li class="ulBare toc compact ulEmpty" id="section-toc.1-1.1">
+            <p id="section-toc.1-1.1.1" class="keepWithNext"><a href="#section-1" class="xref">1</a>.  <a href="#name-introduction" class="xref">Introduction</a></p>
+<ul class="toc compact ulBare ulEmpty">
+<li class="toc compact ulBare ulEmpty" id="section-toc.1-1.1.2.1">
+                <p id="section-toc.1-1.1.2.1.1" class="keepWithNext"><a href="#section-1.1" class="xref">1.1</a>.  <a href="#name-conventions-and-terminology" class="xref">Conventions and Terminology</a></p>
 </li>
-<ul><li>1.1.   <a href="#rfc.section.1.1">Conventions and Terminology</a>
+            </ul>
 </li>
-</ul><li>2.   <a href="#rfc.section.2">Format</a>
+          <li class="ulBare toc compact ulEmpty" id="section-toc.1-1.2">
+            <p id="section-toc.1-1.2.1"><a href="#section-2" class="xref">2</a>.  <a href="#name-format" class="xref">Format</a></p>
+<ul class="toc compact ulBare ulEmpty">
+<li class="toc compact ulBare ulEmpty" id="section-toc.1-1.2.2.1">
+                <p id="section-toc.1-1.2.2.1.1"><a href="#section-2.1" class="xref">2.1</a>.  <a href="#name-overview" class="xref">Overview</a></p>
+<ul class="toc ulBare compact ulEmpty">
+<li class="toc ulBare compact ulEmpty" id="section-toc.1-1.2.2.1.2.1">
+                    <p id="section-toc.1-1.2.2.1.2.1.1" class="keepWithNext"><a href="#section-2.1.1" class="xref">2.1.1</a>.  <a href="#name-object-template" class="xref">Object Template</a></p>
 </li>
-<ul><li>2.1.   <a href="#rfc.section.2.1">Overview</a>
+                  <li class="toc ulBare compact ulEmpty" id="section-toc.1-1.2.2.1.2.2">
+                    <p id="section-toc.1-1.2.2.1.2.2.1"><a href="#section-2.1.2" class="xref">2.1.2</a>.  <a href="#name-attributes" class="xref">attributes</a></p>
 </li>
-<ul><li>2.1.1.   <a href="#rfc.section.2.1.1">Object Template</a>
+                  <li class="toc ulBare compact ulEmpty" id="section-toc.1-1.2.2.1.2.3">
+                    <p id="section-toc.1-1.2.2.1.2.3.1"><a href="#section-2.1.3" class="xref">2.1.3</a>.  <a href="#name-sample-object-template-obje" class="xref">Sample Object Template object</a></p>
 </li>
-<li>2.1.2.   <a href="#rfc.section.2.1.2">attributes</a>
+                  <li class="toc ulBare compact ulEmpty" id="section-toc.1-1.2.2.1.2.4">
+                    <p id="section-toc.1-1.2.2.1.2.4.1"><a href="#section-2.1.4" class="xref">2.1.4</a>.  <a href="#name-object-relationships" class="xref">Object Relationships</a></p>
 </li>
-<li>2.1.3.   <a href="#rfc.section.2.1.3">Sample Object Template object</a>
+                </ul>
 </li>
-<li>2.1.4.   <a href="#rfc.section.2.1.4">Object Relationships</a>
+            </ul>
 </li>
-</ul></ul><li>3.   <a href="#rfc.section.3">Directory</a>
+          <li class="ulBare toc compact ulEmpty" id="section-toc.1-1.3">
+            <p id="section-toc.1-1.3.1"><a href="#section-3" class="xref">3</a>.  <a href="#name-directory" class="xref">Directory</a></p>
+<ul class="toc compact ulBare ulEmpty">
+<li class="toc compact ulBare ulEmpty" id="section-toc.1-1.3.2.1">
+                <p id="section-toc.1-1.3.2.1.1"><a href="#section-3.1" class="xref">3.1</a>.  <a href="#name-existing-and-public-misp-ob" class="xref">Existing and public MISP object templates</a></p>
 </li>
-<ul><li>3.1.   <a href="#rfc.section.3.1">Existing and public MISP object templates</a>
+            </ul>
 </li>
-</ul><li>4.   <a href="#rfc.section.4">Acknowledgements</a>
+          <li class="ulBare toc compact ulEmpty" id="section-toc.1-1.4">
+            <p id="section-toc.1-1.4.1"><a href="#section-4" class="xref">4</a>.  <a href="#name-acknowledgements" class="xref">Acknowledgements</a></p>
 </li>
-<li>5.   <a href="#rfc.references">References</a>
+          <li class="ulBare toc compact ulEmpty" id="section-toc.1-1.5">
+            <p id="section-toc.1-1.5.1"><a href="#section-5" class="xref">5</a>.  <a href="#name-normative-references" class="xref">Normative References</a></p>
 </li>
-<ul><li>5.1.   <a href="#rfc.references.1">Normative References</a>
+          <li class="ulBare toc compact ulEmpty" id="section-toc.1-1.6">
+            <p id="section-toc.1-1.6.1"><a href="#section-6" class="xref">6</a>.  <a href="#name-informative-references" class="xref">Informative References</a></p>
 </li>
-<li>5.2.   <a href="#rfc.references.2">Informative References</a>
+          <li class="ulBare toc compact ulEmpty" id="section-toc.1-1.7">
+            <p id="section-toc.1-1.7.1"><a href="#appendix-A" class="xref"></a><a href="#name-authors-addresses" class="xref">Authors' Addresses</a></p>
 </li>
-</ul><li><a href="#rfc.authors">Authors' Addresses</a>
-</li>
-
-
-  </ul>
-
-  <h1 id="rfc.section.1">
-<a href="#rfc.section.1">1.</a> <a href="#introduction" id="introduction">Introduction</a>
-</h1>
-<p id="rfc.section.1.p.1">Due to the increased maturity of threat information sharing, the need arose for more complex and exhaustive data-points to be shared across the various sharing communities. MISP's information sharing in general relied on a flat structure of attributes contained within an event, where attributes served as atomic secluded data-points with some commonalities as defined by the encapsulating event. However, this flat structure restricted the use of more diverse and complex data-points described by a list of atomic values, a problem solved by the MISP object structure.</p>
-<p id="rfc.section.1.p.2">MISP objects combine a list of attributes to represent a singular object with various facets. In order to bootstrap the object creation process and to maintain uniformity among objects describing similar data-points, the MISP object template format serves as a reusable and share-able blueprint format.</p>
-<p id="rfc.section.1.p.3">MISP object templates also include a vocabulary to describe the various inter object and object to attribute relationships and are leveraged by MISP object references.</p>
-<h1 id="rfc.section.1.1">
-<a href="#rfc.section.1.1">1.1.</a> <a href="#conventions-and-terminology" id="conventions-and-terminology">Conventions and Terminology</a>
-</h1>
-<p id="rfc.section.1.1.p.1">The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 <a href="#RFC2119" class="xref">[RFC2119]</a>.</p>
-<h1 id="rfc.section.2">
-<a href="#rfc.section.2">2.</a> <a href="#format" id="format">Format</a>
-</h1>
-<p id="rfc.section.2.p.1">MISP object templates are composed of the MISP object template (MUST) structure itself and a list of MISP object template elements (SHOULD) describing the list of possible attributes belonging to the resulting object, along with their context and settings.</p>
-<p id="rfc.section.2.p.2">MISP object templates themselves consist of a name (MUST), a meta-category (MUST) and a description (SHOULD). They are identified by a uuid (MUST) and a version (MUST). For any updates or transfer of the same object reference. UUID version 4 is RECOMMENDED when assigning it to a new object reference. The list of requirements when it comes to the contained MISP object template elements is defined in the requirements field (OPTIONAL).</p>
-<p id="rfc.section.2.p.3">MISP object template elements consist of an object_relation (MUST), a type (MUST), an object_template_id (SHOULD), a ui_priority (SHOULD), a list of categories (MAY), a list of sane_default values (MAY) or a values_list (MAY).</p>
-<h1 id="rfc.section.2.1">
-<a href="#rfc.section.2.1">2.1.</a> <a href="#overview" id="overview">Overview</a>
-</h1>
-<p id="rfc.section.2.1.p.1">The MISP object template format uses the JSON <a href="#RFC8259" class="xref">[RFC8259]</a> format. Each template is represented as a JSON object with meta information including the following fields: uuid, requiredOneOf, description, version, meta-category, name.</p>
-<h1 id="rfc.section.2.1.1">
-<a href="#rfc.section.2.1.1">2.1.1.</a> <a href="#object-template" id="object-template">Object Template</a>
-</h1>
-<h1 id="rfc.section.2.1.1.1">
-<a href="#rfc.section.2.1.1.1">2.1.1.1.</a> <a href="#uuid" id="uuid">uuid</a>
-</h1>
-<p id="rfc.section.2.1.1.1.p.1">uuid represents the Universally Unique IDentifier (UUID) <a href="#RFC4122" class="xref">[RFC4122]</a> of the object template. The uuid MUST be preserved for to keep consistency of the templates across instances. UUID version 4 is RECOMMENDED when assigning it to a new object template.</p>
-<p id="rfc.section.2.1.1.1.p.2">uuid is represented as a JSON string. uuid MUST be present.</p>
-<h1 id="rfc.section.2.1.1.2">
-<a href="#rfc.section.2.1.1.2">2.1.1.2.</a> <a href="#requiredoneof" id="requiredoneof">requiredOneOf</a>
-</h1>
-<p id="rfc.section.2.1.1.2.p.1">requiredOneOf is represented as a JSON list and contains a list of attribute relationships of which one must be present in the object to be created based on the given template. The requiredOneOf field MAY be present.</p>
-<h1 id="rfc.section.2.1.1.3">
-<a href="#rfc.section.2.1.1.3">2.1.1.3.</a> <a href="#required" id="required">required</a>
-</h1>
-<p id="rfc.section.2.1.1.3.p.1">required is represented as a JSON list and contains a list of attribute relationships of which all must be present in the object to be created based on the given template. The required field MAY be present.</p>
-<h1 id="rfc.section.2.1.1.4">
-<a href="#rfc.section.2.1.1.4">2.1.1.4.</a> <a href="#description" id="description">description</a>
-</h1>
-<p id="rfc.section.2.1.1.4.p.1">description is represented as a JSON string and contains the assigned meaning given to objects created using this template. The description field MUST be present.</p>
-<h1 id="rfc.section.2.1.1.5">
-<a href="#rfc.section.2.1.1.5">2.1.1.5.</a> <a href="#version" id="version">version</a>
-</h1>
-<p id="rfc.section.2.1.1.5.p.1">version represents a numeric incrementing version of the object template. It is used to associate the object to the correct version of the template and together with the uuid field forms an association to the correct template type and version.</p>
-<p id="rfc.section.2.1.1.5.p.2">version is represented as a JSON string. version MUST be present.</p>
-<h1 id="rfc.section.2.1.1.6">
-<a href="#rfc.section.2.1.1.6">2.1.1.6.</a> <a href="#meta-category" id="meta-category">meta-category</a>
-</h1>
-<p id="rfc.section.2.1.1.6.p.1">meta-category represents the sub-category of objects that the given object template belongs to. meta-categories are not tied to a fixed list of options but can be created on the fly.</p>
-<p id="rfc.section.2.1.1.6.p.2">meta-category is represented as a JSON string. meta-category MUST be present.</p>
-<h1 id="rfc.section.2.1.1.7">
-<a href="#rfc.section.2.1.1.7">2.1.1.7.</a> <a href="#name" id="name">name</a>
-</h1>
-<p id="rfc.section.2.1.1.7.p.1">name represents the human-readable name of the objects created using the given template, describing the intent of the object package.</p>
-<p id="rfc.section.2.1.1.7.p.2">name is represented as a JSON string. name MUST be present</p>
-<h1 id="rfc.section.2.1.2">
-<a href="#rfc.section.2.1.2">2.1.2.</a> <a href="#attributes" id="attributes">attributes</a>
-</h1>
-<p id="rfc.section.2.1.2.p.1">attributes is represented as a JSON list and contains a list of template elements used as a template for creating the individual attributes within the object that is to be created with the object.</p>
-<p id="rfc.section.2.1.2.p.2">attributes is represented as a JSON list. attributes MUST be present.</p>
-<h1 id="rfc.section.2.1.2.1">
-<a href="#rfc.section.2.1.2.1">2.1.2.1.</a> <a href="#description-1" id="description-1">description</a>
-</h1>
-<p id="rfc.section.2.1.2.1.p.1">description is represented as a JSON string and contains the description of the given attribute in the context of the object with the given relationship. The description field MUST be present.</p>
-<h1 id="rfc.section.2.1.2.2">
-<a href="#rfc.section.2.1.2.2">2.1.2.2.</a> <a href="#ui-priority" id="ui-priority">ui-priority</a>
-</h1>
-<p id="rfc.section.2.1.2.2.p.1">ui-priority is represented by a numeric values in JSON string format and is meant to provide a priority for the given element in the object template visualisation. The ui-priority MAY be present.</p>
-<h1 id="rfc.section.2.1.2.3">
-<a href="#rfc.section.2.1.2.3">2.1.2.3.</a> <a href="#misp-attribute" id="misp-attribute">misp-attribute</a>
-</h1>
-<p id="rfc.section.2.1.2.3.p.1">misp-attribute is represented by a JSON string or a JSON object with a list of values. The value(s) are taken from the pool of types defined by the MISP core format's Attribute Object's type list. type can contain a JSON object with a list of suggested value alternatives encapsulated in a list within a sane_default key or a list of enforced value alternatives encapsulated in a list_values key.</p>
-<p id="rfc.section.2.1.2.3.p.2">The misp-attribute field MUST be present.</p>
-<h1 id="rfc.section.2.1.2.4">
-<a href="#rfc.section.2.1.2.4">2.1.2.4.</a> <a href="#disable-correlation" id="disable-correlation">disable_correlation</a>
-</h1>
-<p id="rfc.section.2.1.2.4.p.1">disable_correlation is represented by a JSON boolean. The disable_correlation field flags the attribute(s) created by the given object template element to be marked as non correlating.</p>
-<p id="rfc.section.2.1.2.4.p.2">The misp-attribute field MAY be present.</p>
-<h1 id="rfc.section.2.1.2.5">
-<a href="#rfc.section.2.1.2.5">2.1.2.5.</a> <a href="#categories" id="categories">categories</a>
-</h1>
-<p id="rfc.section.2.1.2.5.p.1">categories is represented by a JSON list containing one or several valid options from the list of verbs valid for the category field in the Attribute object within the MISP core format.</p>
-<p id="rfc.section.2.1.2.5.p.2">The categories field MAY be present.</p>
-<h1 id="rfc.section.2.1.2.6">
-<a href="#rfc.section.2.1.2.6">2.1.2.6.</a> <a href="#multiple" id="multiple">multiple</a>
-</h1>
-<p id="rfc.section.2.1.2.6.p.1">multiple is represented by a JSON boolean value. It marks the MISP object template element as a multiple input field, allowing for several attributes to be created by the element within the same object.</p>
-<p id="rfc.section.2.1.2.6.p.2">The multiple field MAY be present.</p>
-<h1 id="rfc.section.2.1.2.7">
-<a href="#rfc.section.2.1.2.7">2.1.2.7.</a> <a href="#sane-default" id="sane-default">sane_default</a>
-</h1>
-<p id="rfc.section.2.1.2.7.p.1">sane_default is represented by a JSON list containing one or several recommended/sane values for an attribute. sane_default is mutually exclusive with values_list.</p>
-<p id="rfc.section.2.1.2.7.p.2">The sane_default field MAY be present.</p>
-<h1 id="rfc.section.2.1.2.8">
-<a href="#rfc.section.2.1.2.8">2.1.2.8.</a> <a href="#values-list" id="values-list">values_list</a>
-</h1>
-<p id="rfc.section.2.1.2.8.p.1">values_list is represented by a JSON List containing one or several of fixed values for an attribute. values_list is mutually exclusive with sane_default.</p>
-<p id="rfc.section.2.1.2.8.p.2">The value_list field MAY be present.</p>
-<h1 id="rfc.section.2.1.3">
-<a href="#rfc.section.2.1.3">2.1.3.</a> <a href="#sample-object-template-object" id="sample-object-template-object">Sample Object Template object</a>
-</h1>
-<p id="rfc.section.2.1.3.p.1">The MISP object template directory is publicly available <a href="#MISP-O" class="xref">[MISP-O]</a> in a git repository and contains more than 60 object templates. As illustration, two sample objects templates are included.</p>
-<h1 id="rfc.section.2.1.3.1">
-<a href="#rfc.section.2.1.3.1">2.1.3.1.</a> <a href="#credit-card-object-template" id="credit-card-object-template">credit-card object template</a>
-</h1>
+        </ul>
+</nav>
+</section>
+</div>
+<div id="introduction">
+<section id="section-1">
+      <h2 id="name-introduction">
+<a href="#section-1" class="section-number selfRef">1. </a><a href="#name-introduction" class="section-name selfRef">Introduction</a>
+      </h2>
+<p id="section-1-1">Due to the increased maturity of threat information sharing, the need arose for more complex and exhaustive data-points to be shared across the various sharing communities. MISP's information sharing in general relied on a flat structure of attributes contained within an event, where attributes served as atomic secluded data-points with some commonalities as defined by the encapsulating event. However, this flat structure restricted the use of more diverse and complex data-points described by a list of atomic values, a problem solved by the MISP object structure.<a href="#section-1-1" class="pilcrow">¶</a></p>
+<p id="section-1-2">MISP objects combine a list of attributes to represent a singular object with various facets. In order to bootstrap the object creation process and to maintain uniformity among objects describing similar data-points, the MISP object template format serves as a reusable and share-able blueprint format.<a href="#section-1-2" class="pilcrow">¶</a></p>
+<p id="section-1-3">MISP object templates also include a vocabulary to describe the various inter object and object to attribute relationships and are leveraged by MISP object references.<a href="#section-1-3" class="pilcrow">¶</a></p>
+<div id="conventions-and-terminology">
+<section id="section-1.1">
+        <h3 id="name-conventions-and-terminology">
+<a href="#section-1.1" class="section-number selfRef">1.1. </a><a href="#name-conventions-and-terminology" class="section-name selfRef">Conventions and Terminology</a>
+        </h3>
+<p id="section-1.1-1">The key words "<span class="bcp14">MUST</span>", "<span class="bcp14">MUST NOT</span>", "<span class="bcp14">REQUIRED</span>", "<span class="bcp14">SHALL</span>", "<span class="bcp14">SHALL NOT</span>",
+"<span class="bcp14">SHOULD</span>", "<span class="bcp14">SHOULD NOT</span>", "<span class="bcp14">RECOMMENDED</span>", "<span class="bcp14">MAY</span>", and "<span class="bcp14">OPTIONAL</span>" in this
+document are to be interpreted as described in RFC 2119 <span>[<a href="#RFC2119" class="xref">RFC2119</a>]</span>.<a href="#section-1.1-1" class="pilcrow">¶</a></p>
+</section>
+</div>
+</section>
+</div>
+<div id="format">
+<section id="section-2">
+      <h2 id="name-format">
+<a href="#section-2" class="section-number selfRef">2. </a><a href="#name-format" class="section-name selfRef">Format</a>
+      </h2>
+<p id="section-2-1">MISP object templates are composed of the MISP object template (<span class="bcp14">MUST</span>) structure itself and a list of MISP object template elements (<span class="bcp14">SHOULD</span>) describing the list of possible attributes belonging to the resulting object, along with their context and settings.<a href="#section-2-1" class="pilcrow">¶</a></p>
+<p id="section-2-2">MISP object templates themselves consist of a name (<span class="bcp14">MUST</span>), a meta-category (<span class="bcp14">MUST</span>) and a description (<span class="bcp14">SHOULD</span>). They are identified by a uuid (<span class="bcp14">MUST</span>) and a version (<span class="bcp14">MUST</span>). For any updates or transfer of the same object reference. UUID version 4 is <span class="bcp14">RECOMMENDED</span> when assigning it to a new object reference. The list of requirements when it comes to the contained MISP object template elements is defined in the requirements field (<span class="bcp14">OPTIONAL</span>).<a href="#section-2-2" class="pilcrow">¶</a></p>
+<p id="section-2-3">MISP object template elements consist of an object_relation (<span class="bcp14">MUST</span>), a type (<span class="bcp14">MUST</span>), an object_template_id (<span class="bcp14">SHOULD</span>), a ui_priority (<span class="bcp14">SHOULD</span>), a list of categories (<span class="bcp14">MAY</span>), a list of sane_default values (<span class="bcp14">MAY</span>) or a values_list (<span class="bcp14">MAY</span>).<a href="#section-2-3" class="pilcrow">¶</a></p>
+<div id="overview">
+<section id="section-2.1">
+        <h3 id="name-overview">
+<a href="#section-2.1" class="section-number selfRef">2.1. </a><a href="#name-overview" class="section-name selfRef">Overview</a>
+        </h3>
+<p id="section-2.1-1">The MISP object template format uses the JSON <span>[<a href="#RFC8259" class="xref">RFC8259</a>]</span> format. Each template is represented as a JSON object with meta information including the following fields: uuid, requiredOneOf, description, version, meta-category, name.<a href="#section-2.1-1" class="pilcrow">¶</a></p>
+<div id="object-template">
+<section id="section-2.1.1">
+          <h4 id="name-object-template">
+<a href="#section-2.1.1" class="section-number selfRef">2.1.1. </a><a href="#name-object-template" class="section-name selfRef">Object Template</a>
+          </h4>
+<div id="uuid">
+<section id="section-2.1.1.1">
+            <h5 id="name-uuid">
+<a href="#section-2.1.1.1" class="section-number selfRef">2.1.1.1. </a><a href="#name-uuid" class="section-name selfRef">uuid</a>
+            </h5>
+<p id="section-2.1.1.1-1">uuid represents the Universally Unique IDentifier (UUID) <span>[<a href="#RFC4122" class="xref">RFC4122</a>]</span> of the object template. The uuid <span class="bcp14">MUST</span> be preserved for to keep consistency of the templates across instances. UUID version 4 is <span class="bcp14">RECOMMENDED</span> when assigning it to a new object template.<a href="#section-2.1.1.1-1" class="pilcrow">¶</a></p>
+<p id="section-2.1.1.1-2">uuid is represented as a JSON string. uuid <span class="bcp14">MUST</span> be present.<a href="#section-2.1.1.1-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="requiredoneof">
+<section id="section-2.1.1.2">
+            <h5 id="name-requiredoneof">
+<a href="#section-2.1.1.2" class="section-number selfRef">2.1.1.2. </a><a href="#name-requiredoneof" class="section-name selfRef">requiredOneOf</a>
+            </h5>
+<p id="section-2.1.1.2-1">requiredOneOf is represented as a JSON list and contains a list of attribute relationships of which one must be present in the object to be created based on the given template. The requiredOneOf field <span class="bcp14">MAY</span> be present.<a href="#section-2.1.1.2-1" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="required">
+<section id="section-2.1.1.3">
+            <h5 id="name-required">
+<a href="#section-2.1.1.3" class="section-number selfRef">2.1.1.3. </a><a href="#name-required" class="section-name selfRef">required</a>
+            </h5>
+<p id="section-2.1.1.3-1">required is represented as a JSON list and contains a list of attribute relationships of which all must be present in the object to be created based on the given template. The required field <span class="bcp14">MAY</span> be present.<a href="#section-2.1.1.3-1" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="description">
+<section id="section-2.1.1.4">
+            <h5 id="name-description">
+<a href="#section-2.1.1.4" class="section-number selfRef">2.1.1.4. </a><a href="#name-description" class="section-name selfRef">description</a>
+            </h5>
+<p id="section-2.1.1.4-1">description is represented as a JSON string and contains the assigned meaning given to objects created using this template. The description field <span class="bcp14">MUST</span> be present.<a href="#section-2.1.1.4-1" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="version">
+<section id="section-2.1.1.5">
+            <h5 id="name-version">
+<a href="#section-2.1.1.5" class="section-number selfRef">2.1.1.5. </a><a href="#name-version" class="section-name selfRef">version</a>
+            </h5>
+<p id="section-2.1.1.5-1">version represents a numeric incrementing version of the object template. It is used to associate the object to the correct version of the template and together with the uuid field forms an association to the correct template type and version.<a href="#section-2.1.1.5-1" class="pilcrow">¶</a></p>
+<p id="section-2.1.1.5-2">version is represented as a JSON string. version <span class="bcp14">MUST</span> be present.<a href="#section-2.1.1.5-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="meta-category">
+<section id="section-2.1.1.6">
+            <h5 id="name-meta-category">
+<a href="#section-2.1.1.6" class="section-number selfRef">2.1.1.6. </a><a href="#name-meta-category" class="section-name selfRef">meta-category</a>
+            </h5>
+<p id="section-2.1.1.6-1">meta-category represents the sub-category of objects that the given object template belongs to. meta-categories are not tied to a fixed list of options but can be created on the fly.<a href="#section-2.1.1.6-1" class="pilcrow">¶</a></p>
+<p id="section-2.1.1.6-2">meta-category is represented as a JSON string. meta-category <span class="bcp14">MUST</span> be present.<a href="#section-2.1.1.6-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="name">
+<section id="section-2.1.1.7">
+            <h5 id="name-name">
+<a href="#section-2.1.1.7" class="section-number selfRef">2.1.1.7. </a><a href="#name-name" class="section-name selfRef">name</a>
+            </h5>
+<p id="section-2.1.1.7-1">name represents the human-readable name of the objects created using the given template, describing the intent of the object package.<a href="#section-2.1.1.7-1" class="pilcrow">¶</a></p>
+<p id="section-2.1.1.7-2">name is represented as a JSON string. name <span class="bcp14">MUST</span> be present<a href="#section-2.1.1.7-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+</section>
+</div>
+<div id="attributes">
+<section id="section-2.1.2">
+          <h4 id="name-attributes">
+<a href="#section-2.1.2" class="section-number selfRef">2.1.2. </a><a href="#name-attributes" class="section-name selfRef">attributes</a>
+          </h4>
+<p id="section-2.1.2-1">attributes is represented as a JSON list and contains a list of template elements used as a template for creating the individual attributes within the object that is to be created with the object.<a href="#section-2.1.2-1" class="pilcrow">¶</a></p>
+<p id="section-2.1.2-2">attributes is represented as a JSON list. attributes <span class="bcp14">MUST</span> be present.<a href="#section-2.1.2-2" class="pilcrow">¶</a></p>
+<div id="description-1">
+<section id="section-2.1.2.1">
+            <h5 id="name-description-2">
+<a href="#section-2.1.2.1" class="section-number selfRef">2.1.2.1. </a><a href="#name-description-2" class="section-name selfRef">description</a>
+            </h5>
+<p id="section-2.1.2.1-1">description is represented as a JSON string and contains the description of the given attribute in the context of the object with the given relationship. The description field <span class="bcp14">MUST</span> be present.<a href="#section-2.1.2.1-1" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="ui-priority">
+<section id="section-2.1.2.2">
+            <h5 id="name-ui-priority">
+<a href="#section-2.1.2.2" class="section-number selfRef">2.1.2.2. </a><a href="#name-ui-priority" class="section-name selfRef">ui-priority</a>
+            </h5>
+<p id="section-2.1.2.2-1">ui-priority is represented by a numeric values in JSON string format and is meant to provide a priority for the given element in the object template visualisation. The ui-priority <span class="bcp14">MAY</span> be present.<a href="#section-2.1.2.2-1" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="misp-attribute">
+<section id="section-2.1.2.3">
+            <h5 id="name-misp-attribute">
+<a href="#section-2.1.2.3" class="section-number selfRef">2.1.2.3. </a><a href="#name-misp-attribute" class="section-name selfRef">misp-attribute</a>
+            </h5>
+<p id="section-2.1.2.3-1">misp-attribute is represented by a JSON string or a JSON object with a list of values. The value(s) are taken from the pool of types defined by the MISP core format's Attribute Object's type list. type can contain a JSON object with a list of suggested value alternatives encapsulated in a list within a sane_default key or a list of enforced value alternatives encapsulated in a list_values key.<a href="#section-2.1.2.3-1" class="pilcrow">¶</a></p>
+<p id="section-2.1.2.3-2">The misp-attribute field <span class="bcp14">MUST</span> be present.<a href="#section-2.1.2.3-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="disable-correlation">
+<section id="section-2.1.2.4">
+            <h5 id="name-disable_correlation">
+<a href="#section-2.1.2.4" class="section-number selfRef">2.1.2.4. </a><a href="#name-disable_correlation" class="section-name selfRef">disable_correlation</a>
+            </h5>
+<p id="section-2.1.2.4-1">disable_correlation is represented by a JSON boolean. The disable_correlation field flags the attribute(s) created by the given object template element to be marked as non correlating.<a href="#section-2.1.2.4-1" class="pilcrow">¶</a></p>
+<p id="section-2.1.2.4-2">The misp-attribute field <span class="bcp14">MAY</span> be present.<a href="#section-2.1.2.4-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="categories">
+<section id="section-2.1.2.5">
+            <h5 id="name-categories">
+<a href="#section-2.1.2.5" class="section-number selfRef">2.1.2.5. </a><a href="#name-categories" class="section-name selfRef">categories</a>
+            </h5>
+<p id="section-2.1.2.5-1">categories is represented by a JSON list containing one or several valid options from the list of verbs valid for the category field in the Attribute object within the MISP core format.<a href="#section-2.1.2.5-1" class="pilcrow">¶</a></p>
+<p id="section-2.1.2.5-2">The categories field <span class="bcp14">MAY</span> be present.<a href="#section-2.1.2.5-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="multiple">
+<section id="section-2.1.2.6">
+            <h5 id="name-multiple">
+<a href="#section-2.1.2.6" class="section-number selfRef">2.1.2.6. </a><a href="#name-multiple" class="section-name selfRef">multiple</a>
+            </h5>
+<p id="section-2.1.2.6-1">multiple is represented by a JSON boolean value. It marks the MISP object template element as a multiple input field, allowing for several attributes to be created by the element within the same object.<a href="#section-2.1.2.6-1" class="pilcrow">¶</a></p>
+<p id="section-2.1.2.6-2">The multiple field <span class="bcp14">MAY</span> be present.<a href="#section-2.1.2.6-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="sane-default">
+<section id="section-2.1.2.7">
+            <h5 id="name-sane_default">
+<a href="#section-2.1.2.7" class="section-number selfRef">2.1.2.7. </a><a href="#name-sane_default" class="section-name selfRef">sane_default</a>
+            </h5>
+<p id="section-2.1.2.7-1">sane_default is represented by a JSON list containing one or several recommended/sane values for an attribute. sane_default is mutually exclusive with values_list.<a href="#section-2.1.2.7-1" class="pilcrow">¶</a></p>
+<p id="section-2.1.2.7-2">The sane_default field <span class="bcp14">MAY</span> be present.<a href="#section-2.1.2.7-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="values-list">
+<section id="section-2.1.2.8">
+            <h5 id="name-values_list">
+<a href="#section-2.1.2.8" class="section-number selfRef">2.1.2.8. </a><a href="#name-values_list" class="section-name selfRef">values_list</a>
+            </h5>
+<p id="section-2.1.2.8-1">values_list is represented by a JSON List containing one or several of fixed values for an attribute. values_list is mutually exclusive with sane_default.<a href="#section-2.1.2.8-1" class="pilcrow">¶</a></p>
+<p id="section-2.1.2.8-2">The value_list field <span class="bcp14">MAY</span> be present.<a href="#section-2.1.2.8-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+</section>
+</div>
+<div id="sample-object-template-object">
+<section id="section-2.1.3">
+          <h4 id="name-sample-object-template-obje">
+<a href="#section-2.1.3" class="section-number selfRef">2.1.3. </a><a href="#name-sample-object-template-obje" class="section-name selfRef">Sample Object Template object</a>
+          </h4>
+<p id="section-2.1.3-1">The MISP object template directory is publicly available <span>[<a href="#MISP-O" class="xref">MISP-O</a>]</span> in a git repository and contains more than 60 object templates. As illustration, two sample objects templates are included.<a href="#section-2.1.3-1" class="pilcrow">¶</a></p>
+<div id="credit-card-object-template">
+<section id="section-2.1.3.1">
+            <h5 id="name-credit-card-object-template">
+<a href="#section-2.1.3.1" class="section-number selfRef">2.1.3.1. </a><a href="#name-credit-card-object-template" class="section-name selfRef">credit-card object template</a>
+            </h5>
+<div class="artwork art-text alignLeft" id="section-2.1.3.1-1">
 <pre>{
   "requiredOneOf": [
     "cc-number"
@@ -633,10 +1560,16 @@
   "uuid": "2b9c57aa-daba-4330-a738-56f18743b0c7",
   "name": "credit-card"
 }
-</pre>
-<h1 id="rfc.section.2.1.3.2">
-<a href="#rfc.section.2.1.3.2">2.1.3.2.</a> <a href="#credential-object-template" id="credential-object-template">credential object template</a>
-</h1>
+</pre><a href="#section-2.1.3.1-1" class="pilcrow">¶</a>
+</div>
+</section>
+</div>
+<div id="credential-object-template">
+<section id="section-2.1.3.2">
+            <h5 id="name-credential-object-template">
+<a href="#section-2.1.3.2" class="section-number selfRef">2.1.3.2. </a><a href="#name-credential-object-template" class="section-name selfRef">credential object template</a>
+            </h5>
+<div class="artwork art-text alignLeft" id="section-2.1.3.2-1">
 <pre>{
   "requiredOneOf": [
     "password"
@@ -712,253 +1645,918 @@
   "uuid": "a27e98c9-9b0e-414c-8076-d201e039ca09",
   "name": "credential"
 }
-</pre>
-<h1 id="rfc.section.2.1.4">
-<a href="#rfc.section.2.1.4">2.1.4.</a> <a href="#object-relationships" id="object-relationships">Object Relationships</a>
-</h1>
-<h1 id="rfc.section.2.1.4.1">
-<a href="#rfc.section.2.1.4.1">2.1.4.1.</a> <a href="#name-1" id="name-1">name</a>
-</h1>
-<p id="rfc.section.2.1.4.1.p.1">name represents the human-readable relationship type which can be used when creating MISP object relations.</p>
-<p id="rfc.section.2.1.4.1.p.2">name is represented as a JSON string. name MUST be present.</p>
-<h1 id="rfc.section.2.1.4.2">
-<a href="#rfc.section.2.1.4.2">2.1.4.2.</a> <a href="#description-2" id="description-2">description</a>
-</h1>
-<p id="rfc.section.2.1.4.2.p.1">description is represented as a JSON string and contains the description of the object relationship type. The description field MUST be present.</p>
-<h1 id="rfc.section.2.1.4.3">
-<a href="#rfc.section.2.1.4.3">2.1.4.3.</a> <a href="#format-1" id="format-1">format</a>
-</h1>
-<p id="rfc.section.2.1.4.3.p.1">format is represented by a JSON list containing a list of formats that the relationship type is valid for and can be mapped to. The format field MUST be present.</p>
-<h1 id="rfc.section.3">
-<a href="#rfc.section.3">3.</a> <a href="#directory" id="directory">Directory</a>
-</h1>
-<p id="rfc.section.3.p.1">The MISP object template directory is publicly available <a href="#MISP-O" class="xref">[MISP-O]</a> in a git repository. The repository contains an objects directory, which contains a directory per object type, containing a file named definition.json which contains the definition of the object template in the above described format.</p>
-<p id="rfc.section.3.p.2">A relationships directory is also included, containing a definition.json file which contains a list of MISP object relation definitions. There are more than 125 existing templates object documented in <a href="#MISP-O-DOC" class="xref">[MISP-O-DOC]</a>.</p>
-<h1 id="rfc.section.3.1">
-<a href="#rfc.section.3.1">3.1.</a> <a href="#existing-and-public-misp-object-templates" id="existing-and-public-misp-object-templates">Existing and public MISP object templates</a>
-</h1>
-<p></p>
-
-<ul>
-<li>tsk-chats - An Object Template to gather information from evidential or interesting exchange of messages identified during a digital forensic investigation.</li>
-<li>tsk-web-bookmark - An Object Template to add evidential bookmarks identified during a digital forensic investigation.</li>
-<li>tsk-web-cookie - An TSK-Autopsy Object Template to represent cookies identified during a forensic investigation.</li>
-<li>tsk-web-downloads - An Object Template to add web-downloads.</li>
-<li>tsk-web-history - An Object Template to share web history information.</li>
-<li>tsk-web-search-query - An Object Template to share web search query information.</li>
-<li>ail-leak - An information leak as defined by the AIL Analysis Information Leak framework.</li>
-<li>ais-info - Automated Indicator Sharing (AIS) Information Source Markings.</li>
-<li>android-permission - A set of android permissions - one or more permission(s) which can be linked to other objects (e.g. malware, app).</li>
-<li>annotation - An annotation object allowing analysts to add annotations, comments, executive summary to a MISP event, objects or attributes.</li>
-<li>anonymisation - Anonymisation object describing an anonymisation technique used to encode MISP attribute values. Reference: <a href="https://www.caida.org/tools/taxonomy/anonymization.xml">https://www.caida.org/tools/taxonomy/anonymization.xml</a>.</li>
-<li>asn - Autonomous system object describing an autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.</li>
-<li>authenticode-signerinfo - Authenticode Signer Info.</li>
-<li>av-signature - Antivirus detection signature.</li>
-<li>bank-account - An object describing bank account information based on account description from goAML 4.0.</li>
-<li>bgp-hijack - Object encapsulating BGP Hijack description as specified, for example, by bgpstream.com.</li>
-<li>cap-alert - Common Alerting Protocol Version (CAP) alert object.</li>
-<li>cap-info - Common Alerting Protocol Version (CAP) info object.</li>
-<li>cap-resource - Common Alerting Protocol Version (CAP) resource object.</li>
-<li>coin-address - An address used in a cryptocurrency.</li>
-<li>cookie - An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with the next request to the same server. Typically, it's used to tell if two requests came from the same browser &#8212; keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol. (as defined by the Mozilla foundation.</li>
-<li>cortex - Cortex object describing a complete cortex analysis. Observables would be attribute with a relationship from this object.</li>
-<li>cortex-taxonomy - Cortex object describing an Cortex Taxonomy (or mini report).</li>
-<li>course-of-action - An object describing a specific measure taken to prevent or respond to an attack.</li>
-<li>cowrie - Cowrie honeypot object template.</li>
-<li>credential - Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s).</li>
-<li>credit-card - A payment card like credit card, debit card or any similar cards which can be used for financial transactions.</li>
-<li>ddos - DDoS object describes a current DDoS activity from a specific or/and to a specific target. Type of DDoS can be attached to the object as a taxonomy.</li>
-<li>device - An object to define a device.</li>
-<li>diameter-attack - Attack as seen on diameter authentication against a GSM, UMTS or LTE network.</li>
-<li>domain-ip - A domain and IP address seen as a tuple in a specific time frame.</li>
-<li>elf - Object describing a Executable and Linkable Format.</li>
-<li>elf-section - Object describing a section of an Executable and Linkable Format.</li>
-<li>email - Email object describing an email with meta-information.</li>
-<li>exploit-poc - Exploit-poc object describing a proof of concept or exploit of a vulnerability. This object has often a relationship with a vulnerability object.</li>
-<li>facial-composite - An object which describes a facial composite.</li>
-<li>fail2ban - Fail2ban event.</li>
-<li>file - File object describing a file with meta-information.</li>
-<li>forensic-case - An object template to describe a digital forensic case.</li>
-<li>forensic-evidence - An object template to describe a digital forensic evidence.</li>
-<li>geolocation - An object to describe a geographic location.</li>
-<li>gtp-attack - GTP attack object as seen on a GSM, UMTS or LTE network.</li>
-<li>http-request - A single HTTP request header.</li>
-<li>ilr-impact - Institut Luxembourgeois de Regulation - Impact.</li>
-<li>ilr-notification-incident - Institut Luxembourgeois de Regulation - Notification d'incident.</li>
-<li>internal-reference - Internal reference.</li>
-<li>interpol-notice - An object which describes a Interpol notice.</li>
-<li>ip-api-address - IP Address information. Useful if you are pulling your ip information from ip-api.com.</li>
-<li>ip-port - An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.</li>
-<li>irc - An IRC object to describe an IRC server and the associated channels.</li>
-<li>ja3 - JA3 is a new technique for creating SSL client fingerprints that are easy to produce and can be easily shared for threat intelligence. Fingerprints are composed of Client Hello packet; SSL Version, Accepted Ciphers, List of Extensions, Elliptic Curves, and Elliptic Curve Formats. <a href="https://github.com/salesforce/ja3">https://github.com/salesforce/ja3</a>.</li>
-<li>legal-entity - An object to describe a legal entity.</li>
-<li>lnk - LNK object describing a Windows LNK binary file (aka Windows shortcut).</li>
-<li>macho - Object describing a file in Mach-O format.</li>
-<li>macho-section - Object describing a section of a file in Mach-O format.</li>
-<li>mactime-timeline-analysis - Mactime template, used in forensic investigations to describe the timeline of a file activity.</li>
-<li>malware-config - Malware configuration recovered or extracted from a malicious binary.</li>
-<li>microblog - Microblog post like a Twitter tweet or a post on a Facebook wall.</li>
-<li>mutex - Object to describe mutual exclusion locks (mutex) as seen in memory or computer program.</li>
-<li>netflow - Netflow object describes an network object based on the Netflowv5/v9 minimal definition.</li>
-<li>network-connection - A local or remote network connection.</li>
-<li>network-socket - Network socket object describes a local or remote network connections based on the socket data structure.</li>
-<li>misc - An object which describes an organization.</li>
-<li>original-imported-file - Object describing the original file used to import data in MISP.</li>
-<li>passive-dns - Passive DNS records as expressed in draft-dulaunoy-dnsop-passive-dns-cof-01.</li>
-<li>paste - Paste or similar post from a website allowing to share privately or publicly posts.</li>
-<li>pcap-metadata - Network packet capture metadata.</li>
-<li>pe - Object describing a Portable Executable.</li>
-<li>pe-section - Object describing a section of a Portable Executable.</li>
-<li>person - An object which describes a person or an identity.</li>
-<li>phishing - Phishing template to describe a phishing website and its analysis.</li>
-<li>phishing-kit - Object to describe a phishing-kit.</li>
-<li>phone - A phone or mobile phone object which describe a phone.</li>
-<li>process - Object describing a system process.</li>
-<li>python-etvx-event-log - Event log object template to share information of the activities conducted on a system. .</li>
-<li>r2graphity - Indicators extracted from files using radare2 and graphml.</li>
-<li>regexp - An object describing a regular expression (regex or regexp). The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a regular expression.</li>
-<li>registry-key - Registry key object describing a Windows registry key with value and last-modified timestamp.</li>
-<li>regripper-NTUser - Regripper Object template designed to present user specific configuration details extracted from the NTUSER.dat hive.</li>
-<li>regripper-sam-hive-single-user - Regripper Object template designed to present user profile details extracted from the SAM hive.</li>
-<li>regripper-sam-hive-user-group - Regripper Object template designed to present group profile details extracted from the SAM hive.</li>
-<li>regripper-software-hive-BHO - Regripper Object template designed to gather information of the browser helper objects installed on the system.</li>
-<li>regripper-software-hive-appInit-DLLS - Regripper Object template designed to gather information of the DLL files installed on the system.</li>
-<li>regripper-software-hive-application-paths - Regripper Object template designed to gather information of the application paths.</li>
-<li>regripper-software-hive-applications-installed - Regripper Object template designed to gather information of the applications installed on the system.</li>
-<li>regripper-software-hive-command-shell - Regripper Object template designed to gather information of the shell commands executed on the system.</li>
-<li>regripper-software-hive-windows-general-info - Regripper Object template designed to gather general windows information extracted from the software-hive.</li>
-<li>regripper-software-hive-software-run - Regripper Object template designed to gather information of the applications set to run on the system.</li>
-<li>regripper-software-hive-userprofile-winlogon - Regripper Object template designed to gather user profile information when the user logs onto the system, gathered from the software hive.</li>
-<li>regripper-system-hive-firewall-configuration - Regripper Object template designed to present firewall configuration information extracted from the system-hive.</li>
-<li>regripper-system-hive-general-configuration - Regripper Object template designed to present general system properties extracted from the system-hive.</li>
-<li>regripper-system-hive-network-information. - Regripper object template designed to gather network information from the system-hive.</li>
-<li>regripper-system-hive-services-drivers - Regripper Object template designed to gather information regarding the services/drivers from the system-hive.</li>
-<li>report - Metadata used to generate an executive level report.</li>
-<li>research-scanner - Information related to known scanning activity (e.g. from research projects).</li>
-<li>rogue-dns - Rogue DNS as defined by CERT.br.</li>
-<li>rtir - RTIR - Request Tracker for Incident Response.</li>
-<li>sandbox-report - Sandbox report.</li>
-<li>sb-signature - Sandbox detection signature.</li>
-<li>script - Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts.</li>
-<li>shell-commands - Object describing a series of shell commands executed. This object can be linked with malicious files in order to describe a specific execution of shell commands.</li>
-<li>short-message-service - Short Message Service (SMS) object template describing one or more SMS message. Restriction of the initial format 3GPP 23.038 GSM character set doesn't apply.</li>
-<li>shortened-link - Shortened link and its redirect target.</li>
-<li>splunk - Splunk / Splunk ES object.</li>
-<li>ss7-attack - SS7 object of an attack seen on a GSM, UMTS or LTE network via SS7 logging.</li>
-<li>ssh-authorized-keys - An object to store ssh authorized keys file.</li>
-<li>stix2-pattern - An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern.</li>
-<li>suricata - An object describing one or more Suricata rule(s) along with version and contextual information.</li>
-<li>target-system - Description about an targeted system, this could potentially be a compromissed internal system.</li>
-<li>threatgrid-report - ThreatGrid report.</li>
-<li>timecode - Timecode object to describe a start of video sequence (e.g. CCTV evidence) and the end of the video sequence.</li>
-<li>timesketch-timeline - A timesketch timeline object based on mandatory field in timesketch to describe a log entry.</li>
-<li>timesketch_message - A timesketch message entry.</li>
-<li>timestamp - A generic timestamp object to represent time including first time and last time seen. Relationship will then define the kind of time relationship.</li>
-<li>tor-hiddenservice - Tor hidden service (onion service) object.</li>
-<li>tor-node - Tor node (which protects your privacy on the internet by hiding the connection between users Internet address and the services used by the users) description which are part of the Tor network at a time.</li>
-<li>tracking-id - Analytics and tracking ID such as used in Google Analytics or other analytic platform.</li>
-<li>transaction - An object to describe a financial transaction.</li>
-<li>url - url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.</li>
-<li>vehicle - Vehicle object template to describe a vehicle information and registration.</li>
-<li>victim - Victim object describes the target of an attack or abuse.</li>
-<li>virustotal-report - VirusTotal report.</li>
-<li>vulnerability - Vulnerability object describing a common vulnerability enumeration which can describe published, unpublished, under review or embargo vulnerability for software, equipments or hardware.</li>
-<li>whois - Whois records information for a domain name or an IP address.</li>
-<li>x509 - x509 object describing a X.509 certificate.</li>
-<li>yabin - yabin.py generates Yara rules from function prologs, for matching and hunting binaries. ref: <a href="https://github.com/AlienVault-OTX/yabin">https://github.com/AlienVault-OTX/yabin</a>.</li>
-<li>yara - An object describing a YARA rule along with its version.</li>
-</ul>
-
-<p> </p>
-<h1 id="rfc.section.4">
-<a href="#rfc.section.4">4.</a> <a href="#acknowledgements" id="acknowledgements">Acknowledgements</a>
-</h1>
-<p id="rfc.section.4.p.1">The authors wish to thank all the MISP community who are supporting the creation of open standards in threat intelligence sharing.</p>
-<h1 id="rfc.references">
-<a href="#rfc.references">5.</a> References</h1>
-<h1 id="rfc.references.1">
-<a href="#rfc.references.1">5.1.</a> Normative References</h1>
-<table><tbody>
-<tr>
-<td class="reference"><b id="RFC2119">[RFC2119]</b></td>
-<td class="top">
-<a>Bradner, S.</a>, "<a href="https://tools.ietf.org/html/rfc2119">Key words for use in RFCs to Indicate Requirement Levels</a>", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.</td>
-</tr>
-<tr>
-<td class="reference"><b id="RFC4122">[RFC4122]</b></td>
-<td class="top">
-<a>Leach, P.</a>, <a>Mealling, M.</a> and <a>R. Salz</a>, "<a href="https://tools.ietf.org/html/rfc4122">A Universally Unique IDentifier (UUID) URN Namespace</a>", RFC 4122, DOI 10.17487/RFC4122, July 2005.</td>
-</tr>
-<tr>
-<td class="reference"><b id="RFC8259">[RFC8259]</b></td>
-<td class="top">
-<a>Bray, T.</a>, "<a href="https://tools.ietf.org/html/rfc8259">The JavaScript Object Notation (JSON) Data Interchange Format</a>", STD 90, RFC 8259, DOI 10.17487/RFC8259, December 2017.</td>
-</tr>
-</tbody></table>
-<h1 id="rfc.references.2">
-<a href="#rfc.references.2">5.2.</a> Informative References</h1>
-<table><tbody>
-<tr>
-<td class="reference"><b id="MISP-O">[MISP-O]</b></td>
-<td class="top">
-<a>Community, M.</a>, "<a href="https://github.com/MISP/misp-objects">MISP Objects - shared and common object templates</a>"</td>
-</tr>
-<tr>
-<td class="reference"><b id="MISP-O-DOC">[MISP-O-DOC]</b></td>
-<td class="top">
-<a>community, M.</a>, "<a href="https://www.misp-project.org/objects.html">MISP objects directory</a>", 2018.</td>
-</tr>
-</tbody></table>
-<h1 id="rfc.authors"><a href="#rfc.authors">Authors' Addresses</a></h1>
-<div class="avoidbreak">
-  <address class="vcard">
-	<span class="vcardline">
-	  <span class="fn">Alexandre Dulaunoy</span> 
-	  <span class="n hidden">
-		<span class="family-name">Dulaunoy</span>
-	  </span>
-	</span>
-	<span class="org vcardline">Computer Incident Response Center Luxembourg</span>
-	<span class="adr">
-	  <span class="vcardline">16, bd d'Avranches</span>
-
-	  <span class="vcardline">
-		<span class="locality">Luxembourg</span>,  
-		<span class="region"></span>
-		<span class="code">L-1611</span>
-	  </span>
-	  <span class="country-name vcardline">Luxembourg</span>
-	</span>
-	<span class="vcardline">Phone: +352 247 88444</span>
-
-<span class="vcardline">EMail: <a href="mailto:alexandre.dulaunoy@circl.lu">alexandre.dulaunoy@circl.lu</a></span>
-
-  </address>
-</div><div class="avoidbreak">
-  <address class="vcard">
-	<span class="vcardline">
-	  <span class="fn">Andras Iklody</span> 
-	  <span class="n hidden">
-		<span class="family-name">Iklody</span>
-	  </span>
-	</span>
-	<span class="org vcardline">Computer Incident Response Center Luxembourg</span>
-	<span class="adr">
-	  <span class="vcardline">16, bd d'Avranches</span>
-
-	  <span class="vcardline">
-		<span class="locality">Luxembourg</span>,  
-		<span class="region"></span>
-		<span class="code">L-1611</span>
-	  </span>
-	  <span class="country-name vcardline">Luxembourg</span>
-	</span>
-	<span class="vcardline">Phone: +352 247 88444</span>
-
-<span class="vcardline">EMail: <a href="mailto:andras.iklody@circl.lu">andras.iklody@circl.lu</a></span>
-
-  </address>
+</pre><a href="#section-2.1.3.2-1" class="pilcrow">¶</a>
 </div>
-
+</section>
+</div>
+</section>
+</div>
+<div id="object-relationships">
+<section id="section-2.1.4">
+          <h4 id="name-object-relationships">
+<a href="#section-2.1.4" class="section-number selfRef">2.1.4. </a><a href="#name-object-relationships" class="section-name selfRef">Object Relationships</a>
+          </h4>
+<div id="name-1">
+<section id="section-2.1.4.1">
+            <h5 id="name-name-2">
+<a href="#section-2.1.4.1" class="section-number selfRef">2.1.4.1. </a><a href="#name-name-2" class="section-name selfRef">name</a>
+            </h5>
+<p id="section-2.1.4.1-1">name represents the human-readable relationship type which can be used when creating MISP object relations.<a href="#section-2.1.4.1-1" class="pilcrow">¶</a></p>
+<p id="section-2.1.4.1-2">name is represented as a JSON string. name <span class="bcp14">MUST</span> be present.<a href="#section-2.1.4.1-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="description-2">
+<section id="section-2.1.4.2">
+            <h5 id="name-description-3">
+<a href="#section-2.1.4.2" class="section-number selfRef">2.1.4.2. </a><a href="#name-description-3" class="section-name selfRef">description</a>
+            </h5>
+<p id="section-2.1.4.2-1">description is represented as a JSON string and contains the description of the object relationship type. The description field <span class="bcp14">MUST</span> be present.<a href="#section-2.1.4.2-1" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="format-1">
+<section id="section-2.1.4.3">
+            <h5 id="name-format-2">
+<a href="#section-2.1.4.3" class="section-number selfRef">2.1.4.3. </a><a href="#name-format-2" class="section-name selfRef">format</a>
+            </h5>
+<p id="section-2.1.4.3-1">format is represented by a JSON list containing a list of formats that the relationship type is valid for and can be mapped to. The format field <span class="bcp14">MUST</span> be present.<a href="#section-2.1.4.3-1" class="pilcrow">¶</a></p>
+</section>
+</div>
+</section>
+</div>
+</section>
+</div>
+</section>
+</div>
+<div id="directory">
+<section id="section-3">
+      <h2 id="name-directory">
+<a href="#section-3" class="section-number selfRef">3. </a><a href="#name-directory" class="section-name selfRef">Directory</a>
+      </h2>
+<p id="section-3-1">The MISP object template directory is publicly available <span>[<a href="#MISP-O" class="xref">MISP-O</a>]</span> in a git repository. The repository contains an objects directory, which contains a directory per object type, containing a file named definition.json which contains the definition of the object template in the above described format.<a href="#section-3-1" class="pilcrow">¶</a></p>
+<p id="section-3-2">A relationships directory is also included, containing a definition.json file which contains a list of MISP object relation definitions. There are more than 125 existing templates object documented in <span>[<a href="#MISP-O-DOC" class="xref">MISP-O-DOC</a>]</span>.<a href="#section-3-2" class="pilcrow">¶</a></p>
+<div id="existing-and-public-misp-object-templates">
+<section id="section-3.1">
+        <h3 id="name-existing-and-public-misp-ob">
+<a href="#section-3.1" class="section-number selfRef">3.1. </a><a href="#name-existing-and-public-misp-ob" class="section-name selfRef">Existing and public MISP object templates</a>
+        </h3>
+<ul class="normal">
+<li class="normal" id="section-3.1-1.1">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ail-leak/definition.json">objects/ail-leak</a> - An information leak as defined by the AIL Analysis Information Leak framework.<a href="#section-3.1-1.1" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.2">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ais-info/definition.json">objects/ais-info</a> - Automated Indicator Sharing (AIS) Information Source Markings.<a href="#section-3.1-1.2" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.3">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/android-app/definition.json">objects/android-app</a> - Indicators related to an Android app.<a href="#section-3.1-1.3" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.4">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/android-permission/definition.json">objects/android-permission</a> - A set of android permissions - one or more permission(s) which can be linked to other objects (e.g. malware, app).<a href="#section-3.1-1.4" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.5">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/annotation/definition.json">objects/annotation</a> - An annotation object allowing analysts to add annotations, comments, executive summary to a MISP event, objects or attributes.<a href="#section-3.1-1.5" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.6">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/anonymisation/definition.json">objects/anonymisation</a> - Anonymisation object describing an anonymisation technique used to encode MISP attribute values. Reference: <a href="https://www.caida.org/tools/taxonomy/anonymization.xml">https://www.caida.org/tools/taxonomy/anonymization.xml</a>.<a href="#section-3.1-1.6" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.7">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/asn/definition.json">objects/asn</a> - Autonomous system object describing an autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.<a href="#section-3.1-1.7" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.8">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/attack-pattern/definition.json">objects/attack-pattern</a> - Attack pattern describing a common attack pattern enumeration and classification.<a href="#section-3.1-1.8" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.9">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/authentication-failure-report/definition.json">objects/authentication-failure-report</a> - Authentication Failure Report.<a href="#section-3.1-1.9" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.10">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/authenticode-signerinfo/definition.json">objects/authenticode-signerinfo</a> - Authenticode Signer Info.<a href="#section-3.1-1.10" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.11">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/av-signature/definition.json">objects/av-signature</a> - Antivirus detection signature.<a href="#section-3.1-1.11" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.12">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/bank-account/definition.json">objects/bank-account</a> - An object describing bank account information based on account description from goAML 4.0.<a href="#section-3.1-1.12" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.13">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/bgp-hijack/definition.json">objects/bgp-hijack</a> - Object encapsulating BGP Hijack description as specified, for example, by bgpstream.com.<a href="#section-3.1-1.13" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.14">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/bgp-ranking/definition.json">objects/bgp-ranking</a> - BGP Ranking object describing the ranking of an ASN for a given day, along with its position, 1 being the most malicious ASN of the day, with the highest ranking. This object is meant to have a relationship with the corresponding ASN object and represents its ranking for a specific date.<a href="#section-3.1-1.14" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.15">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/blog/definition.json">objects/blog</a> - Blog post like Medium or WordPress.<a href="#section-3.1-1.15" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.16">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/boleto/definition.json">objects/boleto</a> - A common form of payment used in Brazil.<a href="#section-3.1-1.16" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.17">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/btc-transaction/definition.json">objects/btc-transaction</a> - An object to describe a Bitcoin transaction. Best to be used with bitcoin-wallet.<a href="#section-3.1-1.17" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.18">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/btc-wallet/definition.json">objects/btc-wallet</a> - An object to describe a Bitcoin wallet. Best to be used with bitcoin-transactions.<a href="#section-3.1-1.18" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.19">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/cap-alert/definition.json">objects/cap-alert</a> - Common Alerting Protocol Version (CAP) alert object.<a href="#section-3.1-1.19" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.20">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/cap-info/definition.json">objects/cap-info</a> - Common Alerting Protocol Version (CAP) info object.<a href="#section-3.1-1.20" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.21">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/cap-resource/definition.json">objects/cap-resource</a> - Common Alerting Protocol Version (CAP) resource object.<a href="#section-3.1-1.21" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.22">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/coin-address/definition.json">objects/coin-address</a> - An address used in a cryptocurrency.<a href="#section-3.1-1.22" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.23">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/command/definition.json">objects/command</a> - Command functionalities related to specific commands executed by a program, whether it is malicious or not. Command-line are attached to this object for the related commands.<a href="#section-3.1-1.23" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.24">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/command-line/definition.json">objects/command-line</a> - Command line and options related to a specific command executed by a program, whether it is malicious or not.<a href="#section-3.1-1.24" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.25">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/cookie/definition.json">objects/cookie</a> - An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with the next request to the same server. Typically, it's used to tell if two requests came from the same browser <span class="unicode">— (U+2014)</span> keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol. (as defined by the Mozilla foundation.<a href="#section-3.1-1.25" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.26">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/cortex/definition.json">objects/cortex</a> - Cortex object describing a complete cortex analysis. Observables would be attribute with a relationship from this object.<a href="#section-3.1-1.26" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.27">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/cortex-taxonomy/definition.json">objects/cortex-taxonomy</a> - Cortex object describing an Cortex Taxonomy (or mini report).<a href="#section-3.1-1.27" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.28">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/course-of-action/definition.json">objects/course-of-action</a> - An object describing a specific measure taken to prevent or respond to an attack.<a href="#section-3.1-1.28" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.29">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/covid19-csse-daily-report/definition.json">objects/covid19-csse-daily-report</a> - CSSE COVID-19 Daily report.<a href="#section-3.1-1.29" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.30">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/covid19-dxy-live-city/definition.json">objects/covid19-dxy-live-city</a> - COVID 19 from dxy.cn - Aggregation by city.<a href="#section-3.1-1.30" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.31">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/covid19-dxy-live-province/definition.json">objects/covid19-dxy-live-province</a> - COVID 19 from dxy.cn - Aggregation by province.<a href="#section-3.1-1.31" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.32">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/cowrie/definition.json">objects/cowrie</a> - Cowrie honeypot object template.<a href="#section-3.1-1.32" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.33">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/cpe-asset/definition.json">objects/cpe-asset</a> - An asset which can be defined by a CPE. This can be a generic asset. CPE is a structured naming scheme for information technology systems, software, and packages.<a href="#section-3.1-1.33" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.34">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/credential/definition.json">objects/credential</a> - Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s).<a href="#section-3.1-1.34" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.35">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/credit-card/definition.json">objects/credit-card</a> - A payment card like credit card, debit card or any similar cards which can be used for financial transactions.<a href="#section-3.1-1.35" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.36">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/crypto-material/definition.json">objects/crypto-material</a> - Cryptographic materials such as public or/and private keys.<a href="#section-3.1-1.36" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.37">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/cytomic-orion-file/definition.json">objects/cytomic-orion-file</a> - Cytomic Orion File Detection.<a href="#section-3.1-1.37" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.38">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/cytomic-orion-machine/definition.json">objects/cytomic-orion-machine</a> - Cytomic Orion File at Machine Detection.<a href="#section-3.1-1.38" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.39">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/dark-pattern-item/definition.json">objects/dark-pattern-item</a> - An Item whose User Interface implements a dark pattern.<a href="#section-3.1-1.39" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.40">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ddos/definition.json">objects/ddos</a> - DDoS object describes a current DDoS activity from a specific or/and to a specific target. Type of DDoS can be attached to the object as a taxonomy.<a href="#section-3.1-1.40" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.41">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/device/definition.json">objects/device</a> - An object to define a device.<a href="#section-3.1-1.41" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.42">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/diameter-attack/definition.json">objects/diameter-attack</a> - Attack as seen on diameter authentication against a GSM, UMTS or LTE network.<a href="#section-3.1-1.42" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.43">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/dns-record/definition.json">objects/dns-record</a> - A set of DNS records observed for a specific domain.<a href="#section-3.1-1.43" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.44">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/domain-crawled/definition.json">objects/domain-crawled</a> - A domain crawled over time.<a href="#section-3.1-1.44" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.45">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/domain-ip/definition.json">objects/domain-ip</a> - A domain/hostname and IP address seen as a tuple in a specific time frame.<a href="#section-3.1-1.45" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.46">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/elf/definition.json">objects/elf</a> - Object describing a Executable and Linkable Format.<a href="#section-3.1-1.46" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.47">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/elf-section/definition.json">objects/elf-section</a> - Object describing a section of an Executable and Linkable Format.<a href="#section-3.1-1.47" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.48">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/email/definition.json">objects/email</a> - Email object describing an email with meta-information.<a href="#section-3.1-1.48" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.49">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/employee/definition.json">objects/employee</a> - An employee and related data points.<a href="#section-3.1-1.49" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.50">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/exploit-poc/definition.json">objects/exploit-poc</a> - Exploit-poc object describing a proof of concept or exploit of a vulnerability. This object has often a relationship with a vulnerability object.<a href="#section-3.1-1.50" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.51">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/facebook-account/definition.json">objects/facebook-account</a> - Facebook account.<a href="#section-3.1-1.51" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.52">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/facebook-group/definition.json">objects/facebook-group</a> - Public or private facebook group.<a href="#section-3.1-1.52" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.53">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/facebook-page/definition.json">objects/facebook-page</a> - Facebook page.<a href="#section-3.1-1.53" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.54">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/facebook-post/definition.json">objects/facebook-post</a> - Post on a Facebook wall.<a href="#section-3.1-1.54" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.55">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/facial-composite/definition.json">objects/facial-composite</a> - An object which describes a facial composite.<a href="#section-3.1-1.55" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.56">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/fail2ban/definition.json">objects/fail2ban</a> - Fail2ban event.<a href="#section-3.1-1.56" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.57">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/favicon/definition.json">objects/favicon</a> - A favicon, also known as a shortcut icon, website icon, tab icon, URL icon, or bookmark icon, is a file containing one or more small icons, associated with a particular website or web page. The object template can include the murmur3 hash of the favicon to facilitate correlation.<a href="#section-3.1-1.57" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.58">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/file/definition.json">objects/file</a> - File object describing a file with meta-information.<a href="#section-3.1-1.58" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.59">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/forensic-case/definition.json">objects/forensic-case</a> - An object template to describe a digital forensic case.<a href="#section-3.1-1.59" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.60">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/forensic-evidence/definition.json">objects/forensic-evidence</a> - An object template to describe a digital forensic evidence.<a href="#section-3.1-1.60" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.61">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/forged-document/definition.json">objects/forged-document</a> - Object describing a forged document.<a href="#section-3.1-1.61" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.62">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-Airplane/definition.json">objects/ftm-Airplane</a> - .<a href="#section-3.1-1.62" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.63">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-Assessment/definition.json">objects/ftm-Assessment</a> - .<a href="#section-3.1-1.63" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.64">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-Asset/definition.json">objects/ftm-Asset</a> - .<a href="#section-3.1-1.64" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.65">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-Associate/definition.json">objects/ftm-Associate</a> - Non-family association between two people.<a href="#section-3.1-1.65" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.66">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-Audio/definition.json">objects/ftm-Audio</a> - .<a href="#section-3.1-1.66" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.67">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-BankAccount/definition.json">objects/ftm-BankAccount</a> - .<a href="#section-3.1-1.67" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.68">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-Call/definition.json">objects/ftm-Call</a> - .<a href="#section-3.1-1.68" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.69">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-Company/definition.json">objects/ftm-Company</a> - .<a href="#section-3.1-1.69" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.70">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-Contract/definition.json">objects/ftm-Contract</a> - An contract or contract lot issued by an authority. Multiple lots may be awarded to different suppliers (see ContractAward).
+.<a href="#section-3.1-1.70" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.71">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-ContractAward/definition.json">objects/ftm-ContractAward</a> - A contract or contract lot as awarded to a supplier.<a href="#section-3.1-1.71" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.72">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-CourtCase/definition.json">objects/ftm-CourtCase</a> - .<a href="#section-3.1-1.72" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.73">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-CourtCaseParty/definition.json">objects/ftm-CourtCaseParty</a> - .<a href="#section-3.1-1.73" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.74">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-Debt/definition.json">objects/ftm-Debt</a> - A monetary debt between two parties.<a href="#section-3.1-1.74" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.75">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-Directorship/definition.json">objects/ftm-Directorship</a> - .<a href="#section-3.1-1.75" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.76">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-Document/definition.json">objects/ftm-Document</a> - .<a href="#section-3.1-1.76" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.77">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-Documentation/definition.json">objects/ftm-Documentation</a> - .<a href="#section-3.1-1.77" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.78">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-EconomicActivity/definition.json">objects/ftm-EconomicActivity</a> - A foreign economic activity.<a href="#section-3.1-1.78" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.79">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-Email/definition.json">objects/ftm-Email</a> - .<a href="#section-3.1-1.79" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.80">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-Event/definition.json">objects/ftm-Event</a> - .<a href="#section-3.1-1.80" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.81">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-Family/definition.json">objects/ftm-Family</a> - Family relationship between two people.<a href="#section-3.1-1.81" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.82">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-Folder/definition.json">objects/ftm-Folder</a> - .<a href="#section-3.1-1.82" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.83">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-HyperText/definition.json">objects/ftm-HyperText</a> - .<a href="#section-3.1-1.83" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.84">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-Image/definition.json">objects/ftm-Image</a> - .<a href="#section-3.1-1.84" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.85">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-Land/definition.json">objects/ftm-Land</a> - .<a href="#section-3.1-1.85" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.86">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-LegalEntity/definition.json">objects/ftm-LegalEntity</a> - A legal entity may be a person or a company.<a href="#section-3.1-1.86" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.87">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-License/definition.json">objects/ftm-License</a> - A grant of land, rights or property. A type of Contract.<a href="#section-3.1-1.87" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.88">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-Membership/definition.json">objects/ftm-Membership</a> - .<a href="#section-3.1-1.88" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.89">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-Message/definition.json">objects/ftm-Message</a> - .<a href="#section-3.1-1.89" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.90">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-Organization/definition.json">objects/ftm-Organization</a> - .<a href="#section-3.1-1.90" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.91">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-Ownership/definition.json">objects/ftm-Ownership</a> - .<a href="#section-3.1-1.91" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.92">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-Package/definition.json">objects/ftm-Package</a> - .<a href="#section-3.1-1.92" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.93">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-Page/definition.json">objects/ftm-Page</a> - .<a href="#section-3.1-1.93" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.94">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-Pages/definition.json">objects/ftm-Pages</a> - .<a href="#section-3.1-1.94" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.95">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-Passport/definition.json">objects/ftm-Passport</a> - Passport.<a href="#section-3.1-1.95" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.96">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-Payment/definition.json">objects/ftm-Payment</a> - A monetary payment between two parties.<a href="#section-3.1-1.96" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.97">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-Person/definition.json">objects/ftm-Person</a> - An individual.<a href="#section-3.1-1.97" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.98">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-PlainText/definition.json">objects/ftm-PlainText</a> - .<a href="#section-3.1-1.98" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.99">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-PublicBody/definition.json">objects/ftm-PublicBody</a> - A public body, such as a ministry, department or state company.<a href="#section-3.1-1.99" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.100">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-RealEstate/definition.json">objects/ftm-RealEstate</a> - A piece of land or property.<a href="#section-3.1-1.100" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.101">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-Representation/definition.json">objects/ftm-Representation</a> - A mediatory, intermediary, middleman, or broker acting on behalf of a legal entity.<a href="#section-3.1-1.101" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.102">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-Row/definition.json">objects/ftm-Row</a> - .<a href="#section-3.1-1.102" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.103">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-Sanction/definition.json">objects/ftm-Sanction</a> - A sanction designation.<a href="#section-3.1-1.103" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.104">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-Succession/definition.json">objects/ftm-Succession</a> - Two entities that legally succeed each other.<a href="#section-3.1-1.104" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.105">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-Table/definition.json">objects/ftm-Table</a> - .<a href="#section-3.1-1.105" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.106">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-TaxRoll/definition.json">objects/ftm-TaxRoll</a> - A tax declaration of an individual.<a href="#section-3.1-1.106" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.107">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-UnknownLink/definition.json">objects/ftm-UnknownLink</a> - .<a href="#section-3.1-1.107" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.108">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-UserAccount/definition.json">objects/ftm-UserAccount</a> - .<a href="#section-3.1-1.108" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.109">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-Vehicle/definition.json">objects/ftm-Vehicle</a> - .<a href="#section-3.1-1.109" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.110">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-Vessel/definition.json">objects/ftm-Vessel</a> - A boat or ship.<a href="#section-3.1-1.110" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.111">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-Video/definition.json">objects/ftm-Video</a> - .<a href="#section-3.1-1.111" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.112">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ftm-Workbook/definition.json">objects/ftm-Workbook</a> - .<a href="#section-3.1-1.112" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.113">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/geolocation/definition.json">objects/geolocation</a> - An object to describe a geographic location.<a href="#section-3.1-1.113" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.114">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/git-vuln-finder/definition.json">objects/git-vuln-finder</a> - Export from git-vuln-finder.<a href="#section-3.1-1.114" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.115">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/github-user/definition.json">objects/github-user</a> - GitHub user.<a href="#section-3.1-1.115" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.116">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/gitlab-user/definition.json">objects/gitlab-user</a> - GitLab user. Gitlab.com user or self-hosted GitLab instance.<a href="#section-3.1-1.116" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.117">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/gtp-attack/definition.json">objects/gtp-attack</a> - GTP attack object as seen on a GSM, UMTS or LTE network.<a href="#section-3.1-1.117" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.118">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/http-request/definition.json">objects/http-request</a> - A single HTTP request header.<a href="#section-3.1-1.118" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.119">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ilr-impact/definition.json">objects/ilr-impact</a> - Institut Luxembourgeois de Regulation - Impact.<a href="#section-3.1-1.119" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.120">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ilr-notification-incident/definition.json">objects/ilr-notification-incident</a> - Institut Luxembourgeois de Regulation - Notification d'incident.<a href="#section-3.1-1.120" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.121">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/image/definition.json">objects/image</a> - Object describing an image file.<a href="#section-3.1-1.121" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.122">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/impersonation/definition.json">objects/impersonation</a> - Represent an impersonating account.<a href="#section-3.1-1.122" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.123">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/imsi-catcher/definition.json">objects/imsi-catcher</a> - IMSI Catcher entry object based on the open source IMSI cather.<a href="#section-3.1-1.123" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.124">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/instant-message/definition.json">objects/instant-message</a> - Instant Message (IM) object template describing one or more IM message.<a href="#section-3.1-1.124" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.125">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/instant-message-group/definition.json">objects/instant-message-group</a> - Instant Message (IM) group object template describing a public or private IM group, channel or conversation.<a href="#section-3.1-1.125" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.126">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/intel471-vulnerability-intelligence/definition.json">objects/intel471-vulnerability-intelligence</a> - Intel 471 vulnerability intelligence object.<a href="#section-3.1-1.126" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.127">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/intelmq_event/definition.json">objects/intelmq_event</a> - IntelMQ Event.<a href="#section-3.1-1.127" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.128">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/intelmq_report/definition.json">objects/intelmq_report</a> - IntelMQ Report.<a href="#section-3.1-1.128" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.129">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/internal-reference/definition.json">objects/internal-reference</a> - Internal reference.<a href="#section-3.1-1.129" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.130">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/interpol-notice/definition.json">objects/interpol-notice</a> - An object which describes a Interpol notice.<a href="#section-3.1-1.130" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.131">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/iot-device/definition.json">objects/iot-device</a> - An IoT device.<a href="#section-3.1-1.131" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.132">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/iot-firmware/definition.json">objects/iot-firmware</a> - A firmware for an IoT device.<a href="#section-3.1-1.132" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.133">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ip-api-address/definition.json">objects/ip-api-address</a> - IP Address information. Useful if you are pulling your ip information from ip-api.com.<a href="#section-3.1-1.133" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.134">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ip-port/definition.json">objects/ip-port</a> - An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.<a href="#section-3.1-1.134" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.135">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/irc/definition.json">objects/irc</a> - An IRC object to describe an IRC server and the associated channels.<a href="#section-3.1-1.135" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.136">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ja3/definition.json">objects/ja3</a> - JA3 is a new technique for creating SSL client fingerprints that are easy to produce and can be easily shared for threat intelligence. Fingerprints are composed of Client Hello packet; SSL Version, Accepted Ciphers, List of Extensions, Elliptic Curves, and Elliptic Curve Formats. <a href="https://github.com/salesforce/ja3">https://github.com/salesforce/ja3</a>.<a href="#section-3.1-1.136" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.137">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/keybase-account/definition.json">objects/keybase-account</a> - Information related to a keybase account, from API Users Object.<a href="#section-3.1-1.137" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.138">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/leaked-document/definition.json">objects/leaked-document</a> - Object describing a leaked document.<a href="#section-3.1-1.138" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.139">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/legal-entity/definition.json">objects/legal-entity</a> - An object to describe a legal entity.<a href="#section-3.1-1.139" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.140">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/lnk/definition.json">objects/lnk</a> - LNK object describing a Windows LNK binary file (aka Windows shortcut).<a href="#section-3.1-1.140" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.141">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/macho/definition.json">objects/macho</a> - Object describing a file in Mach-O format.<a href="#section-3.1-1.141" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.142">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/macho-section/definition.json">objects/macho-section</a> - Object describing a section of a file in Mach-O format.<a href="#section-3.1-1.142" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.143">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/mactime-timeline-analysis/definition.json">objects/mactime-timeline-analysis</a> - Mactime template, used in forensic investigations to describe the timeline of a file activity.<a href="#section-3.1-1.143" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.144">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/malware-config/definition.json">objects/malware-config</a> - Malware configuration recovered or extracted from a malicious binary.<a href="#section-3.1-1.144" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.145">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/meme-image/definition.json">objects/meme-image</a> - Object describing a meme (image).<a href="#section-3.1-1.145" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.146">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/microblog/definition.json">objects/microblog</a> - Microblog post like a Twitter tweet or a post on a Facebook wall.<a href="#section-3.1-1.146" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.147">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/mutex/definition.json">objects/mutex</a> - Object to describe mutual exclusion locks (mutex) as seen in memory or computer program.<a href="#section-3.1-1.147" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.148">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/narrative/definition.json">objects/narrative</a> - Object describing a narrative.<a href="#section-3.1-1.148" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.149">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/netflow/definition.json">objects/netflow</a> - Netflow object describes an network object based on the Netflowv5/v9 minimal definition.<a href="#section-3.1-1.149" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.150">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/network-connection/definition.json">objects/network-connection</a> - A local or remote network connection.<a href="#section-3.1-1.150" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.151">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/network-socket/definition.json">objects/network-socket</a> - Network socket object describes a local or remote network connections based on the socket data structure.<a href="#section-3.1-1.151" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.152">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/news-agency/definition.json">objects/news-agency</a> - News agencies compile news and disseminate news in bulk.<a href="#section-3.1-1.152" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.153">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/news-media/definition.json">objects/news-media</a> - News media are forms of mass media delivering news to the general public.<a href="#section-3.1-1.153" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.154">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/organization/definition.json">objects/organization</a> - An object which describes an organization.<a href="#section-3.1-1.154" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.155">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/original-imported-file/definition.json">objects/original-imported-file</a> - Object describing the original file used to import data in MISP.<a href="#section-3.1-1.155" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.156">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/parler-account/definition.json">objects/parler-account</a> - Parler account.<a href="#section-3.1-1.156" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.157">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/parler-comment/definition.json">objects/parler-comment</a> - Parler comment.<a href="#section-3.1-1.157" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.158">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/parler-post/definition.json">objects/parler-post</a> - Parler post (parley).<a href="#section-3.1-1.158" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.159">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/passive-dns/definition.json">objects/passive-dns</a> - Passive DNS records as expressed in draft-dulaunoy-dnsop-passive-dns-cof-01.<a href="#section-3.1-1.159" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.160">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/paste/definition.json">objects/paste</a> - Paste or similar post from a website allowing to share privately or publicly posts.<a href="#section-3.1-1.160" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.161">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/pcap-metadata/definition.json">objects/pcap-metadata</a> - Network packet capture metadata.<a href="#section-3.1-1.161" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.162">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/pe/definition.json">objects/pe</a> - Object describing a Portable Executable.<a href="#section-3.1-1.162" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.163">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/pe-section/definition.json">objects/pe-section</a> - Object describing a section of a Portable Executable.<a href="#section-3.1-1.163" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.164">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/person/definition.json">objects/person</a> - An object which describes a person or an identity.<a href="#section-3.1-1.164" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.165">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/pgp-meta/definition.json">objects/pgp-meta</a> - Metadata extracted from a PGP keyblock, message or signature.<a href="#section-3.1-1.165" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.166">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/phishing/definition.json">objects/phishing</a> - Phishing template to describe a phishing website and its analysis.<a href="#section-3.1-1.166" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.167">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/phishing-kit/definition.json">objects/phishing-kit</a> - Object to describe a phishing-kit.<a href="#section-3.1-1.167" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.168">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/phone/definition.json">objects/phone</a> - A phone or mobile phone object which describe a phone.<a href="#section-3.1-1.168" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.169">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/process/definition.json">objects/process</a> - Object describing a system process.<a href="#section-3.1-1.169" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.170">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/publication/definition.json">objects/publication</a> - An object to describe a book, journal, or academic publication.<a href="#section-3.1-1.170" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.171">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/python-etvx-event-log/definition.json">objects/python-etvx-event-log</a> - Event log object template to share information of the activities conducted on a system. .<a href="#section-3.1-1.171" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.172">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/r2graphity/definition.json">objects/r2graphity</a> - Indicators extracted from files using radare2 and graphml.<a href="#section-3.1-1.172" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.173">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/reddit-account/definition.json">objects/reddit-account</a> - Reddit account.<a href="#section-3.1-1.173" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.174">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/reddit-comment/definition.json">objects/reddit-comment</a> - A Reddit post comment.<a href="#section-3.1-1.174" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.175">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/reddit-post/definition.json">objects/reddit-post</a> - A Reddit post.<a href="#section-3.1-1.175" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.176">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/reddit-subreddit/definition.json">objects/reddit-subreddit</a> - Public or private subreddit.<a href="#section-3.1-1.176" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.177">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/regexp/definition.json">objects/regexp</a> - An object describing a regular expression (regex or regexp). The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a regular expression.<a href="#section-3.1-1.177" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.178">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/registry-key/definition.json">objects/registry-key</a> - Registry key object describing a Windows registry key with value and last-modified timestamp.<a href="#section-3.1-1.178" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.179">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/regripper-NTUser/definition.json">objects/regripper-NTUser</a> - Regripper Object template designed to present user specific configuration details extracted from the NTUSER.dat hive.<a href="#section-3.1-1.179" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.180">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/regripper-sam-hive-single-user/definition.json">objects/regripper-sam-hive-single-user</a> - Regripper Object template designed to present user profile details extracted from the SAM hive.<a href="#section-3.1-1.180" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.181">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/regripper-sam-hive-user-group/definition.json">objects/regripper-sam-hive-user-group</a> - Regripper Object template designed to present group profile details extracted from the SAM hive.<a href="#section-3.1-1.181" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.182">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/regripper-software-hive-BHO/definition.json">objects/regripper-software-hive-BHO</a> - Regripper Object template designed to gather information of the browser helper objects installed on the system.<a href="#section-3.1-1.182" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.183">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/regripper-software-hive-appInit-DLLS/definition.json">objects/regripper-software-hive-appInit-DLLS</a> - Regripper Object template designed to gather information of the DLL files installed on the system.<a href="#section-3.1-1.183" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.184">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/regripper-software-hive-application-paths/definition.json">objects/regripper-software-hive-application-paths</a> - Regripper Object template designed to gather information of the application paths.<a href="#section-3.1-1.184" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.185">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/regripper-software-hive-applications-installed/definition.json">objects/regripper-software-hive-applications-installed</a> - Regripper Object template designed to gather information of the applications installed on the system.<a href="#section-3.1-1.185" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.186">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/regripper-software-hive-command-shell/definition.json">objects/regripper-software-hive-command-shell</a> - Regripper Object template designed to gather information of the shell commands executed on the system.<a href="#section-3.1-1.186" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.187">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/regripper-software-hive-software-run/definition.json">objects/regripper-software-hive-software-run</a> - Regripper Object template designed to gather information of the applications set to run on the system.<a href="#section-3.1-1.187" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.188">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/regripper-software-hive-userprofile-winlogon/definition.json">objects/regripper-software-hive-userprofile-winlogon</a> - Regripper Object template designed to gather user profile information when the user logs onto the system, gathered from the software hive.<a href="#section-3.1-1.188" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.189">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/regripper-software-hive-windows-general-info/definition.json">objects/regripper-software-hive-windows-general-info</a> - Regripper Object template designed to gather general windows information extracted from the software-hive.<a href="#section-3.1-1.189" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.190">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/regripper-system-hive-firewall-configuration/definition.json">objects/regripper-system-hive-firewall-configuration</a> - Regripper Object template designed to present firewall configuration information extracted from the system-hive.<a href="#section-3.1-1.190" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.191">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/regripper-system-hive-general-configuration/definition.json">objects/regripper-system-hive-general-configuration</a> - Regripper Object template designed to present general system properties extracted from the system-hive.<a href="#section-3.1-1.191" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.192">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/regripper-system-hive-network-information/definition.json">objects/regripper-system-hive-network-information</a> - Regripper object template designed to gather network information from the system-hive.<a href="#section-3.1-1.192" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.193">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/regripper-system-hive-services-drivers/definition.json">objects/regripper-system-hive-services-drivers</a> - Regripper Object template designed to gather information regarding the services/drivers from the system-hive.<a href="#section-3.1-1.193" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.194">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/report/definition.json">objects/report</a> - Metadata used to generate an executive level report.<a href="#section-3.1-1.194" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.195">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/research-scanner/definition.json">objects/research-scanner</a> - Information related to known scanning activity (e.g. from research projects).<a href="#section-3.1-1.195" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.196">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/rogue-dns/definition.json">objects/rogue-dns</a> - Rogue DNS as defined by CERT.br.<a href="#section-3.1-1.196" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.197">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/rtir/definition.json">objects/rtir</a> - RTIR - Request Tracker for Incident Response.<a href="#section-3.1-1.197" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.198">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/sandbox-report/definition.json">objects/sandbox-report</a> - Sandbox report.<a href="#section-3.1-1.198" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.199">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/sb-signature/definition.json">objects/sb-signature</a> - Sandbox detection signature.<a href="#section-3.1-1.199" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.200">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/scheduled-event/definition.json">objects/scheduled-event</a> - Event object template describing a gathering of individuals in meatspace.<a href="#section-3.1-1.200" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.201">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/scrippsco2-c13-daily/definition.json">objects/scrippsco2-c13-daily</a> - Daily average C13 concentrations (ppm) derived from flask air samples.<a href="#section-3.1-1.201" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.202">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/scrippsco2-c13-monthly/definition.json">objects/scrippsco2-c13-monthly</a> - Monthly average C13 concentrations (ppm) derived from flask air samples.<a href="#section-3.1-1.202" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.203">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/scrippsco2-co2-daily/definition.json">objects/scrippsco2-co2-daily</a> - Daily average CO2 concentrations (ppm) derived from flask air samples.<a href="#section-3.1-1.203" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.204">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/scrippsco2-co2-monthly/definition.json">objects/scrippsco2-co2-monthly</a> - Monthly average CO2 concentrations (ppm) derived from flask air samples.<a href="#section-3.1-1.204" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.205">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/scrippsco2-o18-daily/definition.json">objects/scrippsco2-o18-daily</a> - Daily average O18 concentrations (ppm) derived from flask air samples.<a href="#section-3.1-1.205" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.206">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/scrippsco2-o18-monthly/definition.json">objects/scrippsco2-o18-monthly</a> - Monthly average O18 concentrations (ppm) derived from flask air samples.<a href="#section-3.1-1.206" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.207">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/script/definition.json">objects/script</a> - Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts.<a href="#section-3.1-1.207" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.208">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/shell-commands/definition.json">objects/shell-commands</a> - Object describing a series of shell commands executed. This object can be linked with malicious files in order to describe a specific execution of shell commands.<a href="#section-3.1-1.208" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.209">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/shodan-report/definition.json">objects/shodan-report</a> - Shodan Report for a given IP.<a href="#section-3.1-1.209" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.210">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/short-message-service/definition.json">objects/short-message-service</a> - Short Message Service (SMS) object template describing one or more SMS message. Restriction of the initial format 3GPP 23.038 GSM character set doesn't apply.<a href="#section-3.1-1.210" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.211">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/shortened-link/definition.json">objects/shortened-link</a> - Shortened link and its redirect target.<a href="#section-3.1-1.211" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.212">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/social-media-group/definition.json">objects/social-media-group</a> - Social media group object template describing a public or private group or channel.<a href="#section-3.1-1.212" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.213">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/splunk/definition.json">objects/splunk</a> - Splunk / Splunk ES object.<a href="#section-3.1-1.213" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.214">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ss7-attack/definition.json">objects/ss7-attack</a> - SS7 object of an attack seen on a GSM, UMTS or LTE network via SS7 logging.<a href="#section-3.1-1.214" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.215">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/ssh-authorized-keys/definition.json">objects/ssh-authorized-keys</a> - An object to store ssh authorized keys file.<a href="#section-3.1-1.215" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.216">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/stix2-pattern/definition.json">objects/stix2-pattern</a> - An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern.<a href="#section-3.1-1.216" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.217">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/suricata/definition.json">objects/suricata</a> - An object describing one or more Suricata rule(s) along with version and contextual information.<a href="#section-3.1-1.217" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.218">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/target-system/definition.json">objects/target-system</a> - Description about an targeted system, this could potentially be a compromissed internal system.<a href="#section-3.1-1.218" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.219">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/threatgrid-report/definition.json">objects/threatgrid-report</a> - ThreatGrid report.<a href="#section-3.1-1.219" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.220">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/timecode/definition.json">objects/timecode</a> - Timecode object to describe a start of video sequence (e.g. CCTV evidence) and the end of the video sequence.<a href="#section-3.1-1.220" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.221">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/timesketch-timeline/definition.json">objects/timesketch-timeline</a> - A timesketch timeline object based on mandatory field in timesketch to describe a log entry.<a href="#section-3.1-1.221" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.222">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/timesketch_message/definition.json">objects/timesketch_message</a> - A timesketch message entry.<a href="#section-3.1-1.222" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.223">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/timestamp/definition.json">objects/timestamp</a> - A generic timestamp object to represent time including first time and last time seen. Relationship will then define the kind of time relationship.<a href="#section-3.1-1.223" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.224">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/tor-hiddenservice/definition.json">objects/tor-hiddenservice</a> - Tor hidden service (onion service) object.<a href="#section-3.1-1.224" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.225">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/tor-node/definition.json">objects/tor-node</a> - Tor node (which protects your privacy on the internet by hiding the connection between users Internet address and the services used by the users) description which are part of the Tor network at a time.<a href="#section-3.1-1.225" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.226">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/tracking-id/definition.json">objects/tracking-id</a> - Analytics and tracking ID such as used in Google Analytics or other analytic platform.<a href="#section-3.1-1.226" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.227">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/transaction/definition.json">objects/transaction</a> - An object to describe a financial transaction.<a href="#section-3.1-1.227" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.228">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/translation/definition.json">objects/translation</a> - Used to keep a text and its translation.<a href="#section-3.1-1.228" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.229">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/trustar_report/definition.json">objects/trustar_report</a> - TruStar Report.<a href="#section-3.1-1.229" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.230">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/tsk-chats/definition.json">objects/tsk-chats</a> - An Object Template to gather information from evidential or interesting exchange of messages identified during a digital forensic investigation.<a href="#section-3.1-1.230" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.231">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/tsk-web-bookmark/definition.json">objects/tsk-web-bookmark</a> - An Object Template to add evidential bookmarks identified during a digital forensic investigation.<a href="#section-3.1-1.231" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.232">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/tsk-web-cookie/definition.json">objects/tsk-web-cookie</a> - An TSK-Autopsy Object Template to represent cookies identified during a forensic investigation.<a href="#section-3.1-1.232" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.233">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/tsk-web-downloads/definition.json">objects/tsk-web-downloads</a> - An Object Template to add web-downloads.<a href="#section-3.1-1.233" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.234">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/tsk-web-history/definition.json">objects/tsk-web-history</a> - An Object Template to share web history information.<a href="#section-3.1-1.234" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.235">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/tsk-web-search-query/definition.json">objects/tsk-web-search-query</a> - An Object Template to share web search query information.<a href="#section-3.1-1.235" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.236">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/twitter-account/definition.json">objects/twitter-account</a> - Twitter account.<a href="#section-3.1-1.236" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.237">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/twitter-list/definition.json">objects/twitter-list</a> - Twitter list.<a href="#section-3.1-1.237" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.238">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/twitter-post/definition.json">objects/twitter-post</a> - Twitter post (tweet).<a href="#section-3.1-1.238" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.239">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/url/definition.json">objects/url</a> - url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.<a href="#section-3.1-1.239" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.240">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/user-account/definition.json">objects/user-account</a> - .<a href="#section-3.1-1.240" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.241">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/vehicle/definition.json">objects/vehicle</a> - Vehicle object template to describe a vehicle information and registration.<a href="#section-3.1-1.241" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.242">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/victim/definition.json">objects/victim</a> - Victim object describes the target of an attack or abuse.<a href="#section-3.1-1.242" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.243">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/virustotal-graph/definition.json">objects/virustotal-graph</a> - VirusTotal graph.<a href="#section-3.1-1.243" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.244">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/virustotal-report/definition.json">objects/virustotal-report</a> - VirusTotal report.<a href="#section-3.1-1.244" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.245">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/vulnerability/definition.json">objects/vulnerability</a> - Vulnerability object describing a common vulnerability enumeration which can describe published, unpublished, under review or embargo vulnerability for software, equipments or hardware.<a href="#section-3.1-1.245" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.246">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/weakness/definition.json">objects/weakness</a> - Weakness object describing a common weakness enumeration which can describe usable, incomplete, draft or deprecated weakness for software, equipment of hardware.<a href="#section-3.1-1.246" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.247">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/whois/definition.json">objects/whois</a> - Whois records information for a domain name or an IP address.<a href="#section-3.1-1.247" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.248">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/x509/definition.json">objects/x509</a> - x509 object describing a X.509 certificate.<a href="#section-3.1-1.248" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.249">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/yabin/definition.json">objects/yabin</a> - yabin.py generates Yara rules from function prologs, for matching and hunting binaries. ref: <a href="https://github.com/AlienVault-OTX/yabin">https://github.com/AlienVault-OTX/yabin</a>.<a href="#section-3.1-1.249" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.250">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/yara/definition.json">objects/yara</a> - An object describing a YARA rule (or a YARA rule name) along with its version.<a href="#section-3.1-1.250" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.251">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/youtube-channel/definition.json">objects/youtube-channel</a> - A YouTube channel.<a href="#section-3.1-1.251" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.252">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/youtube-comment/definition.json">objects/youtube-comment</a> - A YouTube video comment.<a href="#section-3.1-1.252" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.253">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/youtube-playlist/definition.json">objects/youtube-playlist</a> - A YouTube playlist.<a href="#section-3.1-1.253" class="pilcrow">¶</a>
+</li>
+          <li class="normal" id="section-3.1-1.254">
+            <a href="https://github.com/MISP/misp-objects/blob/main/objects/youtube-video/definition.json">objects/youtube-video</a> - A YouTube video.<a href="#section-3.1-1.254" class="pilcrow">¶</a>
+</li>
+        </ul>
+</section>
+</div>
+</section>
+</div>
+<div id="acknowledgements">
+<section id="section-4">
+      <h2 id="name-acknowledgements">
+<a href="#section-4" class="section-number selfRef">4. </a><a href="#name-acknowledgements" class="section-name selfRef">Acknowledgements</a>
+      </h2>
+<p id="section-4-1">The authors wish to thank all the MISP community who are supporting the creation
+of open standards in threat intelligence sharing.<a href="#section-4-1" class="pilcrow">¶</a></p>
+</section>
+</div>
+<section id="section-5">
+      <h2 id="name-normative-references">
+<a href="#section-5" class="section-number selfRef">5. </a><a href="#name-normative-references" class="section-name selfRef">Normative References</a>
+      </h2>
+<dl class="references">
+<dt id="RFC2119">[RFC2119]</dt>
+      <dd>
+<span class="refAuthor">Bradner, S.</span>, <span class="refTitle">"Key words for use in RFCs to Indicate Requirement Levels"</span>, <span class="seriesInfo">BCP 14</span>, <span class="seriesInfo">RFC 2119</span>, <span class="seriesInfo">DOI 10.17487/RFC2119</span>, <time datetime="1997-03" class="refDate">March 1997</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc2119">https://www.rfc-editor.org/info/rfc2119</a>&gt;</span>. </dd>
+<dd class="break"></dd>
+<dt id="RFC4122">[RFC4122]</dt>
+      <dd>
+<span class="refAuthor">Leach, P.</span>, <span class="refAuthor">Mealling, M.</span>, and <span class="refAuthor">R. Salz</span>, <span class="refTitle">"A Universally Unique IDentifier (UUID) URN Namespace"</span>, <span class="seriesInfo">RFC 4122</span>, <span class="seriesInfo">DOI 10.17487/RFC4122</span>, <time datetime="2005-07" class="refDate">July 2005</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc4122">https://www.rfc-editor.org/info/rfc4122</a>&gt;</span>. </dd>
+<dd class="break"></dd>
+<dt id="RFC8259">[RFC8259]</dt>
+    <dd>
+<span class="refAuthor">Bray, T., Ed.</span>, <span class="refTitle">"The JavaScript Object Notation (JSON) Data Interchange Format"</span>, <span class="seriesInfo">STD 90</span>, <span class="seriesInfo">RFC 8259</span>, <span class="seriesInfo">DOI 10.17487/RFC8259</span>, <time datetime="2017-12" class="refDate">December 2017</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc8259">https://www.rfc-editor.org/info/rfc8259</a>&gt;</span>. </dd>
+<dd class="break"></dd>
+</dl>
+</section>
+<section id="section-6">
+      <h2 id="name-informative-references">
+<a href="#section-6" class="section-number selfRef">6. </a><a href="#name-informative-references" class="section-name selfRef">Informative References</a>
+      </h2>
+<dl class="references">
+<dt id="MISP-O">[MISP-O]</dt>
+      <dd>
+<span class="refAuthor">Community, M.</span>, <span class="refTitle">"MISP Objects - shared and common object templates"</span>, <span class="refContent"></span>, <span>&lt;<a href="https://github.com/MISP/misp-objects">https://github.com/MISP/misp-objects</a>&gt;</span>. </dd>
+<dd class="break"></dd>
+<dt id="MISP-O-DOC">[MISP-O-DOC]</dt>
+    <dd>
+<span class="refAuthor">community, M.</span>, <span class="refTitle">"MISP objects directory"</span>, <span class="refContent"></span>, <time datetime="2018" class="refDate">2018</time>, <span>&lt;<a href="https://www.misp-project.org/objects.html">https://www.misp-project.org/objects.html</a>&gt;</span>. </dd>
+<dd class="break"></dd>
+</dl>
+</section>
+<div id="authors-addresses">
+<section id="appendix-A">
+      <h2 id="name-authors-addresses">
+<a href="#name-authors-addresses" class="section-name selfRef">Authors' Addresses</a>
+      </h2>
+<address class="vcard">
+        <div dir="auto" class="left"><span class="fn nameRole">Alexandre Dulaunoy</span></div>
+<div dir="auto" class="left"><span class="org">Computer Incident Response Center Luxembourg</span></div>
+<div dir="auto" class="left"><span class="street-address">16, bd d'Avranches</span></div>
+<div dir="auto" class="left">L-<span class="postal-code">L-1611</span> <span class="locality">Luxembourg</span>
+</div>
+<div dir="auto" class="left"><span class="country-name">Luxembourg</span></div>
+<div class="tel">
+<span>Phone:</span>
+<a href="tel:+352%20247%2088444" class="tel">+352 247 88444</a>
+</div>
+<div class="email">
+<span>Email:</span>
+<a href="mailto:alexandre.dulaunoy@circl.lu" class="email">alexandre.dulaunoy@circl.lu</a>
+</div>
+</address>
+<address class="vcard">
+        <div dir="auto" class="left"><span class="fn nameRole">Andras Iklody</span></div>
+<div dir="auto" class="left"><span class="org">Computer Incident Response Center Luxembourg</span></div>
+<div dir="auto" class="left"><span class="street-address">16, bd d'Avranches</span></div>
+<div dir="auto" class="left">L-<span class="postal-code">L-1611</span> <span class="locality">Luxembourg</span>
+</div>
+<div dir="auto" class="left"><span class="country-name">Luxembourg</span></div>
+<div class="tel">
+<span>Phone:</span>
+<a href="tel:+352%20247%2088444" class="tel">+352 247 88444</a>
+</div>
+<div class="email">
+<span>Email:</span>
+<a href="mailto:andras.iklody@circl.lu" class="email">andras.iklody@circl.lu</a>
+</div>
+</address>
+</section>
+</div>
+<script>const toc = document.getElementById("toc");
+toc.querySelector("h2").addEventListener("click", e => {
+  toc.classList.toggle("active");
+});
+toc.querySelector("nav").addEventListener("click", e => {
+  toc.classList.remove("active");
+});
+</script>
 </body>
 </html>
diff --git a/rfc/misp-standard-object-template-format.txt b/rfc/misp-standard-object-template-format.txt
index 09b1cfb..09f4bd0 100644
--- a/rfc/misp-standard-object-template-format.txt
+++ b/rfc/misp-standard-object-template-format.txt
@@ -4,11 +4,12 @@
 
 Network Working Group                                        A. Dulaunoy
 Internet-Draft                                                 A. Iklody
-Expires: October 12, 2018                                          CIRCL
-                                                          April 10, 2018
+Intended status: Informational                                     CIRCL
+Expires: 25 May 2022                                    21 November 2021
 
 
                       MISP object template format
+                                draft-00
 
 Abstract
 
@@ -33,29 +34,28 @@ Status of This Memo
    time.  It is inappropriate to use Internet-Drafts as reference
    material or to cite them other than as "work in progress."
 
-   This Internet-Draft will expire on October 12, 2018.
+   This Internet-Draft will expire on 25 May 2022.
 
 Copyright Notice
 
-   Copyright (c) 2018 IETF Trust and the persons identified as the
+   Copyright (c) 2021 IETF Trust and the persons identified as the
    document authors.  All rights reserved.
 
    This document is subject to BCP 78 and the IETF Trust's Legal
-   Provisions Relating to IETF Documents
-   (https://trustee.ietf.org/license-info) in effect on the date of
-   publication of this document.  Please review these documents
-   carefully, as they describe your rights and restrictions with respect
-   to this document.  Code Components extracted from this document must
-   include Simplified BSD License text as described in Section 4.e of
-   the Trust Legal Provisions and are provided without warranty as
-   described in the Simplified BSD License.
+   Provisions Relating to IETF Documents (https://trustee.ietf.org/
+   license-info) in effect on the date of publication of this document.
+   Please review these documents carefully, as they describe your rights
+   and restrictions with respect to this document.
 
 
 
 
-Dulaunoy & Iklody       Expires October 12, 2018                [Page 1]
+
+
+
+Dulaunoy & Iklody          Expires 25 May 2022                  [Page 1]
 
-Internet-Draft         MISP object template format            April 2018
+Internet-Draft         MISP object template format         November 2021
 
 
 Table of Contents
@@ -70,12 +70,10 @@ Table of Contents
        2.1.4.  Object Relationships  . . . . . . . . . . . . . . . .   9
    3.  Directory . . . . . . . . . . . . . . . . . . . . . . . . . .  10
      3.1.  Existing and public MISP object templates . . . . . . . .  10
-   4.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  18
-   5.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  18
-     5.1.  Normative References  . . . . . . . . . . . . . . . . . .  18
-     5.2.  Informative References  . . . . . . . . . . . . . . . . .  18
-     5.3.  URIs  . . . . . . . . . . . . . . . . . . . . . . . . . .  19
-   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  19
+   4.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  34
+   5.  Normative References  . . . . . . . . . . . . . . . . . . . .  34
+   6.  Informative References  . . . . . . . . . . . . . . . . . . .  34
+   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  34
 
 1.  Introduction
 
@@ -109,9 +107,11 @@ Table of Contents
 
 
 
-Dulaunoy & Iklody       Expires October 12, 2018                [Page 2]
+
+
+Dulaunoy & Iklody          Expires 25 May 2022                  [Page 2]
 
-Internet-Draft         MISP object template format            April 2018
+Internet-Draft         MISP object template format         November 2021
 
 
 2.  Format
@@ -165,9 +165,9 @@ Internet-Draft         MISP object template format            April 2018
 
 
 
-Dulaunoy & Iklody       Expires October 12, 2018                [Page 3]
+Dulaunoy & Iklody          Expires 25 May 2022                  [Page 3]
 
-Internet-Draft         MISP object template format            April 2018
+Internet-Draft         MISP object template format         November 2021
 
 
 2.1.1.3.  required
@@ -221,9 +221,9 @@ Internet-Draft         MISP object template format            April 2018
 
 
 
-Dulaunoy & Iklody       Expires October 12, 2018                [Page 4]
+Dulaunoy & Iklody          Expires 25 May 2022                  [Page 4]
 
-Internet-Draft         MISP object template format            April 2018
+Internet-Draft         MISP object template format         November 2021
 
 
 2.1.2.1.  description
@@ -277,9 +277,9 @@ Internet-Draft         MISP object template format            April 2018
 
 
 
-Dulaunoy & Iklody       Expires October 12, 2018                [Page 5]
+Dulaunoy & Iklody          Expires 25 May 2022                  [Page 5]
 
-Internet-Draft         MISP object template format            April 2018
+Internet-Draft         MISP object template format         November 2021
 
 
 2.1.2.7.  sane_default
@@ -333,9 +333,9 @@ Internet-Draft         MISP object template format            April 2018
 
 
 
-Dulaunoy & Iklody       Expires October 12, 2018                [Page 6]
+Dulaunoy & Iklody          Expires 25 May 2022                  [Page 6]
 
-Internet-Draft         MISP object template format            April 2018
+Internet-Draft         MISP object template format         November 2021
 
 
 {
@@ -389,9 +389,9 @@ Internet-Draft         MISP object template format            April 2018
 
 
 
-Dulaunoy & Iklody       Expires October 12, 2018                [Page 7]
+Dulaunoy & Iklody          Expires 25 May 2022                  [Page 7]
 
-Internet-Draft         MISP object template format            April 2018
+Internet-Draft         MISP object template format         November 2021
 
 
 2.1.3.2.  credential object template
@@ -445,9 +445,9 @@ Internet-Draft         MISP object template format            April 2018
 
 
 
-Dulaunoy & Iklody       Expires October 12, 2018                [Page 8]
+Dulaunoy & Iklody          Expires 25 May 2022                  [Page 8]
 
-Internet-Draft         MISP object template format            April 2018
+Internet-Draft         MISP object template format         November 2021
 
 
     "format": {
@@ -501,9 +501,9 @@ Internet-Draft         MISP object template format            April 2018
 
 
 
-Dulaunoy & Iklody       Expires October 12, 2018                [Page 9]
+Dulaunoy & Iklody          Expires 25 May 2022                  [Page 9]
 
-Internet-Draft         MISP object template format            April 2018
+Internet-Draft         MISP object template format         November 2021
 
 
 2.1.4.3.  format
@@ -527,457 +527,1343 @@ Internet-Draft         MISP object template format            April 2018
 
 3.1.  Existing and public MISP object templates
 
-   o  tsk-chats - An Object Template to gather information from
-      evidential or interesting exchange of messages identified during a
-      digital forensic investigation.
+   *  objects/ail-leak (https://github.com/MISP/misp-
+      objects/blob/main/objects/ail-leak/definition.json) - An
+      information leak as defined by the AIL Analysis Information Leak
+      framework.
 
-   o  tsk-web-bookmark - An Object Template to add evidential bookmarks
-      identified during a digital forensic investigation.
+   *  objects/ais-info (https://github.com/MISP/misp-
+      objects/blob/main/objects/ais-info/definition.json) - Automated
+      Indicator Sharing (AIS) Information Source Markings.
 
-   o  tsk-web-cookie - An TSK-Autopsy Object Template to represent
-      cookies identified during a forensic investigation.
+   *  objects/android-app (https://github.com/MISP/misp-
+      objects/blob/main/objects/android-app/definition.json) -
+      Indicators related to an Android app.
 
-   o  tsk-web-downloads - An Object Template to add web-downloads.
+   *  objects/android-permission (https://github.com/MISP/misp-
+      objects/blob/main/objects/android-permission/definition.json) - A
+      set of android permissions - one or more permission(s) which can
+      be linked to other objects (e.g. malware, app).
 
-   o  tsk-web-history - An Object Template to share web history
-      information.
-
-   o  tsk-web-search-query - An Object Template to share web search
-      query information.
-
-   o  ail-leak - An information leak as defined by the AIL Analysis
-      Information Leak framework.
-
-   o  ais-info - Automated Indicator Sharing (AIS) Information Source
-      Markings.
-
-   o  android-permission - A set of android permissions - one or more
-      permission(s) which can be linked to other objects (e.g. malware,
-      app).
+   *  objects/annotation (https://github.com/MISP/misp-
+      objects/blob/main/objects/annotation/definition.json) - An
+      annotation object allowing analysts to add annotations, comments,
+      executive summary to a MISP event, objects or attributes.
 
 
 
-Dulaunoy & Iklody       Expires October 12, 2018               [Page 10]
+
+
+
+
+
+Dulaunoy & Iklody          Expires 25 May 2022                 [Page 10]
 
-Internet-Draft         MISP object template format            April 2018
+Internet-Draft         MISP object template format         November 2021
 
 
-   o  annotation - An annotation object allowing analysts to add
-      annotations, comments, executive summary to a MISP event, objects
-      or attributes.
+   *  objects/anonymisation (https://github.com/MISP/misp-
+      objects/blob/main/objects/anonymisation/definition.json) -
+      Anonymisation object describing an anonymisation technique used to
+      encode MISP attribute values.  Reference:
+      https://www.caida.org/tools/taxonomy/anonymization.xml
+      (https://www.caida.org/tools/taxonomy/anonymization.xml).
 
-   o  anonymisation - Anonymisation object describing an anonymisation
-      technique used to encode MISP attribute values.  Reference:
-      https://www.caida.org/tools/taxonomy/anonymization.xml [1].
+   *  objects/asn (https://github.com/MISP/misp-
+      objects/blob/main/objects/asn/definition.json) - Autonomous system
+      object describing an autonomous system which can include one or
+      more network operators management an entity (e.g.  ISP) along with
+      their routing policy, routing prefixes or alike.
 
-   o  asn - Autonomous system object describing an autonomous system
-      which can include one or more network operators management an
-      entity (e.g.  ISP) along with their routing policy, routing
-      prefixes or alike.
+   *  objects/attack-pattern (https://github.com/MISP/misp-
+      objects/blob/main/objects/attack-pattern/definition.json) - Attack
+      pattern describing a common attack pattern enumeration and
+      classification.
 
-   o  authenticode-signerinfo - Authenticode Signer Info.
+   *  objects/authentication-failure-report (https://github.com/MISP/
+      misp-objects/blob/main/objects/authentication-failure-report/
+      definition.json) - Authentication Failure Report.
 
-   o  av-signature - Antivirus detection signature.
+   *  objects/authenticode-signerinfo (https://github.com/MISP/misp-
+      objects/blob/main/objects/authenticode-signerinfo/definition.json)
+      - Authenticode Signer Info.
 
-   o  bank-account - An object describing bank account information based
-      on account description from goAML 4.0.
+   *  objects/av-signature (https://github.com/MISP/misp-
+      objects/blob/main/objects/av-signature/definition.json) -
+      Antivirus detection signature.
 
-   o  bgp-hijack - Object encapsulating BGP Hijack description as
-      specified, for example, by bgpstream.com.
+   *  objects/bank-account (https://github.com/MISP/misp-
+      objects/blob/main/objects/bank-account/definition.json) - An
+      object describing bank account information based on account
+      description from goAML 4.0.
 
-   o  cap-alert - Common Alerting Protocol Version (CAP) alert object.
+   *  objects/bgp-hijack (https://github.com/MISP/misp-
+      objects/blob/main/objects/bgp-hijack/definition.json) - Object
+      encapsulating BGP Hijack description as specified, for example, by
+      bgpstream.com.
 
-   o  cap-info - Common Alerting Protocol Version (CAP) info object.
+   *  objects/bgp-ranking (https://github.com/MISP/misp-
+      objects/blob/main/objects/bgp-ranking/definition.json) - BGP
+      Ranking object describing the ranking of an ASN for a given day,
+      along with its position, 1 being the most malicious ASN of the
+      day, with the highest ranking.  This object is meant to have a
+      relationship with the corresponding ASN object and represents its
+      ranking for a specific date.
 
-   o  cap-resource - Common Alerting Protocol Version (CAP) resource
-      object.
 
-   o  coin-address - An address used in a cryptocurrency.
 
-   o  cookie - An HTTP cookie (web cookie, browser cookie) is a small
-      piece of data that a server sends to the user's web browser.  The
-      browser may store it and send it back with the next request to the
-      same server.  Typically, it's used to tell if two requests came
-      from the same browser -- keeping a user logged-in, for example.
-      It remembers stateful information for the stateless HTTP protocol.
+
+Dulaunoy & Iklody          Expires 25 May 2022                 [Page 11]
+
+Internet-Draft         MISP object template format         November 2021
+
+
+   *  objects/blog (https://github.com/MISP/misp-
+      objects/blob/main/objects/blog/definition.json) - Blog post like
+      Medium or WordPress.
+
+   *  objects/boleto (https://github.com/MISP/misp-
+      objects/blob/main/objects/boleto/definition.json) - A common form
+      of payment used in Brazil.
+
+   *  objects/btc-transaction (https://github.com/MISP/misp-
+      objects/blob/main/objects/btc-transaction/definition.json) - An
+      object to describe a Bitcoin transaction.  Best to be used with
+      bitcoin-wallet.
+
+   *  objects/btc-wallet (https://github.com/MISP/misp-
+      objects/blob/main/objects/btc-wallet/definition.json) - An object
+      to describe a Bitcoin wallet.  Best to be used with bitcoin-
+      transactions.
+
+   *  objects/cap-alert (https://github.com/MISP/misp-
+      objects/blob/main/objects/cap-alert/definition.json) - Common
+      Alerting Protocol Version (CAP) alert object.
+
+   *  objects/cap-info (https://github.com/MISP/misp-
+      objects/blob/main/objects/cap-info/definition.json) - Common
+      Alerting Protocol Version (CAP) info object.
+
+   *  objects/cap-resource (https://github.com/MISP/misp-
+      objects/blob/main/objects/cap-resource/definition.json) - Common
+      Alerting Protocol Version (CAP) resource object.
+
+   *  objects/coin-address (https://github.com/MISP/misp-
+      objects/blob/main/objects/coin-address/definition.json) - An
+      address used in a cryptocurrency.
+
+   *  objects/command (https://github.com/MISP/misp-
+      objects/blob/main/objects/command/definition.json) - Command
+      functionalities related to specific commands executed by a
+      program, whether it is malicious or not.  Command-line are
+      attached to this object for the related commands.
+
+   *  objects/command-line (https://github.com/MISP/misp-
+      objects/blob/main/objects/command-line/definition.json) - Command
+      line and options related to a specific command executed by a
+      program, whether it is malicious or not.
+
+   *  objects/cookie (https://github.com/MISP/misp-
+      objects/blob/main/objects/cookie/definition.json) - An HTTP cookie
+      (web cookie, browser cookie) is a small piece of data that a
+
+
+
+Dulaunoy & Iklody          Expires 25 May 2022                 [Page 12]
+
+Internet-Draft         MISP object template format         November 2021
+
+
+      server sends to the user's web browser.  The browser may store it
+      and send it back with the next request to the same server.
+      Typically, it's used to tell if two requests came from the same
+      browser — (U+2014) keeping a user logged-in, for example.  It
+      remembers stateful information for the stateless HTTP protocol.
       (as defined by the Mozilla foundation.
 
-   o  cortex - Cortex object describing a complete cortex analysis.
-      Observables would be attribute with a relationship from this
-      object.
+   *  objects/cortex (https://github.com/MISP/misp-
+      objects/blob/main/objects/cortex/definition.json) - Cortex object
+      describing a complete cortex analysis.  Observables would be
+      attribute with a relationship from this object.
 
-   o  cortex-taxonomy - Cortex object describing an Cortex Taxonomy (or
-      mini report).
+   *  objects/cortex-taxonomy (https://github.com/MISP/misp-
+      objects/blob/main/objects/cortex-taxonomy/definition.json) -
+      Cortex object describing an Cortex Taxonomy (or mini report).
+
+   *  objects/course-of-action (https://github.com/MISP/misp-
+      objects/blob/main/objects/course-of-action/definition.json) - An
+      object describing a specific measure taken to prevent or respond
+      to an attack.
+
+   *  objects/covid19-csse-daily-report (https://github.com/MISP/misp-
+      objects/blob/main/objects/covid19-csse-daily-report/
+      definition.json) - CSSE COVID-19 Daily report.
+
+   *  objects/covid19-dxy-live-city (https://github.com/MISP/misp-
+      objects/blob/main/objects/covid19-dxy-live-city/definition.json) -
+      COVID 19 from dxy.cn - Aggregation by city.
+
+   *  objects/covid19-dxy-live-province (https://github.com/MISP/misp-
+      objects/blob/main/objects/covid19-dxy-live-province/
+      definition.json) - COVID 19 from dxy.cn - Aggregation by province.
+
+   *  objects/cowrie (https://github.com/MISP/misp-
+      objects/blob/main/objects/cowrie/definition.json) - Cowrie
+      honeypot object template.
+
+   *  objects/cpe-asset (https://github.com/MISP/misp-
+      objects/blob/main/objects/cpe-asset/definition.json) - An asset
+      which can be defined by a CPE.  This can be a generic asset.  CPE
+      is a structured naming scheme for information technology systems,
+      software, and packages.
+
+   *  objects/credential (https://github.com/MISP/misp-
+      objects/blob/main/objects/credential/definition.json) - Credential
+      describes one or more credential(s) including password(s), api
+      key(s) or decryption key(s).
 
 
 
 
-
-Dulaunoy & Iklody       Expires October 12, 2018               [Page 11]
+Dulaunoy & Iklody          Expires 25 May 2022                 [Page 13]
 
-Internet-Draft         MISP object template format            April 2018
+Internet-Draft         MISP object template format         November 2021
 
 
-   o  course-of-action - An object describing a specific measure taken
-      to prevent or respond to an attack.
+   *  objects/credit-card (https://github.com/MISP/misp-
+      objects/blob/main/objects/credit-card/definition.json) - A payment
+      card like credit card, debit card or any similar cards which can
+      be used for financial transactions.
 
-   o  cowrie - Cowrie honeypot object template.
+   *  objects/crypto-material (https://github.com/MISP/misp-
+      objects/blob/main/objects/crypto-material/definition.json) -
+      Cryptographic materials such as public or/and private keys.
 
-   o  credential - Credential describes one or more credential(s)
-      including password(s), api key(s) or decryption key(s).
+   *  objects/cytomic-orion-file (https://github.com/MISP/misp-
+      objects/blob/main/objects/cytomic-orion-file/definition.json) -
+      Cytomic Orion File Detection.
 
-   o  credit-card - A payment card like credit card, debit card or any
-      similar cards which can be used for financial transactions.
+   *  objects/cytomic-orion-machine (https://github.com/MISP/misp-
+      objects/blob/main/objects/cytomic-orion-machine/definition.json) -
+      Cytomic Orion File at Machine Detection.
 
-   o  ddos - DDoS object describes a current DDoS activity from a
-      specific or/and to a specific target.  Type of DDoS can be
-      attached to the object as a taxonomy.
+   *  objects/dark-pattern-item (https://github.com/MISP/misp-
+      objects/blob/main/objects/dark-pattern-item/definition.json) - An
+      Item whose User Interface implements a dark pattern.
 
-   o  device - An object to define a device.
+   *  objects/ddos (https://github.com/MISP/misp-
+      objects/blob/main/objects/ddos/definition.json) - DDoS object
+      describes a current DDoS activity from a specific or/and to a
+      specific target.  Type of DDoS can be attached to the object as a
+      taxonomy.
 
-   o  diameter-attack - Attack as seen on diameter authentication
-      against a GSM, UMTS or LTE network.
+   *  objects/device (https://github.com/MISP/misp-
+      objects/blob/main/objects/device/definition.json) - An object to
+      define a device.
 
-   o  domain-ip - A domain and IP address seen as a tuple in a specific
-      time frame.
+   *  objects/diameter-attack (https://github.com/MISP/misp-
+      objects/blob/main/objects/diameter-attack/definition.json) -
+      Attack as seen on diameter authentication against a GSM, UMTS or
+      LTE network.
 
-   o  elf - Object describing a Executable and Linkable Format.
+   *  objects/dns-record (https://github.com/MISP/misp-
+      objects/blob/main/objects/dns-record/definition.json) - A set of
+      DNS records observed for a specific domain.
 
-   o  elf-section - Object describing a section of an Executable and
-      Linkable Format.
+   *  objects/domain-crawled (https://github.com/MISP/misp-
+      objects/blob/main/objects/domain-crawled/definition.json) - A
+      domain crawled over time.
 
-   o  email - Email object describing an email with meta-information.
-
-   o  exploit-poc - Exploit-poc object describing a proof of concept or
-      exploit of a vulnerability.  This object has often a relationship
-      with a vulnerability object.
-
-   o  facial-composite - An object which describes a facial composite.
-
-   o  fail2ban - Fail2ban event.
-
-   o  file - File object describing a file with meta-information.
-
-   o  forensic-case - An object template to describe a digital forensic
-      case.
-
-   o  forensic-evidence - An object template to describe a digital
-      forensic evidence.
-
-   o  geolocation - An object to describe a geographic location.
+   *  objects/domain-ip (https://github.com/MISP/misp-
+      objects/blob/main/objects/domain-ip/definition.json) - A domain/
+      hostname and IP address seen as a tuple in a specific time frame.
 
 
 
 
-Dulaunoy & Iklody       Expires October 12, 2018               [Page 12]
+Dulaunoy & Iklody          Expires 25 May 2022                 [Page 14]
 
-Internet-Draft         MISP object template format            April 2018
+Internet-Draft         MISP object template format         November 2021
 
 
-   o  gtp-attack - GTP attack object as seen on a GSM, UMTS or LTE
-      network.
+   *  objects/elf (https://github.com/MISP/misp-
+      objects/blob/main/objects/elf/definition.json) - Object describing
+      a Executable and Linkable Format.
 
-   o  http-request - A single HTTP request header.
+   *  objects/elf-section (https://github.com/MISP/misp-
+      objects/blob/main/objects/elf-section/definition.json) - Object
+      describing a section of an Executable and Linkable Format.
 
-   o  ilr-impact - Institut Luxembourgeois de Regulation - Impact.
+   *  objects/email (https://github.com/MISP/misp-
+      objects/blob/main/objects/email/definition.json) - Email object
+      describing an email with meta-information.
 
-   o  ilr-notification-incident - Institut Luxembourgeois de Regulation
-      - Notification d'incident.
+   *  objects/employee (https://github.com/MISP/misp-
+      objects/blob/main/objects/employee/definition.json) - An employee
+      and related data points.
 
-   o  internal-reference - Internal reference.
+   *  objects/exploit-poc (https://github.com/MISP/misp-
+      objects/blob/main/objects/exploit-poc/definition.json) - Exploit-
+      poc object describing a proof of concept or exploit of a
+      vulnerability.  This object has often a relationship with a
+      vulnerability object.
 
-   o  interpol-notice - An object which describes a Interpol notice.
+   *  objects/facebook-account (https://github.com/MISP/misp-
+      objects/blob/main/objects/facebook-account/definition.json) -
+      Facebook account.
 
-   o  ip-api-address - IP Address information.  Useful if you are
-      pulling your ip information from ip-api.com.
+   *  objects/facebook-group (https://github.com/MISP/misp-
+      objects/blob/main/objects/facebook-group/definition.json) - Public
+      or private facebook group.
 
-   o  ip-port - An IP address (or domain or hostname) and a port seen as
-      a tuple (or as a triple) in a specific time frame.
+   *  objects/facebook-page (https://github.com/MISP/misp-
+      objects/blob/main/objects/facebook-page/definition.json) -
+      Facebook page.
 
-   o  irc - An IRC object to describe an IRC server and the associated
-      channels.
+   *  objects/facebook-post (https://github.com/MISP/misp-
+      objects/blob/main/objects/facebook-post/definition.json) - Post on
+      a Facebook wall.
 
-   o  ja3 - JA3 is a new technique for creating SSL client fingerprints
-      that are easy to produce and can be easily shared for threat
-      intelligence.  Fingerprints are composed of Client Hello packet;
-      SSL Version, Accepted Ciphers, List of Extensions, Elliptic
-      Curves, and Elliptic Curve Formats. https://github.com/salesforce/
-      ja3 [2].
+   *  objects/facial-composite (https://github.com/MISP/misp-
+      objects/blob/main/objects/facial-composite/definition.json) - An
+      object which describes a facial composite.
 
-   o  legal-entity - An object to describe a legal entity.
+   *  objects/fail2ban (https://github.com/MISP/misp-
+      objects/blob/main/objects/fail2ban/definition.json) - Fail2ban
+      event.
 
-   o  lnk - LNK object describing a Windows LNK binary file (aka Windows
-      shortcut).
 
-   o  macho - Object describing a file in Mach-O format.
 
-   o  macho-section - Object describing a section of a file in Mach-O
-      format.
 
-   o  mactime-timeline-analysis - Mactime template, used in forensic
+
+
+Dulaunoy & Iklody          Expires 25 May 2022                 [Page 15]
+
+Internet-Draft         MISP object template format         November 2021
+
+
+   *  objects/favicon (https://github.com/MISP/misp-
+      objects/blob/main/objects/favicon/definition.json) - A favicon,
+      also known as a shortcut icon, website icon, tab icon, URL icon,
+      or bookmark icon, is a file containing one or more small icons,
+      associated with a particular website or web page.  The object
+      template can include the murmur3 hash of the favicon to facilitate
+      correlation.
+
+   *  objects/file (https://github.com/MISP/misp-
+      objects/blob/main/objects/file/definition.json) - File object
+      describing a file with meta-information.
+
+   *  objects/forensic-case (https://github.com/MISP/misp-
+      objects/blob/main/objects/forensic-case/definition.json) - An
+      object template to describe a digital forensic case.
+
+   *  objects/forensic-evidence (https://github.com/MISP/misp-
+      objects/blob/main/objects/forensic-evidence/definition.json) - An
+      object template to describe a digital forensic evidence.
+
+   *  objects/forged-document (https://github.com/MISP/misp-
+      objects/blob/main/objects/forged-document/definition.json) -
+      Object describing a forged document.
+
+   *  objects/ftm-Airplane (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-Airplane/definition.json) - .
+
+   *  objects/ftm-Assessment (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-Assessment/definition.json) - .
+
+   *  objects/ftm-Asset (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-Asset/definition.json) - .
+
+   *  objects/ftm-Associate (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-Associate/definition.json) - Non-
+      family association between two people.
+
+   *  objects/ftm-Audio (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-Audio/definition.json) - .
+
+   *  objects/ftm-BankAccount (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-BankAccount/definition.json) - .
+
+   *  objects/ftm-Call (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-Call/definition.json) - .
+
+   *  objects/ftm-Company (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-Company/definition.json) - .
+
+
+
+Dulaunoy & Iklody          Expires 25 May 2022                 [Page 16]
+
+Internet-Draft         MISP object template format         November 2021
+
+
+   *  objects/ftm-Contract (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-Contract/definition.json) - An
+      contract or contract lot issued by an authority.  Multiple lots
+      may be awarded to different suppliers (see ContractAward). .
+
+   *  objects/ftm-ContractAward (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-ContractAward/definition.json) - A
+      contract or contract lot as awarded to a supplier.
+
+   *  objects/ftm-CourtCase (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-CourtCase/definition.json) - .
+
+   *  objects/ftm-CourtCaseParty (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-CourtCaseParty/definition.json) - .
+
+   *  objects/ftm-Debt (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-Debt/definition.json) - A monetary
+      debt between two parties.
+
+   *  objects/ftm-Directorship (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-Directorship/definition.json) - .
+
+   *  objects/ftm-Document (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-Document/definition.json) - .
+
+   *  objects/ftm-Documentation (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-Documentation/definition.json) - .
+
+   *  objects/ftm-EconomicActivity (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-EconomicActivity/definition.json) -
+      A foreign economic activity.
+
+   *  objects/ftm-Email (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-Email/definition.json) - .
+
+   *  objects/ftm-Event (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-Event/definition.json) - .
+
+   *  objects/ftm-Family (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-Family/definition.json) - Family
+      relationship between two people.
+
+   *  objects/ftm-Folder (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-Folder/definition.json) - .
+
+   *  objects/ftm-HyperText (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-HyperText/definition.json) - .
+
+
+
+
+Dulaunoy & Iklody          Expires 25 May 2022                 [Page 17]
+
+Internet-Draft         MISP object template format         November 2021
+
+
+   *  objects/ftm-Image (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-Image/definition.json) - .
+
+   *  objects/ftm-Land (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-Land/definition.json) - .
+
+   *  objects/ftm-LegalEntity (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-LegalEntity/definition.json) - A
+      legal entity may be a person or a company.
+
+   *  objects/ftm-License (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-License/definition.json) - A grant
+      of land, rights or property.  A type of Contract.
+
+   *  objects/ftm-Membership (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-Membership/definition.json) - .
+
+   *  objects/ftm-Message (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-Message/definition.json) - .
+
+   *  objects/ftm-Organization (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-Organization/definition.json) - .
+
+   *  objects/ftm-Ownership (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-Ownership/definition.json) - .
+
+   *  objects/ftm-Package (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-Package/definition.json) - .
+
+   *  objects/ftm-Page (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-Page/definition.json) - .
+
+   *  objects/ftm-Pages (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-Pages/definition.json) - .
+
+   *  objects/ftm-Passport (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-Passport/definition.json) -
+      Passport.
+
+   *  objects/ftm-Payment (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-Payment/definition.json) - A
+      monetary payment between two parties.
+
+   *  objects/ftm-Person (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-Person/definition.json) - An
+      individual.
+
+
+
+
+
+Dulaunoy & Iklody          Expires 25 May 2022                 [Page 18]
+
+Internet-Draft         MISP object template format         November 2021
+
+
+   *  objects/ftm-PlainText (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-PlainText/definition.json) - .
+
+   *  objects/ftm-PublicBody (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-PublicBody/definition.json) - A
+      public body, such as a ministry, department or state company.
+
+   *  objects/ftm-RealEstate (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-RealEstate/definition.json) - A
+      piece of land or property.
+
+   *  objects/ftm-Representation (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-Representation/definition.json) - A
+      mediatory, intermediary, middleman, or broker acting on behalf of
+      a legal entity.
+
+   *  objects/ftm-Row (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-Row/definition.json) - .
+
+   *  objects/ftm-Sanction (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-Sanction/definition.json) - A
+      sanction designation.
+
+   *  objects/ftm-Succession (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-Succession/definition.json) - Two
+      entities that legally succeed each other.
+
+   *  objects/ftm-Table (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-Table/definition.json) - .
+
+   *  objects/ftm-TaxRoll (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-TaxRoll/definition.json) - A tax
+      declaration of an individual.
+
+   *  objects/ftm-UnknownLink (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-UnknownLink/definition.json) - .
+
+   *  objects/ftm-UserAccount (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-UserAccount/definition.json) - .
+
+   *  objects/ftm-Vehicle (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-Vehicle/definition.json) - .
+
+   *  objects/ftm-Vessel (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-Vessel/definition.json) - A boat or
+      ship.
+
+
+
+
+
+Dulaunoy & Iklody          Expires 25 May 2022                 [Page 19]
+
+Internet-Draft         MISP object template format         November 2021
+
+
+   *  objects/ftm-Video (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-Video/definition.json) - .
+
+   *  objects/ftm-Workbook (https://github.com/MISP/misp-
+      objects/blob/main/objects/ftm-Workbook/definition.json) - .
+
+   *  objects/geolocation (https://github.com/MISP/misp-
+      objects/blob/main/objects/geolocation/definition.json) - An object
+      to describe a geographic location.
+
+   *  objects/git-vuln-finder (https://github.com/MISP/misp-
+      objects/blob/main/objects/git-vuln-finder/definition.json) -
+      Export from git-vuln-finder.
+
+   *  objects/github-user (https://github.com/MISP/misp-
+      objects/blob/main/objects/github-user/definition.json) - GitHub
+      user.
+
+   *  objects/gitlab-user (https://github.com/MISP/misp-
+      objects/blob/main/objects/gitlab-user/definition.json) - GitLab
+      user.  Gitlab.com user or self-hosted GitLab instance.
+
+   *  objects/gtp-attack (https://github.com/MISP/misp-
+      objects/blob/main/objects/gtp-attack/definition.json) - GTP attack
+      object as seen on a GSM, UMTS or LTE network.
+
+   *  objects/http-request (https://github.com/MISP/misp-
+      objects/blob/main/objects/http-request/definition.json) - A single
+      HTTP request header.
+
+   *  objects/ilr-impact (https://github.com/MISP/misp-
+      objects/blob/main/objects/ilr-impact/definition.json) - Institut
+      Luxembourgeois de Regulation - Impact.
+
+   *  objects/ilr-notification-incident (https://github.com/MISP/misp-
+      objects/blob/main/objects/ilr-notification-incident/
+      definition.json) - Institut Luxembourgeois de Regulation -
+      Notification d'incident.
+
+   *  objects/image (https://github.com/MISP/misp-
+      objects/blob/main/objects/image/definition.json) - Object
+      describing an image file.
+
+   *  objects/impersonation (https://github.com/MISP/misp-
+      objects/blob/main/objects/impersonation/definition.json) -
+      Represent an impersonating account.
+
+
+
+
+
+Dulaunoy & Iklody          Expires 25 May 2022                 [Page 20]
+
+Internet-Draft         MISP object template format         November 2021
+
+
+   *  objects/imsi-catcher (https://github.com/MISP/misp-
+      objects/blob/main/objects/imsi-catcher/definition.json) - IMSI
+      Catcher entry object based on the open source IMSI cather.
+
+   *  objects/instant-message (https://github.com/MISP/misp-
+      objects/blob/main/objects/instant-message/definition.json) -
+      Instant Message (IM) object template describing one or more IM
+      message.
+
+   *  objects/instant-message-group (https://github.com/MISP/misp-
+      objects/blob/main/objects/instant-message-group/definition.json) -
+      Instant Message (IM) group object template describing a public or
+      private IM group, channel or conversation.
+
+   *  objects/intel471-vulnerability-intelligence
+      (https://github.com/MISP/misp-objects/blob/main/objects/intel471-
+      vulnerability-intelligence/definition.json) - Intel 471
+      vulnerability intelligence object.
+
+   *  objects/intelmq_event (https://github.com/MISP/misp-
+      objects/blob/main/objects/intelmq_event/definition.json) - IntelMQ
+      Event.
+
+   *  objects/intelmq_report (https://github.com/MISP/misp-
+      objects/blob/main/objects/intelmq_report/definition.json) -
+      IntelMQ Report.
+
+   *  objects/internal-reference (https://github.com/MISP/misp-
+      objects/blob/main/objects/internal-reference/definition.json) -
+      Internal reference.
+
+   *  objects/interpol-notice (https://github.com/MISP/misp-
+      objects/blob/main/objects/interpol-notice/definition.json) - An
+      object which describes a Interpol notice.
+
+   *  objects/iot-device (https://github.com/MISP/misp-
+      objects/blob/main/objects/iot-device/definition.json) - An IoT
+      device.
+
+   *  objects/iot-firmware (https://github.com/MISP/misp-
+      objects/blob/main/objects/iot-firmware/definition.json) - A
+      firmware for an IoT device.
+
+   *  objects/ip-api-address (https://github.com/MISP/misp-
+      objects/blob/main/objects/ip-api-address/definition.json) - IP
+      Address information.  Useful if you are pulling your ip
+      information from ip-api.com.
+
+
+
+
+Dulaunoy & Iklody          Expires 25 May 2022                 [Page 21]
+
+Internet-Draft         MISP object template format         November 2021
+
+
+   *  objects/ip-port (https://github.com/MISP/misp-
+      objects/blob/main/objects/ip-port/definition.json) - An IP address
+      (or domain or hostname) and a port seen as a tuple (or as a
+      triple) in a specific time frame.
+
+   *  objects/irc (https://github.com/MISP/misp-
+      objects/blob/main/objects/irc/definition.json) - An IRC object to
+      describe an IRC server and the associated channels.
+
+   *  objects/ja3 (https://github.com/MISP/misp-
+      objects/blob/main/objects/ja3/definition.json) - JA3 is a new
+      technique for creating SSL client fingerprints that are easy to
+      produce and can be easily shared for threat intelligence.
+      Fingerprints are composed of Client Hello packet; SSL Version,
+      Accepted Ciphers, List of Extensions, Elliptic Curves, and
+      Elliptic Curve Formats. https://github.com/salesforce/ja3
+      (https://github.com/salesforce/ja3).
+
+   *  objects/keybase-account (https://github.com/MISP/misp-
+      objects/blob/main/objects/keybase-account/definition.json) -
+      Information related to a keybase account, from API Users Object.
+
+   *  objects/leaked-document (https://github.com/MISP/misp-
+      objects/blob/main/objects/leaked-document/definition.json) -
+      Object describing a leaked document.
+
+   *  objects/legal-entity (https://github.com/MISP/misp-
+      objects/blob/main/objects/legal-entity/definition.json) - An
+      object to describe a legal entity.
+
+   *  objects/lnk (https://github.com/MISP/misp-
+      objects/blob/main/objects/lnk/definition.json) - LNK object
+      describing a Windows LNK binary file (aka Windows shortcut).
+
+   *  objects/macho (https://github.com/MISP/misp-
+      objects/blob/main/objects/macho/definition.json) - Object
+      describing a file in Mach-O format.
+
+   *  objects/macho-section (https://github.com/MISP/misp-
+      objects/blob/main/objects/macho-section/definition.json) - Object
+      describing a section of a file in Mach-O format.
+
+   *  objects/mactime-timeline-analysis (https://github.com/MISP/misp-
+      objects/blob/main/objects/mactime-timeline-analysis/
+      definition.json) - Mactime template, used in forensic
       investigations to describe the timeline of a file activity.
 
-   o  malware-config - Malware configuration recovered or extracted from
-      a malicious binary.
-
-   o  microblog - Microblog post like a Twitter tweet or a post on a
-      Facebook wall.
 
 
 
-Dulaunoy & Iklody       Expires October 12, 2018               [Page 13]
+
+Dulaunoy & Iklody          Expires 25 May 2022                 [Page 22]
 
-Internet-Draft         MISP object template format            April 2018
+Internet-Draft         MISP object template format         November 2021
 
 
-   o  mutex - Object to describe mutual exclusion locks (mutex) as seen
-      in memory or computer program.
+   *  objects/malware-config (https://github.com/MISP/misp-
+      objects/blob/main/objects/malware-config/definition.json) -
+      Malware configuration recovered or extracted from a malicious
+      binary.
 
-   o  netflow - Netflow object describes an network object based on the
-      Netflowv5/v9 minimal definition.
+   *  objects/meme-image (https://github.com/MISP/misp-
+      objects/blob/main/objects/meme-image/definition.json) - Object
+      describing a meme (image).
 
-   o  network-connection - A local or remote network connection.
+   *  objects/microblog (https://github.com/MISP/misp-
+      objects/blob/main/objects/microblog/definition.json) - Microblog
+      post like a Twitter tweet or a post on a Facebook wall.
 
-   o  network-socket - Network socket object describes a local or remote
-      network connections based on the socket data structure.
+   *  objects/mutex (https://github.com/MISP/misp-
+      objects/blob/main/objects/mutex/definition.json) - Object to
+      describe mutual exclusion locks (mutex) as seen in memory or
+      computer program.
 
-   o  misc - An object which describes an organization.
+   *  objects/narrative (https://github.com/MISP/misp-
+      objects/blob/main/objects/narrative/definition.json) - Object
+      describing a narrative.
 
-   o  original-imported-file - Object describing the original file used
-      to import data in MISP.
+   *  objects/netflow (https://github.com/MISP/misp-
+      objects/blob/main/objects/netflow/definition.json) - Netflow
+      object describes an network object based on the Netflowv5/v9
+      minimal definition.
 
-   o  passive-dns - Passive DNS records as expressed in draft-dulaunoy-
-      dnsop-passive-dns-cof-01.
+   *  objects/network-connection (https://github.com/MISP/misp-
+      objects/blob/main/objects/network-connection/definition.json) - A
+      local or remote network connection.
 
-   o  paste - Paste or similar post from a website allowing to share
-      privately or publicly posts.
+   *  objects/network-socket (https://github.com/MISP/misp-
+      objects/blob/main/objects/network-socket/definition.json) -
+      Network socket object describes a local or remote network
+      connections based on the socket data structure.
 
-   o  pcap-metadata - Network packet capture metadata.
+   *  objects/news-agency (https://github.com/MISP/misp-
+      objects/blob/main/objects/news-agency/definition.json) - News
+      agencies compile news and disseminate news in bulk.
 
-   o  pe - Object describing a Portable Executable.
+   *  objects/news-media (https://github.com/MISP/misp-
+      objects/blob/main/objects/news-media/definition.json) - News media
+      are forms of mass media delivering news to the general public.
 
-   o  pe-section - Object describing a section of a Portable Executable.
-
-   o  person - An object which describes a person or an identity.
-
-   o  phishing - Phishing template to describe a phishing website and
-      its analysis.
-
-   o  phishing-kit - Object to describe a phishing-kit.
-
-   o  phone - A phone or mobile phone object which describe a phone.
-
-   o  process - Object describing a system process.
-
-   o  python-etvx-event-log - Event log object template to share
-      information of the activities conducted on a system. .
-
-   o  r2graphity - Indicators extracted from files using radare2 and
-      graphml.
-
-   o  regexp - An object describing a regular expression (regex or
-      regexp).  The object can be linked via a relationship to other
+   *  objects/organization (https://github.com/MISP/misp-
+      objects/blob/main/objects/organization/definition.json) - An
+      object which describes an organization.
 
 
 
 
-Dulaunoy & Iklody       Expires October 12, 2018               [Page 14]
+Dulaunoy & Iklody          Expires 25 May 2022                 [Page 23]
 
-Internet-Draft         MISP object template format            April 2018
+Internet-Draft         MISP object template format         November 2021
 
 
-      attributes or objects to describe how it can be represented as a
-      regular expression.
+   *  objects/original-imported-file (https://github.com/MISP/misp-
+      objects/blob/main/objects/original-imported-file/definition.json)
+      - Object describing the original file used to import data in MISP.
 
-   o  registry-key - Registry key object describing a Windows registry
-      key with value and last-modified timestamp.
+   *  objects/parler-account (https://github.com/MISP/misp-
+      objects/blob/main/objects/parler-account/definition.json) - Parler
+      account.
 
-   o  regripper-NTUser - Regripper Object template designed to present
-      user specific configuration details extracted from the NTUSER.dat
-      hive.
+   *  objects/parler-comment (https://github.com/MISP/misp-
+      objects/blob/main/objects/parler-comment/definition.json) - Parler
+      comment.
 
-   o  regripper-sam-hive-single-user - Regripper Object template
-      designed to present user profile details extracted from the SAM
-      hive.
+   *  objects/parler-post (https://github.com/MISP/misp-
+      objects/blob/main/objects/parler-post/definition.json) - Parler
+      post (parley).
 
-   o  regripper-sam-hive-user-group - Regripper Object template designed
-      to present group profile details extracted from the SAM hive.
+   *  objects/passive-dns (https://github.com/MISP/misp-
+      objects/blob/main/objects/passive-dns/definition.json) - Passive
+      DNS records as expressed in draft-dulaunoy-dnsop-passive-dns-cof-
+      01.
 
-   o  regripper-software-hive-BHO - Regripper Object template designed
-      to gather information of the browser helper objects installed on
-      the system.
+   *  objects/paste (https://github.com/MISP/misp-
+      objects/blob/main/objects/paste/definition.json) - Paste or
+      similar post from a website allowing to share privately or
+      publicly posts.
 
-   o  regripper-software-hive-appInit-DLLS - Regripper Object template
-      designed to gather information of the DLL files installed on the
-      system.
+   *  objects/pcap-metadata (https://github.com/MISP/misp-
+      objects/blob/main/objects/pcap-metadata/definition.json) - Network
+      packet capture metadata.
 
-   o  regripper-software-hive-application-paths - Regripper Object
-      template designed to gather information of the application paths.
+   *  objects/pe (https://github.com/MISP/misp-
+      objects/blob/main/objects/pe/definition.json) - Object describing
+      a Portable Executable.
 
-   o  regripper-software-hive-applications-installed - Regripper Object
-      template designed to gather information of the applications
+   *  objects/pe-section (https://github.com/MISP/misp-
+      objects/blob/main/objects/pe-section/definition.json) - Object
+      describing a section of a Portable Executable.
+
+   *  objects/person (https://github.com/MISP/misp-
+      objects/blob/main/objects/person/definition.json) - An object
+      which describes a person or an identity.
+
+   *  objects/pgp-meta (https://github.com/MISP/misp-
+      objects/blob/main/objects/pgp-meta/definition.json) - Metadata
+      extracted from a PGP keyblock, message or signature.
+
+
+
+
+
+
+Dulaunoy & Iklody          Expires 25 May 2022                 [Page 24]
+
+Internet-Draft         MISP object template format         November 2021
+
+
+   *  objects/phishing (https://github.com/MISP/misp-
+      objects/blob/main/objects/phishing/definition.json) - Phishing
+      template to describe a phishing website and its analysis.
+
+   *  objects/phishing-kit (https://github.com/MISP/misp-
+      objects/blob/main/objects/phishing-kit/definition.json) - Object
+      to describe a phishing-kit.
+
+   *  objects/phone (https://github.com/MISP/misp-
+      objects/blob/main/objects/phone/definition.json) - A phone or
+      mobile phone object which describe a phone.
+
+   *  objects/process (https://github.com/MISP/misp-
+      objects/blob/main/objects/process/definition.json) - Object
+      describing a system process.
+
+   *  objects/publication (https://github.com/MISP/misp-
+      objects/blob/main/objects/publication/definition.json) - An object
+      to describe a book, journal, or academic publication.
+
+   *  objects/python-etvx-event-log (https://github.com/MISP/misp-
+      objects/blob/main/objects/python-etvx-event-log/definition.json) -
+      Event log object template to share information of the activities
+      conducted on a system. .
+
+   *  objects/r2graphity (https://github.com/MISP/misp-
+      objects/blob/main/objects/r2graphity/definition.json) - Indicators
+      extracted from files using radare2 and graphml.
+
+   *  objects/reddit-account (https://github.com/MISP/misp-
+      objects/blob/main/objects/reddit-account/definition.json) - Reddit
+      account.
+
+   *  objects/reddit-comment (https://github.com/MISP/misp-
+      objects/blob/main/objects/reddit-comment/definition.json) - A
+      Reddit post comment.
+
+   *  objects/reddit-post (https://github.com/MISP/misp-
+      objects/blob/main/objects/reddit-post/definition.json) - A Reddit
+      post.
+
+   *  objects/reddit-subreddit (https://github.com/MISP/misp-
+      objects/blob/main/objects/reddit-subreddit/definition.json) -
+      Public or private subreddit.
+
+
+
+
+
+
+
+Dulaunoy & Iklody          Expires 25 May 2022                 [Page 25]
+
+Internet-Draft         MISP object template format         November 2021
+
+
+   *  objects/regexp (https://github.com/MISP/misp-
+      objects/blob/main/objects/regexp/definition.json) - An object
+      describing a regular expression (regex or regexp).  The object can
+      be linked via a relationship to other attributes or objects to
+      describe how it can be represented as a regular expression.
+
+   *  objects/registry-key (https://github.com/MISP/misp-
+      objects/blob/main/objects/registry-key/definition.json) - Registry
+      key object describing a Windows registry key with value and last-
+      modified timestamp.
+
+   *  objects/regripper-NTUser (https://github.com/MISP/misp-
+      objects/blob/main/objects/regripper-NTUser/definition.json) -
+      Regripper Object template designed to present user specific
+      configuration details extracted from the NTUSER.dat hive.
+
+   *  objects/regripper-sam-hive-single-user (https://github.com/MISP/
+      misp-objects/blob/main/objects/regripper-sam-hive-single-user/
+      definition.json) - Regripper Object template designed to present
+      user profile details extracted from the SAM hive.
+
+   *  objects/regripper-sam-hive-user-group (https://github.com/MISP/
+      misp-objects/blob/main/objects/regripper-sam-hive-user-group/
+      definition.json) - Regripper Object template designed to present
+      group profile details extracted from the SAM hive.
+
+   *  objects/regripper-software-hive-BHO (https://github.com/MISP/misp-
+      objects/blob/main/objects/regripper-software-hive-BHO/
+      definition.json) - Regripper Object template designed to gather
+      information of the browser helper objects installed on the system.
+
+   *  objects/regripper-software-hive-appInit-DLLS
+      (https://github.com/MISP/misp-objects/blob/main/objects/regripper-
+      software-hive-appInit-DLLS/definition.json) - Regripper Object
+      template designed to gather information of the DLL files installed
+      on the system.
+
+   *  objects/regripper-software-hive-application-paths
+      (https://github.com/MISP/misp-objects/blob/main/objects/regripper-
+      software-hive-application-paths/definition.json) - Regripper
+      Object template designed to gather information of the application
+      paths.
+
+   *  objects/regripper-software-hive-applications-installed
+      (https://github.com/MISP/misp-objects/blob/main/objects/regripper-
+      software-hive-applications-installed/definition.json) - Regripper
+      Object template designed to gather information of the applications
       installed on the system.
 
-   o  regripper-software-hive-command-shell - Regripper Object template
-      designed to gather information of the shell commands executed on
-      the system.
-
-   o  regripper-software-hive-windows-general-info - Regripper Object
-      template designed to gather general windows information extracted
-      from the software-hive.
-
-   o  regripper-software-hive-software-run - Regripper Object template
-      designed to gather information of the applications set to run on
-      the system.
-
-   o  regripper-software-hive-userprofile-winlogon - Regripper Object
-      template designed to gather user profile information when the user
-      logs onto the system, gathered from the software hive.
 
 
-
-
-Dulaunoy & Iklody       Expires October 12, 2018               [Page 15]
+Dulaunoy & Iklody          Expires 25 May 2022                 [Page 26]
 
-Internet-Draft         MISP object template format            April 2018
+Internet-Draft         MISP object template format         November 2021
 
 
-   o  regripper-system-hive-firewall-configuration - Regripper Object
-      template designed to present firewall configuration information
+   *  objects/regripper-software-hive-command-shell
+      (https://github.com/MISP/misp-objects/blob/main/objects/regripper-
+      software-hive-command-shell/definition.json) - Regripper Object
+      template designed to gather information of the shell commands
+      executed on the system.
+
+   *  objects/regripper-software-hive-software-run
+      (https://github.com/MISP/misp-objects/blob/main/objects/regripper-
+      software-hive-software-run/definition.json) - Regripper Object
+      template designed to gather information of the applications set to
+      run on the system.
+
+   *  objects/regripper-software-hive-userprofile-winlogon
+      (https://github.com/MISP/misp-objects/blob/main/objects/regripper-
+      software-hive-userprofile-winlogon/definition.json) - Regripper
+      Object template designed to gather user profile information when
+      the user logs onto the system, gathered from the software hive.
+
+   *  objects/regripper-software-hive-windows-general-info
+      (https://github.com/MISP/misp-objects/blob/main/objects/regripper-
+      software-hive-windows-general-info/definition.json) - Regripper
+      Object template designed to gather general windows information
+      extracted from the software-hive.
+
+   *  objects/regripper-system-hive-firewall-configuration
+      (https://github.com/MISP/misp-objects/blob/main/objects/regripper-
+      system-hive-firewall-configuration/definition.json) - Regripper
+      Object template designed to present firewall configuration
+      information extracted from the system-hive.
+
+   *  objects/regripper-system-hive-general-configuration
+      (https://github.com/MISP/misp-objects/blob/main/objects/regripper-
+      system-hive-general-configuration/definition.json) - Regripper
+      Object template designed to present general system properties
       extracted from the system-hive.
 
-   o  regripper-system-hive-general-configuration - Regripper Object
-      template designed to present general system properties extracted
-      from the system-hive.
+   *  objects/regripper-system-hive-network-information
+      (https://github.com/MISP/misp-objects/blob/main/objects/regripper-
+      system-hive-network-information/definition.json) - Regripper
+      object template designed to gather network information from the
+      system-hive.
 
-   o  regripper-system-hive-network-information. - Regripper object
-      template designed to gather network information from the system-
-      hive.
+   *  objects/regripper-system-hive-services-drivers
+      (https://github.com/MISP/misp-objects/blob/main/objects/regripper-
+      system-hive-services-drivers/definition.json) - Regripper Object
+      template designed to gather information regarding the services/
+      drivers from the system-hive.
 
-   o  regripper-system-hive-services-drivers - Regripper Object template
-      designed to gather information regarding the services/drivers from
-      the system-hive.
 
-   o  report - Metadata used to generate an executive level report.
 
-   o  research-scanner - Information related to known scanning activity
-      (e.g. from research projects).
 
-   o  rogue-dns - Rogue DNS as defined by CERT.br.
+Dulaunoy & Iklody          Expires 25 May 2022                 [Page 27]
+
+Internet-Draft         MISP object template format         November 2021
 
-   o  rtir - RTIR - Request Tracker for Incident Response.
 
-   o  sandbox-report - Sandbox report.
+   *  objects/report (https://github.com/MISP/misp-
+      objects/blob/main/objects/report/definition.json) - Metadata used
+      to generate an executive level report.
 
-   o  sb-signature - Sandbox detection signature.
+   *  objects/research-scanner (https://github.com/MISP/misp-
+      objects/blob/main/objects/research-scanner/definition.json) -
+      Information related to known scanning activity (e.g. from research
+      projects).
 
-   o  script - Object describing a computer program written to be run in
-      a special run-time environment.  The script or shell script can be
-      used for malicious activities but also as support tools for threat
+   *  objects/rogue-dns (https://github.com/MISP/misp-
+      objects/blob/main/objects/rogue-dns/definition.json) - Rogue DNS
+      as defined by CERT.br.
+
+   *  objects/rtir (https://github.com/MISP/misp-
+      objects/blob/main/objects/rtir/definition.json) - RTIR - Request
+      Tracker for Incident Response.
+
+   *  objects/sandbox-report (https://github.com/MISP/misp-
+      objects/blob/main/objects/sandbox-report/definition.json) -
+      Sandbox report.
+
+   *  objects/sb-signature (https://github.com/MISP/misp-
+      objects/blob/main/objects/sb-signature/definition.json) - Sandbox
+      detection signature.
+
+   *  objects/scheduled-event (https://github.com/MISP/misp-
+      objects/blob/main/objects/scheduled-event/definition.json) - Event
+      object template describing a gathering of individuals in
+      meatspace.
+
+   *  objects/scrippsco2-c13-daily (https://github.com/MISP/misp-
+      objects/blob/main/objects/scrippsco2-c13-daily/definition.json) -
+      Daily average C13 concentrations (ppm) derived from flask air
+      samples.
+
+   *  objects/scrippsco2-c13-monthly (https://github.com/MISP/misp-
+      objects/blob/main/objects/scrippsco2-c13-monthly/definition.json)
+      - Monthly average C13 concentrations (ppm) derived from flask air
+      samples.
+
+   *  objects/scrippsco2-co2-daily (https://github.com/MISP/misp-
+      objects/blob/main/objects/scrippsco2-co2-daily/definition.json) -
+      Daily average CO2 concentrations (ppm) derived from flask air
+      samples.
+
+
+
+
+
+
+
+Dulaunoy & Iklody          Expires 25 May 2022                 [Page 28]
+
+Internet-Draft         MISP object template format         November 2021
+
+
+   *  objects/scrippsco2-co2-monthly (https://github.com/MISP/misp-
+      objects/blob/main/objects/scrippsco2-co2-monthly/definition.json)
+      - Monthly average CO2 concentrations (ppm) derived from flask air
+      samples.
+
+   *  objects/scrippsco2-o18-daily (https://github.com/MISP/misp-
+      objects/blob/main/objects/scrippsco2-o18-daily/definition.json) -
+      Daily average O18 concentrations (ppm) derived from flask air
+      samples.
+
+   *  objects/scrippsco2-o18-monthly (https://github.com/MISP/misp-
+      objects/blob/main/objects/scrippsco2-o18-monthly/definition.json)
+      - Monthly average O18 concentrations (ppm) derived from flask air
+      samples.
+
+   *  objects/script (https://github.com/MISP/misp-
+      objects/blob/main/objects/script/definition.json) - Object
+      describing a computer program written to be run in a special run-
+      time environment.  The script or shell script can be used for
+      malicious activities but also as support tools for threat
       analysts.
 
-   o  shell-commands - Object describing a series of shell commands
-      executed.  This object can be linked with malicious files in order
-      to describe a specific execution of shell commands.
+   *  objects/shell-commands (https://github.com/MISP/misp-
+      objects/blob/main/objects/shell-commands/definition.json) - Object
+      describing a series of shell commands executed.  This object can
+      be linked with malicious files in order to describe a specific
+      execution of shell commands.
 
-   o  short-message-service - Short Message Service (SMS) object
-      template describing one or more SMS message.  Restriction of the
-      initial format 3GPP 23.038 GSM character set doesn't apply.
+   *  objects/shodan-report (https://github.com/MISP/misp-
+      objects/blob/main/objects/shodan-report/definition.json) - Shodan
+      Report for a given IP.
 
-   o  shortened-link - Shortened link and its redirect target.
+   *  objects/short-message-service (https://github.com/MISP/misp-
+      objects/blob/main/objects/short-message-service/definition.json) -
+      Short Message Service (SMS) object template describing one or more
+      SMS message.  Restriction of the initial format 3GPP 23.038 GSM
+      character set doesn't apply.
 
-   o  splunk - Splunk / Splunk ES object.
+   *  objects/shortened-link (https://github.com/MISP/misp-
+      objects/blob/main/objects/shortened-link/definition.json) -
+      Shortened link and its redirect target.
 
-   o  ss7-attack - SS7 object of an attack seen on a GSM, UMTS or LTE
-      network via SS7 logging.
+   *  objects/social-media-group (https://github.com/MISP/misp-
+      objects/blob/main/objects/social-media-group/definition.json) -
+      Social media group object template describing a public or private
+      group or channel.
 
 
 
-Dulaunoy & Iklody       Expires October 12, 2018               [Page 16]
+
+
+Dulaunoy & Iklody          Expires 25 May 2022                 [Page 29]
 
-Internet-Draft         MISP object template format            April 2018
+Internet-Draft         MISP object template format         November 2021
 
 
-   o  ssh-authorized-keys - An object to store ssh authorized keys file.
+   *  objects/splunk (https://github.com/MISP/misp-
+      objects/blob/main/objects/splunk/definition.json) - Splunk /
+      Splunk ES object.
 
-   o  stix2-pattern - An object describing a STIX pattern.  The object
-      can be linked via a relationship to other attributes or objects to
-      describe how it can be represented as a STIX pattern.
+   *  objects/ss7-attack (https://github.com/MISP/misp-
+      objects/blob/main/objects/ss7-attack/definition.json) - SS7 object
+      of an attack seen on a GSM, UMTS or LTE network via SS7 logging.
 
-   o  suricata - An object describing one or more Suricata rule(s) along
-      with version and contextual information.
+   *  objects/ssh-authorized-keys (https://github.com/MISP/misp-
+      objects/blob/main/objects/ssh-authorized-keys/definition.json) -
+      An object to store ssh authorized keys file.
 
-   o  target-system - Description about an targeted system, this could
-      potentially be a compromissed internal system.
+   *  objects/stix2-pattern (https://github.com/MISP/misp-
+      objects/blob/main/objects/stix2-pattern/definition.json) - An
+      object describing a STIX pattern.  The object can be linked via a
+      relationship to other attributes or objects to describe how it can
+      be represented as a STIX pattern.
 
-   o  threatgrid-report - ThreatGrid report.
+   *  objects/suricata (https://github.com/MISP/misp-
+      objects/blob/main/objects/suricata/definition.json) - An object
+      describing one or more Suricata rule(s) along with version and
+      contextual information.
 
-   o  timecode - Timecode object to describe a start of video sequence
-      (e.g.  CCTV evidence) and the end of the video sequence.
+   *  objects/target-system (https://github.com/MISP/misp-
+      objects/blob/main/objects/target-system/definition.json) -
+      Description about an targeted system, this could potentially be a
+      compromissed internal system.
 
-   o  timesketch-timeline - A timesketch timeline object based on
-      mandatory field in timesketch to describe a log entry.
+   *  objects/threatgrid-report (https://github.com/MISP/misp-
+      objects/blob/main/objects/threatgrid-report/definition.json) -
+      ThreatGrid report.
 
-   o  timesketch_message - A timesketch message entry.
+   *  objects/timecode (https://github.com/MISP/misp-
+      objects/blob/main/objects/timecode/definition.json) - Timecode
+      object to describe a start of video sequence (e.g.  CCTV evidence)
+      and the end of the video sequence.
 
-   o  timestamp - A generic timestamp object to represent time including
-      first time and last time seen.  Relationship will then define the
-      kind of time relationship.
+   *  objects/timesketch-timeline (https://github.com/MISP/misp-
+      objects/blob/main/objects/timesketch-timeline/definition.json) - A
+      timesketch timeline object based on mandatory field in timesketch
+      to describe a log entry.
 
-   o  tor-hiddenservice - Tor hidden service (onion service) object.
-
-   o  tor-node - Tor node (which protects your privacy on the internet
-      by hiding the connection between users Internet address and the
-      services used by the users) description which are part of the Tor
-      network at a time.
-
-   o  tracking-id - Analytics and tracking ID such as used in Google
-      Analytics or other analytic platform.
-
-   o  transaction - An object to describe a financial transaction.
-
-   o  url - url object describes an url along with its normalized field
-      (like extracted using faup parsing library) and its metadata.
-
-   o  vehicle - Vehicle object template to describe a vehicle
-      information and registration.
-
-   o  victim - Victim object describes the target of an attack or abuse.
-
-   o  virustotal-report - VirusTotal report.
+   *  objects/timesketch_message (https://github.com/MISP/misp-
+      objects/blob/main/objects/timesketch_message/definition.json) - A
+      timesketch message entry.
 
 
 
 
-Dulaunoy & Iklody       Expires October 12, 2018               [Page 17]
+
+
+Dulaunoy & Iklody          Expires 25 May 2022                 [Page 30]
 
-Internet-Draft         MISP object template format            April 2018
+Internet-Draft         MISP object template format         November 2021
 
 
-   o  vulnerability - Vulnerability object describing a common
-      vulnerability enumeration which can describe published,
-      unpublished, under review or embargo vulnerability for software,
-      equipments or hardware.
+   *  objects/timestamp (https://github.com/MISP/misp-
+      objects/blob/main/objects/timestamp/definition.json) - A generic
+      timestamp object to represent time including first time and last
+      time seen.  Relationship will then define the kind of time
+      relationship.
 
-   o  whois - Whois records information for a domain name or an IP
-      address.
+   *  objects/tor-hiddenservice (https://github.com/MISP/misp-
+      objects/blob/main/objects/tor-hiddenservice/definition.json) - Tor
+      hidden service (onion service) object.
 
-   o  x509 - x509 object describing a X.509 certificate.
+   *  objects/tor-node (https://github.com/MISP/misp-
+      objects/blob/main/objects/tor-node/definition.json) - Tor node
+      (which protects your privacy on the internet by hiding the
+      connection between users Internet address and the services used by
+      the users) description which are part of the Tor network at a
+      time.
 
-   o  yabin - yabin.py generates Yara rules from function prologs, for
-      matching and hunting binaries. ref: https://github.com/AlienVault-
-      OTX/yabin [3].
+   *  objects/tracking-id (https://github.com/MISP/misp-
+      objects/blob/main/objects/tracking-id/definition.json) - Analytics
+      and tracking ID such as used in Google Analytics or other analytic
+      platform.
 
-   o  yara - An object describing a YARA rule along with its version.
+   *  objects/transaction (https://github.com/MISP/misp-
+      objects/blob/main/objects/transaction/definition.json) - An object
+      to describe a financial transaction.
+
+   *  objects/translation (https://github.com/MISP/misp-
+      objects/blob/main/objects/translation/definition.json) - Used to
+      keep a text and its translation.
+
+   *  objects/trustar_report (https://github.com/MISP/misp-
+      objects/blob/main/objects/trustar_report/definition.json) -
+      TruStar Report.
+
+   *  objects/tsk-chats (https://github.com/MISP/misp-
+      objects/blob/main/objects/tsk-chats/definition.json) - An Object
+      Template to gather information from evidential or interesting
+      exchange of messages identified during a digital forensic
+      investigation.
+
+   *  objects/tsk-web-bookmark (https://github.com/MISP/misp-
+      objects/blob/main/objects/tsk-web-bookmark/definition.json) - An
+      Object Template to add evidential bookmarks identified during a
+      digital forensic investigation.
+
+
+
+
+
+
+
+Dulaunoy & Iklody          Expires 25 May 2022                 [Page 31]
+
+Internet-Draft         MISP object template format         November 2021
+
+
+   *  objects/tsk-web-cookie (https://github.com/MISP/misp-
+      objects/blob/main/objects/tsk-web-cookie/definition.json) - An
+      TSK-Autopsy Object Template to represent cookies identified during
+      a forensic investigation.
+
+   *  objects/tsk-web-downloads (https://github.com/MISP/misp-
+      objects/blob/main/objects/tsk-web-downloads/definition.json) - An
+      Object Template to add web-downloads.
+
+   *  objects/tsk-web-history (https://github.com/MISP/misp-
+      objects/blob/main/objects/tsk-web-history/definition.json) - An
+      Object Template to share web history information.
+
+   *  objects/tsk-web-search-query (https://github.com/MISP/misp-
+      objects/blob/main/objects/tsk-web-search-query/definition.json) -
+      An Object Template to share web search query information.
+
+   *  objects/twitter-account (https://github.com/MISP/misp-
+      objects/blob/main/objects/twitter-account/definition.json) -
+      Twitter account.
+
+   *  objects/twitter-list (https://github.com/MISP/misp-
+      objects/blob/main/objects/twitter-list/definition.json) - Twitter
+      list.
+
+   *  objects/twitter-post (https://github.com/MISP/misp-
+      objects/blob/main/objects/twitter-post/definition.json) - Twitter
+      post (tweet).
+
+   *  objects/url (https://github.com/MISP/misp-
+      objects/blob/main/objects/url/definition.json) - url object
+      describes an url along with its normalized field (like extracted
+      using faup parsing library) and its metadata.
+
+   *  objects/user-account (https://github.com/MISP/misp-
+      objects/blob/main/objects/user-account/definition.json) - .
+
+   *  objects/vehicle (https://github.com/MISP/misp-
+      objects/blob/main/objects/vehicle/definition.json) - Vehicle
+      object template to describe a vehicle information and
+      registration.
+
+   *  objects/victim (https://github.com/MISP/misp-
+      objects/blob/main/objects/victim/definition.json) - Victim object
+      describes the target of an attack or abuse.
+
+
+
+
+
+
+Dulaunoy & Iklody          Expires 25 May 2022                 [Page 32]
+
+Internet-Draft         MISP object template format         November 2021
+
+
+   *  objects/virustotal-graph (https://github.com/MISP/misp-
+      objects/blob/main/objects/virustotal-graph/definition.json) -
+      VirusTotal graph.
+
+   *  objects/virustotal-report (https://github.com/MISP/misp-
+      objects/blob/main/objects/virustotal-report/definition.json) -
+      VirusTotal report.
+
+   *  objects/vulnerability (https://github.com/MISP/misp-
+      objects/blob/main/objects/vulnerability/definition.json) -
+      Vulnerability object describing a common vulnerability enumeration
+      which can describe published, unpublished, under review or embargo
+      vulnerability for software, equipments or hardware.
+
+   *  objects/weakness (https://github.com/MISP/misp-
+      objects/blob/main/objects/weakness/definition.json) - Weakness
+      object describing a common weakness enumeration which can describe
+      usable, incomplete, draft or deprecated weakness for software,
+      equipment of hardware.
+
+   *  objects/whois (https://github.com/MISP/misp-
+      objects/blob/main/objects/whois/definition.json) - Whois records
+      information for a domain name or an IP address.
+
+   *  objects/x509 (https://github.com/MISP/misp-
+      objects/blob/main/objects/x509/definition.json) - x509 object
+      describing a X.509 certificate.
+
+   *  objects/yabin (https://github.com/MISP/misp-
+      objects/blob/main/objects/yabin/definition.json) - yabin.py
+      generates Yara rules from function prologs, for matching and
+      hunting binaries. ref: https://github.com/AlienVault-OTX/yabin
+      (https://github.com/AlienVault-OTX/yabin).
+
+   *  objects/yara (https://github.com/MISP/misp-
+      objects/blob/main/objects/yara/definition.json) - An object
+      describing a YARA rule (or a YARA rule name) along with its
+      version.
+
+   *  objects/youtube-channel (https://github.com/MISP/misp-
+      objects/blob/main/objects/youtube-channel/definition.json) - A
+      YouTube channel.
+
+   *  objects/youtube-comment (https://github.com/MISP/misp-
+      objects/blob/main/objects/youtube-comment/definition.json) - A
+      YouTube video comment.
+
+
+
+
+
+Dulaunoy & Iklody          Expires 25 May 2022                 [Page 33]
+
+Internet-Draft         MISP object template format         November 2021
+
+
+   *  objects/youtube-playlist (https://github.com/MISP/misp-
+      objects/blob/main/objects/youtube-playlist/definition.json) - A
+      YouTube playlist.
+
+   *  objects/youtube-video (https://github.com/MISP/misp-
+      objects/blob/main/objects/youtube-video/definition.json) - A
+      YouTube video.
 
 4.  Acknowledgements
 
    The authors wish to thank all the MISP community who are supporting
    the creation of open standards in threat intelligence sharing.
 
-5.  References
-
-5.1.  Normative References
+5.  Normative References
 
    [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
               Requirement Levels", BCP 14, RFC 2119,
@@ -994,7 +1880,7 @@ Internet-Draft         MISP object template format            April 2018
               DOI 10.17487/RFC8259, December 2017,
               <https://www.rfc-editor.org/info/rfc8259>.
 
-5.2.  Informative References
+6.  Informative References
 
    [MISP-O]   Community, M., "MISP Objects - shared and common object
               templates", <https://github.com/MISP/misp-objects>.
@@ -1003,37 +1889,30 @@ Internet-Draft         MISP object template format            April 2018
               community, M., "MISP objects directory", 2018,
               <https://www.misp-project.org/objects.html>.
 
-
-
-Dulaunoy & Iklody       Expires October 12, 2018               [Page 18]
-
-Internet-Draft         MISP object template format            April 2018
-
-
-5.3.  URIs
-
-   [1] https://www.caida.org/tools/taxonomy/anonymization.xml
-
-   [2] https://github.com/salesforce/ja3
-
-   [3] https://github.com/AlienVault-OTX/yabin
-
 Authors' Addresses
 
    Alexandre Dulaunoy
    Computer Incident Response Center Luxembourg
    16, bd d'Avranches
-   Luxembourg  L-1611
+   L-L-1611 Luxembourg
    Luxembourg
 
    Phone: +352 247 88444
+
+
+
+Dulaunoy & Iklody          Expires 25 May 2022                 [Page 34]
+
+Internet-Draft         MISP object template format         November 2021
+
+
    Email: alexandre.dulaunoy@circl.lu
 
 
    Andras Iklody
    Computer Incident Response Center Luxembourg
    16, bd d'Avranches
-   Luxembourg  L-1611
+   L-L-1611 Luxembourg
    Luxembourg
 
    Phone: +352 247 88444
@@ -1061,4 +1940,21 @@ Authors' Addresses
 
 
 
-Dulaunoy & Iklody       Expires October 12, 2018               [Page 19]
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Dulaunoy & Iklody          Expires 25 May 2022                 [Page 35]
diff --git a/rfc/misp-standard-taxonomy-format.html b/rfc/misp-standard-taxonomy-format.html
index a8b99ee..d819b3c 100644
--- a/rfc/misp-standard-taxonomy-format.html
+++ b/rfc/misp-standard-taxonomy-format.html
@@ -1,550 +1,1436 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" 
-  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<!DOCTYPE html>
+<html lang="en" class="Internet-Draft">
+<head>
+<meta charset="utf-8">
+<meta content="Common,Latin" name="scripts">
+<meta content="initial-scale=1.0" name="viewport">
+<title>MISP taxonomy format</title>
+<meta content="Alexandre Dulaunoy" name="author">
+<meta content="Andras Iklody" name="author">
+<meta content="
+       This document describes the MISP taxonomy format which describes a simple JSON format to
+represent machine tags (also called triple tags) vocabularies. A public directory of common vocabularies
+called MISP taxonomies is available and relies on the MISP taxonomy format. MISP taxonomies are used to classify
+cyber security events, threats, suspicious events, or indicators. 
+    " name="description">
+<meta content="xml2rfc 3.9.1" name="generator">
+<meta content="draft-00" name="ietf.draft">
+<!-- Generator version information:
+  xml2rfc 3.9.1
+    Python 3.6.9
+    appdirs 1.4.4
+    ConfigArgParse 1.5.2
+    google-i18n-address 2.3.5
+    html5lib 1.0.1
+    intervaltree 2.1.0
+    Jinja2 2.11.2
+    kitchen 1.2.6
+    lxml 4.6.3
+    pycairo 1.16.2
+    pycountry 18.12.8
+    pyflakes 2.1.1
+    PyYAML 5.4.1
+    requests 2.25.1
+    setuptools 57.1.0
+    six 1.15.0
+    WeasyPrint 48
+-->
+<link href="misp-standard-taxonomy-format.xml" rel="alternate" type="application/rfc+xml">
+<link href="#copyright" rel="license">
+<style type="text/css">/*
 
-<html lang="en" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
-<head profile="http://www.w3.org/2006/03/hcard http://dublincore.org/documents/2008/08/04/dc-html/">
-  <meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
+  NOTE: Changes at the bottom of this file overrides some earlier settings.
 
-  <title>MISP taxonomy format</title>
+  Once the style has stabilized and has been adopted as an official RFC style,
+  this can be consolidated so that style settings occur only in one place, but
+  for now the contents of this file consists first of the initial CSS work as
+  provided to the RFC Formatter (xml2rfc) work, followed by itemized and
+  commented changes found necssary during the development of the v3
+  formatters.
 
-  <style type="text/css" title="Xml2Rfc (sans serif)">
-  /*<![CDATA[*/
-	  a {
-	  text-decoration: none;
-	  }
-      /* info code from SantaKlauss at http://www.madaboutstyle.com/tooltip2.html */
-      a.info {
-          /* This is the key. */
-          position: relative;
-          z-index: 24;
-          text-decoration: none;
-      }
-      a.info:hover {
-          z-index: 25;
-          color: #FFF; background-color: #900;
-      }
-      a.info span { display: none; }
-      a.info:hover span.info {
-          /* The span will display just on :hover state. */
-          display: block;
-          position: absolute;
-          font-size: smaller;
-          top: 2em; left: -5em; width: 15em;
-          padding: 2px; border: 1px solid #333;
-          color: #900; background-color: #EEE;
-          text-align: left;
-      }
-	  a.smpl {
-	  color: black;
-	  }
-	  a:hover {
-	  text-decoration: underline;
-	  }
-	  a:active {
-	  text-decoration: underline;
-	  }
-	  address {
-	  margin-top: 1em;
-	  margin-left: 2em;
-	  font-style: normal;
-	  }
-	  body {
-	  color: black;
-	  font-family: verdana, helvetica, arial, sans-serif;
-	  font-size: 10pt;
-	  max-width: 55em;
-	  
-	  }
-	  cite {
-	  font-style: normal;
-	  }
-	  dd {
-	  margin-right: 2em;
-	  }
-	  dl {
-	  margin-left: 2em;
-	  }
-	
-	  ul.empty {
-	  list-style-type: none;
-	  }
-	  ul.empty li {
-	  margin-top: .5em;
-	  }
-	  dl p {
-	  margin-left: 0em;
-	  }
-	  dt {
-	  margin-top: .5em;
-	  }
-	  h1 {
-	  font-size: 14pt;
-	  line-height: 21pt;
-	  page-break-after: avoid;
-	  }
-	  h1.np {
-	  page-break-before: always;
-	  }
-	  h1 a {
-	  color: #333333;
-	  }
-	  h2 {
-	  font-size: 12pt;
-	  line-height: 15pt;
-	  page-break-after: avoid;
-	  }
-	  h3, h4, h5, h6 {
-	  font-size: 10pt;
-	  page-break-after: avoid;
-	  }
-	  h2 a, h3 a, h4 a, h5 a, h6 a {
-	  color: black;
-	  }
-	  img {
-	  margin-left: 3em;
-	  }
-	  li {
-	  margin-left: 2em;
-	  margin-right: 2em;
-	  }
-	  ol {
-	  margin-left: 2em;
-	  margin-right: 2em;
-	  }
-	  ol p {
-	  margin-left: 0em;
-	  }
-	  p {
-	  margin-left: 2em;
-	  margin-right: 2em;
-	  }
-	  pre {
-	  margin-left: 3em;
-	  background-color: lightyellow;
-	  padding: .25em;
-	  }
-	  pre.text2 {
-	  border-style: dotted;
-	  border-width: 1px;
-	  background-color: #f0f0f0;
-	  width: 69em;
-	  }
-	  pre.inline {
-	  background-color: white;
-	  padding: 0em;
-	  }
-	  pre.text {
-	  border-style: dotted;
-	  border-width: 1px;
-	  background-color: #f8f8f8;
-	  width: 69em;
-	  }
-	  pre.drawing {
-	  border-style: solid;
-	  border-width: 1px;
-	  background-color: #f8f8f8;
-	  padding: 2em;
-	  }
-	  table {
-	  margin-left: 2em;
-	  }
-	  table.tt {
-	  vertical-align: top;
-	  }
-	  table.full {
-	  border-style: outset;
-	  border-width: 1px;
-	  }
-	  table.headers {
-	  border-style: outset;
-	  border-width: 1px;
-	  }
-	  table.tt td {
-	  vertical-align: top;
-	  }
-	  table.full td {
-	  border-style: inset;
-	  border-width: 1px;
-	  }
-	  table.tt th {
-	  vertical-align: top;
-	  }
-	  table.full th {
-	  border-style: inset;
-	  border-width: 1px;
-	  }
-	  table.headers th {
-	  border-style: none none inset none;
-	  border-width: 1px;
-	  }
-	  table.left {
-	  margin-right: auto;
-	  }
-	  table.right {
-	  margin-left: auto;
-	  }
-	  table.center {
-	  margin-left: auto;
-	  margin-right: auto;
-	  }
-	  caption {
-	  caption-side: bottom;
-	  font-weight: bold;
-	  font-size: 9pt;
-	  margin-top: .5em;
-	  }
-	
-	  table.header {
-	  border-spacing: 1px;
-	  width: 95%;
-	  font-size: 10pt;
-	  color: white;
-	  }
-	  td.top {
-	  vertical-align: top;
-	  }
-	  td.topnowrap {
-	  vertical-align: top;
-	  white-space: nowrap; 
-	  }
-	  table.header td {
-	  background-color: gray;
-	  width: 50%;
-	  }
-	  table.header a {
-	  color: white;
-	  }
-	  td.reference {
-	  vertical-align: top;
-	  white-space: nowrap;
-	  padding-right: 1em;
-	  }
-	  thead {
-	  display:table-header-group;
-	  }
-	  ul.toc, ul.toc ul {
-	  list-style: none;
-	  margin-left: 1.5em;
-	  margin-right: 0em;
-	  padding-left: 0em;
-	  }
-	  ul.toc li {
-	  line-height: 150%;
-	  font-weight: bold;
-	  font-size: 10pt;
-	  margin-left: 0em;
-	  margin-right: 0em;
-	  }
-	  ul.toc li li {
-	  line-height: normal;
-	  font-weight: normal;
-	  font-size: 9pt;
-	  margin-left: 0em;
-	  margin-right: 0em;
-	  }
-	  li.excluded {
-	  font-size: 0pt;
-	  }
-	  ul p {
-	  margin-left: 0em;
-	  }
-	
-	  .comment {
-	  background-color: yellow;
-	  }
-	  .center {
-	  text-align: center;
-	  }
-	  .error {
-	  color: red;
-	  font-style: italic;
-	  font-weight: bold;
-	  }
-	  .figure {
-	  font-weight: bold;
-	  text-align: center;
-	  font-size: 9pt;
-	  }
-	  .filename {
-	  color: #333333;
-	  font-weight: bold;
-	  font-size: 12pt;
-	  line-height: 21pt;
-	  text-align: center;
-	  }
-	  .fn {
-	  font-weight: bold;
-	  }
-	  .hidden {
-	  display: none;
-	  }
-	  .left {
-	  text-align: left;
-	  }
-	  .right {
-	  text-align: right;
-	  }
-	  .title {
-	  color: #990000;
-	  font-size: 18pt;
-	  line-height: 18pt;
-	  font-weight: bold;
-	  text-align: center;
-	  margin-top: 36pt;
-	  }
-	  .vcardline {
-	  display: block;
-	  }
-	  .warning {
-	  font-size: 14pt;
-	  background-color: yellow;
-	  }
-	
-	
-	  @media print {
-	  .noprint {
-		display: none;
-	  }
-	
-	  a {
-		color: black;
-		text-decoration: none;
-	  }
-	
-	  table.header {
-		width: 90%;
-	  }
-	
-	  td.header {
-		width: 50%;
-		color: black;
-		background-color: white;
-		vertical-align: top;
-		font-size: 12pt;
-	  }
-	
-	  ul.toc a::after {
-		content: leader('.') target-counter(attr(href), page);
-	  }
-	
-	  ul.ind li li a {
-		content: target-counter(attr(href), page);
-	  }
-	
-	  .print2col {
-		column-count: 2;
-		-moz-column-count: 2;
-		column-fill: auto;
-	  }
-	  }
-	
-	  @page {
-	  @top-left {
-		   content: "Internet-Draft"; 
-	  } 
-	  @top-right {
-		   content: "December 2010"; 
-	  } 
-	  @top-center {
-		   content: "Abbreviated Title";
-	  } 
-	  @bottom-left {
-		   content: "Doe"; 
-	  } 
-	  @bottom-center {
-		   content: "Expires June 2011"; 
-	  } 
-	  @bottom-right {
-		   content: "[Page " counter(page) "]"; 
-	  } 
-	  }
-	
-	  @page:first { 
-		@top-left {
-		  content: normal;
-		}
-		@top-right {
-		  content: normal;
-		}
-		@top-center {
-		  content: normal;
-		}
-	  }
-  /*]]>*/
-  </style>
+*/
 
-  <link href="#rfc.toc" rel="Contents">
-<link href="#rfc.section.1" rel="Chapter" title="1 Introduction">
-<link href="#rfc.section.1.1" rel="Chapter" title="1.1 Conventions and Terminology">
-<link href="#rfc.section.2" rel="Chapter" title="2 Format">
-<link href="#rfc.section.2.1" rel="Chapter" title="2.1 Overview">
-<link href="#rfc.section.2.2" rel="Chapter" title="2.2 predicates">
-<link href="#rfc.section.2.3" rel="Chapter" title="2.3 values">
-<link href="#rfc.section.2.4" rel="Chapter" title="2.4 optional fields">
-<link href="#rfc.section.2.4.1" rel="Chapter" title="2.4.1 colour">
-<link href="#rfc.section.2.4.2" rel="Chapter" title="2.4.2 description">
-<link href="#rfc.section.2.4.3" rel="Chapter" title="2.4.3 numerical_value">
-<link href="#rfc.section.3" rel="Chapter" title="3 Directory">
-<link href="#rfc.section.3.1" rel="Chapter" title="3.1 Sample Manifest">
-<link href="#rfc.section.4" rel="Chapter" title="4 Sample Taxonomy in MISP taxonomy format">
-<link href="#rfc.section.4.1" rel="Chapter" title="4.1 Admiralty Scale Taxonomy">
-<link href="#rfc.section.4.2" rel="Chapter" title="4.2 Open Source Intelligence - Classification">
-<link href="#rfc.section.4.3" rel="Chapter" title="4.3 Available taxonomies in the public directory">
-<link href="#rfc.section.5" rel="Chapter" title="5 JSON Schema">
-<link href="#rfc.section.6" rel="Chapter" title="6 Acknowledgements">
-<link href="#rfc.references" rel="Chapter" title="7 References">
-<link href="#rfc.references.1" rel="Chapter" title="7.1 Normative References">
-<link href="#rfc.references.2" rel="Chapter" title="7.2 Informative References">
-<link href="#rfc.authors" rel="Chapter">
+/* fonts */
+@import url('https://fonts.googleapis.com/css?family=Noto+Sans'); /* Sans-serif */
+@import url('https://fonts.googleapis.com/css?family=Noto+Serif'); /* Serif (print) */
+@import url('https://fonts.googleapis.com/css?family=Roboto+Mono'); /* Monospace */
+
+@viewport {
+  zoom: 1.0;
+  width: extend-to-zoom;
+}
+@-ms-viewport {
+  width: extend-to-zoom;
+  zoom: 1.0;
+}
+/* general and mobile first */
+html {
+}
+body {
+  max-width: 90%;
+  margin: 1.5em auto;
+  color: #222;
+  background-color: #fff;
+  font-size: 14px;
+  font-family: 'Noto Sans', Arial, Helvetica, sans-serif;
+  line-height: 1.6;
+  scroll-behavior: smooth;
+}
+.ears {
+  display: none;
+}
+
+/* headings */
+#title, h1, h2, h3, h4, h5, h6 {
+  margin: 1em 0 0.5em;
+  font-weight: bold;
+  line-height: 1.3;
+}
+#title {
+  clear: both;
+  border-bottom: 1px solid #ddd;
+  margin: 0 0 0.5em 0;
+  padding: 1em 0 0.5em;
+}
+.author {
+  padding-bottom: 4px;
+}
+h1 {
+  font-size: 26px;
+  margin: 1em 0;
+}
+h2 {
+  font-size: 22px;
+  margin-top: -20px;  /* provide offset for in-page anchors */
+  padding-top: 33px;
+}
+h3 {
+  font-size: 18px;
+  margin-top: -36px;  /* provide offset for in-page anchors */
+  padding-top: 42px;
+}
+h4 {
+  font-size: 16px;
+  margin-top: -36px;  /* provide offset for in-page anchors */
+  padding-top: 42px;
+}
+h5, h6 {
+  font-size: 14px;
+}
+#n-copyright-notice {
+  border-bottom: 1px solid #ddd;
+  padding-bottom: 1em;
+  margin-bottom: 1em;
+}
+/* general structure */
+p {
+  padding: 0;
+  margin: 0 0 1em 0;
+  text-align: left;
+}
+div, span {
+  position: relative;
+}
+div {
+  margin: 0;
+}
+.alignRight.art-text {
+  background-color: #f9f9f9;
+  border: 1px solid #eee;
+  border-radius: 3px;
+  padding: 1em 1em 0;
+  margin-bottom: 1.5em;
+}
+.alignRight.art-text pre {
+  padding: 0;
+}
+.alignRight {
+  margin: 1em 0;
+}
+.alignRight > *:first-child {
+  border: none;
+  margin: 0;
+  float: right;
+  clear: both;
+}
+.alignRight > *:nth-child(2) {
+  clear: both;
+  display: block;
+  border: none;
+}
+svg {
+  display: block;
+}
+.alignCenter.art-text {
+  background-color: #f9f9f9;
+  border: 1px solid #eee;
+  border-radius: 3px;
+  padding: 1em 1em 0;
+  margin-bottom: 1.5em;
+}
+.alignCenter.art-text pre {
+  padding: 0;
+}
+.alignCenter {
+  margin: 1em 0;
+}
+.alignCenter > *:first-child {
+  border: none;
+  /* this isn't optimal, but it's an existence proof.  PrinceXML doesn't
+     support flexbox yet.
+  */
+  display: table;
+  margin: 0 auto;
+}
+
+/* lists */
+ol, ul {
+  padding: 0;
+  margin: 0 0 1em 2em;
+}
+ol ol, ul ul, ol ul, ul ol {
+  margin-left: 1em;
+}
+li {
+  margin: 0 0 0.25em 0;
+}
+.ulCompact li {
+  margin: 0;
+}
+ul.empty, .ulEmpty {
+  list-style-type: none;
+}
+ul.empty li, .ulEmpty li {
+  margin-top: 0.5em;
+}
+ul.ulBare, li.ulBare {
+  margin-left: 0em !important;
+}
+ul.compact, .ulCompact,
+ol.compact, .olCompact {
+  line-height: 100%;
+  margin: 0 0 0 2em;
+}
+
+/* definition lists */
+dl {
+}
+dl > dt {
+  float: left;
+  margin-right: 1em;
+}
+/* 
+dl.nohang > dt {
+  float: none;
+}
+*/
+dl > dd {
+  margin-bottom: .8em;
+  min-height: 1.3em;
+}
+dl.compact > dd, .dlCompact > dd {
+  margin-bottom: 0em;
+}
+dl > dd > dl {
+  margin-top: 0.5em;
+  margin-bottom: 0em;
+}
+
+/* links */
+a {
+  text-decoration: none;
+}
+a[href] {
+  color: #22e; /* Arlen: WCAG 2019 */
+}
+a[href]:hover {
+  background-color: #f2f2f2;
+}
+figcaption a[href],
+a[href].selfRef {
+  color: #222;
+}
+/* XXX probably not this:
+a.selfRef:hover {
+  background-color: transparent;
+  cursor: default;
+} */
+
+/* Figures */
+tt, code, pre, code {
+  background-color: #f9f9f9;
+  font-family: 'Roboto Mono', monospace;
+}
+pre {
+  border: 1px solid #eee;
+  margin: 0;
+  padding: 1em;
+}
+img {
+  max-width: 100%;
+}
+figure {
+  margin: 0;
+}
+figure blockquote {
+  margin: 0.8em 0.4em 0.4em;
+}
+figcaption {
+  font-style: italic;
+  margin: 0 0 1em 0;
+}
+@media screen {
+  pre {
+    overflow-x: auto;
+    max-width: 100%;
+    max-width: calc(100% - 22px);
+  }
+}
+
+/* aside, blockquote */
+aside, blockquote {
+  margin-left: 0;
+  padding: 1.2em 2em;
+}
+blockquote {
+  background-color: #f9f9f9;
+  color: #111; /* Arlen: WCAG 2019 */
+  border: 1px solid #ddd;
+  border-radius: 3px;
+  margin: 1em 0;
+}
+cite {
+  display: block;
+  text-align: right;
+  font-style: italic;
+}
+
+/* tables */
+table {
+  width: 100%;
+  margin: 0 0 1em;
+  border-collapse: collapse;
+  border: 1px solid #eee;
+}
+th, td {
+  text-align: left;
+  vertical-align: top;
+  padding: 0.5em 0.75em;
+}
+th {
+  text-align: left;
+  background-color: #e9e9e9;
+}
+tr:nth-child(2n+1) > td {
+  background-color: #f5f5f5;
+}
+table caption {
+  font-style: italic;
+  margin: 0;
+  padding: 0;
+  text-align: left;
+}
+table p {
+  /* XXX to avoid bottom margin on table row signifiers. If paragraphs should
+     be allowed within tables more generally, it would be far better to select on a class. */
+  margin: 0;
+}
+
+/* pilcrow */
+a.pilcrow {
+  color: #666; /* Arlen: AHDJ 2019 */
+  text-decoration: none;
+  visibility: hidden;
+  user-select: none;
+  -ms-user-select: none;
+  -o-user-select:none;
+  -moz-user-select: none;
+  -khtml-user-select: none;
+  -webkit-user-select: none;
+  -webkit-touch-callout: none;
+}
+@media screen {
+  aside:hover > a.pilcrow,
+  p:hover > a.pilcrow,
+  blockquote:hover > a.pilcrow,
+  div:hover > a.pilcrow,
+  li:hover > a.pilcrow,
+  pre:hover > a.pilcrow {
+    visibility: visible;
+  }
+  a.pilcrow:hover {
+    background-color: transparent;
+  }
+}
+
+/* misc */
+hr {
+  border: 0;
+  border-top: 1px solid #eee;
+}
+.bcp14 {
+  font-variant: small-caps;
+}
+
+.role {
+  font-variant: all-small-caps;
+}
+
+/* info block */
+#identifiers {
+  margin: 0;
+  font-size: 0.9em;
+}
+#identifiers dt {
+  width: 3em;
+  clear: left;
+}
+#identifiers dd {
+  float: left;
+  margin-bottom: 0;
+}
+#identifiers .authors .author {
+  display: inline-block;
+  margin-right: 1.5em;
+}
+#identifiers .authors .org {
+  font-style: italic;
+}
+
+/* The prepared/rendered info at the very bottom of the page */
+.docInfo {
+  color: #666; /* Arlen: WCAG 2019 */
+  font-size: 0.9em;
+  font-style: italic;
+  margin-top: 2em;
+}
+.docInfo .prepared {
+  float: left;
+}
+.docInfo .prepared {
+  float: right;
+}
+
+/* table of contents */
+#toc  {
+  padding: 0.75em 0 2em 0;
+  margin-bottom: 1em;
+}
+nav.toc ul {
+  margin: 0 0.5em 0 0;
+  padding: 0;
+  list-style: none;
+}
+nav.toc li {
+  line-height: 1.3em;
+  margin: 0.75em 0;
+  padding-left: 1.2em;
+  text-indent: -1.2em;
+}
+/* references */
+.references dt {
+  text-align: right;
+  font-weight: bold;
+  min-width: 7em;
+}
+.references dd {
+  margin-left: 8em;
+  overflow: auto;
+}
+
+.refInstance {
+  margin-bottom: 1.25em;
+}
+
+.references .ascii {
+  margin-bottom: 0.25em;
+}
+
+/* index */
+.index ul {
+  margin: 0 0 0 1em;
+  padding: 0;
+  list-style: none;
+}
+.index ul ul {
+  margin: 0;
+}
+.index li {
+  margin: 0;
+  text-indent: -2em;
+  padding-left: 2em;
+  padding-bottom: 5px;
+}
+.indexIndex {
+  margin: 0.5em 0 1em;
+}
+.index a {
+  font-weight: 700;
+}
+/* make the index two-column on all but the smallest screens */
+@media (min-width: 600px) {
+  .index ul {
+    -moz-column-count: 2;
+    -moz-column-gap: 20px;
+  }
+  .index ul ul {
+    -moz-column-count: 1;
+    -moz-column-gap: 0;
+  }
+}
+
+/* authors */
+address.vcard {
+  font-style: normal;
+  margin: 1em 0;
+}
+
+address.vcard .nameRole {
+  font-weight: 700;
+  margin-left: 0;
+}
+address.vcard .label {
+  font-family: "Noto Sans",Arial,Helvetica,sans-serif;
+  margin: 0.5em 0;
+}
+address.vcard .type {
+  display: none;
+}
+.alternative-contact {
+  margin: 1.5em 0 1em;
+}
+hr.addr {
+  border-top: 1px dashed;
+  margin: 0;
+  color: #ddd;
+  max-width: calc(100% - 16px);
+}
+
+/* temporary notes */
+.rfcEditorRemove::before {
+  position: absolute;
+  top: 0.2em;
+  right: 0.2em;
+  padding: 0.2em;
+  content: "The RFC Editor will remove this note";
+  color: #9e2a00; /* Arlen: WCAG 2019 */
+  background-color: #ffd; /* Arlen: WCAG 2019 */
+}
+.rfcEditorRemove {
+  position: relative;
+  padding-top: 1.8em;
+  background-color: #ffd; /* Arlen: WCAG 2019 */
+  border-radius: 3px;
+}
+.cref {
+  background-color: #ffd; /* Arlen: WCAG 2019 */
+  padding: 2px 4px;
+}
+.crefSource {
+  font-style: italic;
+}
+/* alternative layout for smaller screens */
+@media screen and (max-width: 1023px) {
+  body {
+    padding-top: 2em;
+  }
+  #title {
+    padding: 1em 0;
+  }
+  h1 {
+    font-size: 24px;
+  }
+  h2 {
+    font-size: 20px;
+    margin-top: -18px;  /* provide offset for in-page anchors */
+    padding-top: 38px;
+  }
+  #identifiers dd {
+    max-width: 60%;
+  }
+  #toc {
+    position: fixed;
+    z-index: 2;
+    top: 0;
+    right: 0;
+    padding: 0;
+    margin: 0;
+    background-color: inherit;
+    border-bottom: 1px solid #ccc;
+  }
+  #toc h2 {
+    margin: -1px 0 0 0;
+    padding: 4px 0 4px 6px;
+    padding-right: 1em;
+    min-width: 190px;
+    font-size: 1.1em;
+    text-align: right;
+    background-color: #444;
+    color: white;
+    cursor: pointer;
+  }
+  #toc h2::before { /* css hamburger */
+    float: right;
+    position: relative;
+    width: 1em;
+    height: 1px;
+    left: -164px;
+    margin: 6px 0 0 0;
+    background: white none repeat scroll 0 0;
+    box-shadow: 0 4px 0 0 white, 0 8px 0 0 white;
+    content: "";
+  }
+  #toc nav {
+    display: none;
+    padding: 0.5em 1em 1em;
+    overflow: auto;
+    height: calc(100vh - 48px);
+    border-left: 1px solid #ddd;
+  }
+}
+
+/* alternative layout for wide screens */
+@media screen and (min-width: 1024px) {
+  body {
+    max-width: 724px;
+    margin: 42px auto;
+    padding-left: 1.5em;
+    padding-right: 29em;
+  }
+  #toc {
+    position: fixed;
+    top: 42px;
+    right: 42px;
+    width: 25%;
+    margin: 0;
+    padding: 0 1em;
+    z-index: 1;
+  }
+  #toc h2 {
+    border-top: none;
+    border-bottom: 1px solid #ddd;
+    font-size: 1em;
+    font-weight: normal;
+    margin: 0;
+    padding: 0.25em 1em 1em 0;
+  }
+  #toc nav {
+    display: block;
+    height: calc(90vh - 84px);
+    bottom: 0;
+    padding: 0.5em 0 0;
+    overflow: auto;
+  }
+  img { /* future proofing */
+    max-width: 100%;
+    height: auto;
+  }
+}
+
+/* pagination */
+@media print {
+  body {
+
+    width: 100%;
+  }
+  p {
+    orphans: 3;
+    widows: 3;
+  }
+  #n-copyright-notice {
+    border-bottom: none;
+  }
+  #toc, #n-introduction {
+    page-break-before: always;
+  }
+  #toc {
+    border-top: none;
+    padding-top: 0;
+  }
+  figure, pre {
+    page-break-inside: avoid;
+  }
+  figure {
+    overflow: scroll;
+  }
+  h1, h2, h3, h4, h5, h6 {
+    page-break-after: avoid;
+  }
+  h2+*, h3+*, h4+*, h5+*, h6+* {
+    page-break-before: avoid;
+  }
+  pre {
+    white-space: pre-wrap;
+    word-wrap: break-word;
+    font-size: 10pt;
+  }
+  table {
+    border: 1px solid #ddd;
+  }
+  td {
+    border-top: 1px solid #ddd;
+  }
+}
+
+/* This is commented out here, as the string-set: doesn't
+   pass W3C validation currently */
+/*
+.ears thead .left {
+  string-set: ears-top-left content();
+}
+
+.ears thead .center {
+  string-set: ears-top-center content();
+}
+
+.ears thead .right {
+  string-set: ears-top-right content();
+}
+
+.ears tfoot .left {
+  string-set: ears-bottom-left content();
+}
+
+.ears tfoot .center {
+  string-set: ears-bottom-center content();
+}
+
+.ears tfoot .right {
+  string-set: ears-bottom-right content();
+}
+*/
+
+@page :first {
+  padding-top: 0;
+  @top-left {
+    content: normal;
+    border: none;
+  }
+  @top-center {
+    content: normal;
+    border: none;
+  }
+  @top-right {
+    content: normal;
+    border: none;
+  }
+}
+
+@page {
+  size: A4;
+  margin-bottom: 45mm;
+  padding-top: 20px;
+  /* The follwing is commented out here, but set appropriately by in code, as
+     the content depends on the document */
+  /*
+  @top-left {
+    content: 'Internet-Draft';
+    vertical-align: bottom;
+    border-bottom: solid 1px #ccc;
+  }
+  @top-left {
+    content: string(ears-top-left);
+    vertical-align: bottom;
+    border-bottom: solid 1px #ccc;
+  }
+  @top-center {
+    content: string(ears-top-center);
+    vertical-align: bottom;
+    border-bottom: solid 1px #ccc;
+  }
+  @top-right {
+    content: string(ears-top-right);
+    vertical-align: bottom;
+    border-bottom: solid 1px #ccc;
+  }
+  @bottom-left {
+    content: string(ears-bottom-left);
+    vertical-align: top;
+    border-top: solid 1px #ccc;
+  }
+  @bottom-center {
+    content: string(ears-bottom-center);
+    vertical-align: top;
+    border-top: solid 1px #ccc;
+  }
+  @bottom-right {
+      content: '[Page ' counter(page) ']';
+      vertical-align: top;
+      border-top: solid 1px #ccc;
+  }
+  */
+
+}
+
+/* Changes introduced to fix issues found during implementation */
+/* Make sure links are clickable even if overlapped by following H* */
+a {
+  z-index: 2;
+}
+/* Separate body from document info even without intervening H1 */
+section {
+  clear: both;
+}
 
 
-  <meta name="generator" content="xml2rfc version 2.23.1 - https://tools.ietf.org/tools/xml2rfc" />
-  <link rel="schema.dct" href="http://purl.org/dc/terms/" />
+/* Top align author divs, to avoid names without organization dropping level with org names */
+.author {
+  vertical-align: top;
+}
 
-  <meta name="dct.creator" content="Dulaunoy, A. and A. Iklody" />
-  <meta name="dct.identifier" content="urn:ietf:id:" />
-  <meta name="dct.issued" scheme="ISO8601" content="2017-11-29" />
-  <meta name="dct.abstract" content="This document describes the MISP taxonomy format which describes a simple JSON format to represent machine tags (also called triple tags) vocabularies. A public directory of common vocabularies called MISP taxonomies is available and relies on the MISP taxonomy format. MISP taxonomies are used to classify cyber security events, threats, suspicious events, or indicators." />
-  <meta name="description" content="This document describes the MISP taxonomy format which describes a simple JSON format to represent machine tags (also called triple tags) vocabularies. A public directory of common vocabularies called MISP taxonomies is available and relies on the MISP taxonomy format. MISP taxonomies are used to classify cyber security events, threats, suspicious events, or indicators." />
+/* Leave room in document info to show Internet-Draft on one line */
+#identifiers dt {
+  width: 8em;
+}
 
+/* Don't waste quite as much whitespace between label and value in doc info */
+#identifiers dd {
+  margin-left: 1em;
+}
+
+/* Give floating toc a background color (needed when it's a div inside section */
+#toc {
+  background-color: white;
+}
+
+/* Make the collapsed ToC header render white on gray also when it's a link */
+@media screen and (max-width: 1023px) {
+  #toc h2 a,
+  #toc h2 a:link,
+  #toc h2 a:focus,
+  #toc h2 a:hover,
+  #toc a.toplink,
+  #toc a.toplink:hover {
+    color: white;
+    background-color: #444;
+    text-decoration: none;
+  }
+}
+
+/* Give the bottom of the ToC some whitespace */
+@media screen and (min-width: 1024px) {
+  #toc {
+    padding: 0 0 1em 1em;
+  }
+}
+
+/* Style section numbers with more space between number and title */
+.section-number {
+  padding-right: 0.5em;
+}
+
+/* prevent monospace from becoming overly large */
+tt, code, pre, code {
+  font-size: 95%;
+}
+
+/* Fix the height/width aspect for ascii art*/
+pre.sourcecode,
+.art-text pre {
+  line-height: 1.12;
+}
+
+
+/* Add styling for a link in the ToC that points to the top of the document */
+a.toplink {
+  float: right;
+  margin-right: 0.5em;
+}
+
+/* Fix the dl styling to match the RFC 7992 attributes */
+dl > dt,
+dl.dlParallel > dt {
+  float: left;
+  margin-right: 1em;
+}
+dl.dlNewline > dt {
+  float: none;
+}
+
+/* Provide styling for table cell text alignment */
+table td.text-left,
+table th.text-left {
+  text-align: left;
+}
+table td.text-center,
+table th.text-center {
+  text-align: center;
+}
+table td.text-right,
+table th.text-right {
+  text-align: right;
+}
+
+/* Make the alternative author contact informatio look less like just another
+   author, and group it closer with the primary author contact information */
+.alternative-contact {
+  margin: 0.5em 0 0.25em 0;
+}
+address .non-ascii {
+  margin: 0 0 0 2em;
+}
+
+/* With it being possible to set tables with alignment
+  left, center, and right, { width: 100%; } does not make sense */
+table {
+  width: auto;
+}
+
+/* Avoid reference text that sits in a block with very wide left margin,
+   because of a long floating dt label.*/
+.references dd {
+  overflow: visible;
+}
+
+/* Control caption placement */
+caption {
+  caption-side: bottom;
+}
+
+/* Limit the width of the author address vcard, so names in right-to-left
+   script don't end up on the other side of the page. */
+
+address.vcard {
+  max-width: 30em;
+  margin-right: auto;
+}
+
+/* For address alignment dependent on LTR or RTL scripts */
+address div.left {
+  text-align: left;
+}
+address div.right {
+  text-align: right;
+}
+
+/* Provide table alignment support.  We can't use the alignX classes above
+   since they do unwanted things with caption and other styling. */
+table.right {
+ margin-left: auto;
+ margin-right: 0;
+}
+table.center {
+ margin-left: auto;
+ margin-right: auto;
+}
+table.left {
+ margin-left: 0;
+ margin-right: auto;
+}
+
+/* Give the table caption label the same styling as the figcaption */
+caption a[href] {
+  color: #222;
+}
+
+@media print {
+  .toplink {
+    display: none;
+  }
+
+  /* avoid overwriting the top border line with the ToC header */
+  #toc {
+    padding-top: 1px;
+  }
+
+  /* Avoid page breaks inside dl and author address entries */
+  .vcard {
+    page-break-inside: avoid;
+  }
+
+}
+/* Tweak the bcp14 keyword presentation */
+.bcp14 {
+  font-variant: small-caps;
+  font-weight: bold;
+  font-size: 0.9em;
+}
+/* Tweak the invisible space above H* in order not to overlay links in text above */
+ h2 {
+  margin-top: -18px;  /* provide offset for in-page anchors */
+  padding-top: 31px;
+ }
+ h3 {
+  margin-top: -18px;  /* provide offset for in-page anchors */
+  padding-top: 24px;
+ }
+ h4 {
+  margin-top: -18px;  /* provide offset for in-page anchors */
+  padding-top: 24px;
+ }
+/* Float artwork pilcrow to the right */
+@media screen {
+  .artwork a.pilcrow {
+    display: block;
+    line-height: 0.7;
+    margin-top: 0.15em;
+  }
+}
+/* Make pilcrows on dd visible */
+@media screen {
+  dd:hover > a.pilcrow {
+    visibility: visible;
+  }
+}
+/* Make the placement of figcaption match that of a table's caption
+   by removing the figure's added bottom margin */
+.alignLeft.art-text,
+.alignCenter.art-text,
+.alignRight.art-text {
+   margin-bottom: 0;
+}
+.alignLeft,
+.alignCenter,
+.alignRight {
+  margin: 1em 0 0 0;
+}
+/* In print, the pilcrow won't show on hover, so prevent it from taking up space,
+   possibly even requiring a new line */
+@media print {
+  a.pilcrow {
+    display: none;
+  }
+}
+/* Styling for the external metadata */
+div#external-metadata {
+  background-color: #eee;
+  padding: 0.5em;
+  margin-bottom: 0.5em;
+  display: none;
+}
+div#internal-metadata {
+  padding: 0.5em;                       /* to match the external-metadata padding */
+}
+/* Styling for title RFC Number */
+h1#rfcnum {
+  clear: both;
+  margin: 0 0 -1em;
+  padding: 1em 0 0 0;
+}
+/* Make .olPercent look the same as <ol><li> */
+dl.olPercent > dd {
+  margin-bottom: 0.25em;
+  min-height: initial;
+}
+/* Give aside some styling to set it apart */
+aside {
+  border-left: 1px solid #ddd;
+  margin: 1em 0 1em 2em;
+  padding: 0.2em 2em;
+}
+aside > dl,
+aside > ol,
+aside > ul,
+aside > table,
+aside > p {
+  margin-bottom: 0.5em;
+}
+/* Additional page break settings */
+@media print {
+  figcaption, table caption {
+    page-break-before: avoid;
+  }
+}
+/* Font size adjustments for print */
+@media print {
+  body  { font-size: 10pt;      line-height: normal; max-width: 96%; }
+  h1    { font-size: 1.72em;    padding-top: 1.5em; } /* 1*1.2*1.2*1.2 */
+  h2    { font-size: 1.44em;    padding-top: 1.5em; } /* 1*1.2*1.2 */
+  h3    { font-size: 1.2em;     padding-top: 1.5em; } /* 1*1.2 */
+  h4    { font-size: 1em;       padding-top: 1.5em; }
+  h5, h6 { font-size: 1em;      margin: initial; padding: 0.5em 0 0.3em; }
+}
+/* Sourcecode margin in print, when there's no pilcrow */
+@media print {
+  .artwork,
+  .sourcecode {
+    margin-bottom: 1em;
+  }
+}
+/* Avoid narrow tables forcing too narrow table captions, which may render badly */
+table {
+  min-width: 20em;
+}
+/* ol type a */
+ol.type-a { list-style-type: lower-alpha; }
+ol.type-A { list-style-type: upper-alpha; }
+ol.type-i { list-style-type: lower-roman; }
+ol.type-I { list-style-type: lower-roman; }
+/* Apply the print table and row borders in general, on request from the RPC,
+and increase the contrast between border and odd row background sligthtly */
+table {
+  border: 1px solid #ddd;
+}
+td {
+  border-top: 1px solid #ddd;
+}
+tr:nth-child(2n+1) > td {
+  background-color: #f8f8f8;
+}
+/* Use style rules to govern display of the TOC. */
+@media screen and (max-width: 1023px) {
+  #toc nav { display: none; }
+  #toc.active nav { display: block; }
+}
+/* Add support for keepWithNext */
+.keepWithNext {
+  break-after: avoid-page;
+  break-after: avoid-page;
+}
+/* Add support for keepWithPrevious */
+.keepWithPrevious {
+  break-before: avoid-page;
+}
+/* Change the approach to avoiding breaks inside artwork etc. */
+figure, pre, table, .artwork, .sourcecode  {
+  break-before: avoid-page;
+  break-after: auto;
+}
+/* Avoid breaks between <dt> and <dd> */
+dl {
+  break-before: auto;
+  break-inside: auto;
+}
+dt {
+  break-before: auto;
+  break-after: avoid-page;
+}
+dd {
+  break-before: avoid-page;
+  break-after: auto;
+  orphans: 3;
+  widows: 3
+}
+span.break, dd.break {
+  margin-bottom: 0;
+  min-height: 0;
+  break-before: auto;
+  break-inside: auto;
+  break-after: auto;
+}
+/* Undo break-before ToC */
+@media print {
+  #toc {
+    break-before: auto;
+  }
+}
+/* Text in compact lists should not get extra bottim margin space,
+   since that would makes the list not compact */
+ul.compact p, .ulCompact p,
+ol.compact p, .olCompact p {
+ margin: 0;
+}
+/* But the list as a whole needs the extra space at the end */
+section ul.compact,
+section .ulCompact,
+section ol.compact,
+section .olCompact {
+  margin-bottom: 1em;                    /* same as p not within ul.compact etc. */
+}
+/* The tt and code background above interferes with for instance table cell
+   backgrounds.  Changed to something a bit more selective. */
+tt, code {
+  background-color: transparent;
+}
+p tt, p code, li tt, li code {
+  background-color: #f8f8f8;
+}
+/* Tweak the pre margin -- 0px doesn't come out well */
+pre {
+   margin-top: 0.5px;
+}
+/* Tweak the comact list text */
+ul.compact, .ulCompact,
+ol.compact, .olCompact,
+dl.compact, .dlCompact {
+  line-height: normal;
+}
+/* Don't add top margin for nested lists */
+li > ul, li > ol, li > dl,
+dd > ul, dd > ol, dd > dl,
+dl > dd > dl {
+  margin-top: initial;
+}
+/* Elements that should not be rendered on the same line as a <dt> */
+/* This should match the element list in writer.text.TextWriter.render_dl() */
+dd > div.artwork:first-child,
+dd > aside:first-child,
+dd > figure:first-child,
+dd > ol:first-child,
+dd > div:first-child > pre.sourcecode,
+dd > table:first-child,
+dd > ul:first-child {
+  clear: left;
+}
+/* fix for weird browser behaviour when <dd/> is empty */
+dt+dd:empty::before{
+  content: "\00a0";
+}
+/* Make paragraph spacing inside <li> smaller than in body text, to fit better within the list */
+li > p {
+  margin-bottom: 0.5em
+}
+/* Don't let p margin spill out from inside list items */
+li > p:last-of-type {
+  margin-bottom: 0;
+}
+</style>
+<link href="rfc-local.css" rel="stylesheet" type="text/css">
+<script type="application/javascript">async function addMetadata(){try{const e=document.styleSheets[0].cssRules;for(let t=0;t<e.length;t++)if(/#identifiers/.exec(e[t].selectorText)){const a=e[t].cssText.replace("#identifiers","#external-updates");document.styleSheets[0].insertRule(a,document.styleSheets[0].cssRules.length)}}catch(e){console.log(e)}const e=document.getElementById("external-metadata");if(e)try{var t,a="",o=function(e){const t=document.getElementsByTagName("meta");for(let a=0;a<t.length;a++)if(t[a].getAttribute("name")===e)return t[a].getAttribute("content");return""}("rfc.number");if(o){t="https://www.rfc-editor.org/rfc/rfc"+o+".json";try{const e=await fetch(t);a=await e.json()}catch(e){t=document.URL.indexOf("html")>=0?document.URL.replace(/html$/,"json"):document.URL+".json";const o=await fetch(t);a=await o.json()}}if(!a)return;e.style.display="block";const s="",d="https://datatracker.ietf.org/doc",n="https://datatracker.ietf.org/ipr/search",c="https://www.rfc-editor.org/info",l=a.doc_id.toLowerCase(),i=a.doc_id.slice(0,3).toLowerCase(),f=a.doc_id.slice(3).replace(/^0+/,""),u={status:"Status",obsoletes:"Obsoletes",obsoleted_by:"Obsoleted By",updates:"Updates",updated_by:"Updated By",see_also:"See Also",errata_url:"Errata"};let h="<dl style='overflow:hidden' id='external-updates'>";["status","obsoletes","obsoleted_by","updates","updated_by","see_also","errata_url"].forEach(e=>{if("status"==e){a[e]=a[e].toLowerCase();var t=a[e].split(" "),o=t.length,w="",p=1;for(let e=0;e<o;e++)p<o?w=w+r(t[e])+" ":w+=r(t[e]),p++;a[e]=w}else if("obsoletes"==e||"obsoleted_by"==e||"updates"==e||"updated_by"==e){var g,m="",b=1;g=a[e].length;for(let t=0;t<g;t++)a[e][t]&&(a[e][t]=String(a[e][t]).toLowerCase(),m=b<g?m+"<a href='"+s+"/rfc/".concat(a[e][t])+"'>"+a[e][t].slice(3)+"</a>, ":m+"<a href='"+s+"/rfc/".concat(a[e][t])+"'>"+a[e][t].slice(3)+"</a>",b++);a[e]=m}else if("see_also"==e){var y,L="",C=1;y=a[e].length;for(let t=0;t<y;t++)if(a[e][t]){a[e][t]=String(a[e][t]);var _=a[e][t].slice(0,3),v=a[e][t].slice(3).replace(/^0+/,"");L=C<y?"RFC"!=_?L+"<a href='"+s+"/info/"+_.toLowerCase().concat(v.toLowerCase())+"'>"+_+" "+v+"</a>, ":L+"<a href='"+s+"/info/"+_.toLowerCase().concat(v.toLowerCase())+"'>"+v+"</a>, ":"RFC"!=_?L+"<a href='"+s+"/info/"+_.toLowerCase().concat(v.toLowerCase())+"'>"+_+" "+v+"</a>":L+"<a href='"+s+"/info/"+_.toLowerCase().concat(v.toLowerCase())+"'>"+v+"</a>",C++}a[e]=L}else if("errata_url"==e){var R="";R=a[e]?R+"<a href='"+a[e]+"'>Errata exist</a> | <a href='"+d+"/"+l+"'>Datatracker</a>| <a href='"+n+"/?"+i+"="+f+"&submit="+i+"'>IPR</a> | <a href='"+c+"/"+l+"'>Info page</a>":"<a href='"+d+"/"+l+"'>Datatracker</a> | <a href='"+n+"/?"+i+"="+f+"&submit="+i+"'>IPR</a> | <a href='"+c+"/"+l+"'>Info page</a>",a[e]=R}""!=a[e]?"Errata"==u[e]?h+=`<dt>More info:</dt><dd>${a[e]}</dd>`:h+=`<dt>${u[e]}:</dt><dd>${a[e]}</dd>`:"Errata"==u[e]&&(h+=`<dt>More info:</dt><dd>${a[e]}</dd>`)}),h+="</dl>",e.innerHTML=h}catch(e){console.log(e)}else console.log("Could not locate metadata <div> element");function r(e){return e.charAt(0).toUpperCase()+e.slice(1)}}window.removeEventListener("load",addMetadata),window.addEventListener("load",addMetadata);</script>
 </head>
-
 <body>
-
-  <table class="header">
-    <tbody>
-    
-    	<tr>
-<td class="left">Network Working Group</td>
-<td class="right">A. Dulaunoy</td>
-</tr>
-<tr>
+<script src="metadata.min.js"></script>
+<table class="ears">
+<thead><tr>
 <td class="left">Internet-Draft</td>
-<td class="right">A. Iklody</td>
-</tr>
-<tr>
-<td class="left">Expires: June 2, 2018</td>
-<td class="right">CIRCL</td>
-</tr>
-<tr>
-<td class="left"></td>
-<td class="right">November 29, 2017</td>
-</tr>
-
-    	
-    </tbody>
-  </table>
-
-  <p class="title">MISP taxonomy format<br />
-  <span class="filename"></span></p>
-  
-  <h1 id="rfc.abstract"><a href="#rfc.abstract">Abstract</a></h1>
-<p>This document describes the MISP taxonomy format which describes a simple JSON format to represent machine tags (also called triple tags) vocabularies. A public directory of common vocabularies called MISP taxonomies is available and relies on the MISP taxonomy format. MISP taxonomies are used to classify cyber security events, threats, suspicious events, or indicators.</p>
-<h1 id="rfc.status"><a href="#rfc.status">Status of This Memo</a></h1>
-<p>This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.</p>
-<p>Internet-Drafts are working documents of the Internet Engineering Task Force (IETF).  Note that other groups may also distribute working documents as Internet-Drafts.  The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.</p>
-<p>Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time.  It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."</p>
-<p>This Internet-Draft will expire on June 2, 2018.</p>
-<h1 id="rfc.copyrightnotice"><a href="#rfc.copyrightnotice">Copyright Notice</a></h1>
-<p>Copyright (c) 2017 IETF Trust and the persons identified as the document authors.  All rights reserved.</p>
-<p>This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document.  Please review these documents carefully, as they describe your rights and restrictions with respect to this document.  Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.</p>
-
-  
-  <hr class="noprint" />
-  <h1 class="np" id="rfc.toc"><a href="#rfc.toc">Table of Contents</a></h1>
-  <ul class="toc">
-
-  	<li>1.   <a href="#rfc.section.1">Introduction</a>
+<td class="center">MISP taxonomy format</td>
+<td class="right">November 2021</td>
+</tr></thead>
+<tfoot><tr>
+<td class="left">Dulaunoy &amp; Iklody</td>
+<td class="center">Expires 25 May 2022</td>
+<td class="right">[Page]</td>
+</tr></tfoot>
+</table>
+<div id="external-metadata" class="document-information"></div>
+<div id="internal-metadata" class="document-information">
+<dl id="identifiers">
+<dt class="label-workgroup">Workgroup:</dt>
+<dd class="workgroup">Network Working Group</dd>
+<dt class="label-internet-draft">Internet-Draft:</dt>
+<dd class="internet-draft">draft-00</dd>
+<dt class="label-published">Published:</dt>
+<dd class="published">
+<time datetime="2021-11-21" class="published">21 November 2021</time>
+    </dd>
+<dt class="label-intended-status">Intended Status:</dt>
+<dd class="intended-status">Informational</dd>
+<dt class="label-expires">Expires:</dt>
+<dd class="expires"><time datetime="2022-05-25">25 May 2022</time></dd>
+<dt class="label-authors">Authors:</dt>
+<dd class="authors">
+<div class="author">
+      <div class="author-name">A. Dulaunoy</div>
+<div class="org">CIRCL</div>
+</div>
+<div class="author">
+      <div class="author-name">A. Iklody</div>
+<div class="org">CIRCL</div>
+</div>
+</dd>
+</dl>
+</div>
+<h1 id="title">MISP taxonomy format</h1>
+<section id="section-abstract">
+      <h2 id="abstract"><a href="#abstract" class="selfRef">Abstract</a></h2>
+<p id="section-abstract-1">This document describes the MISP taxonomy format which describes a simple JSON format to
+represent machine tags (also called triple tags) vocabularies. A public directory of common vocabularies
+called MISP taxonomies is available and relies on the MISP taxonomy format. MISP taxonomies are used to classify
+cyber security events, threats, suspicious events, or indicators.<a href="#section-abstract-1" class="pilcrow">¶</a></p>
+</section>
+<div id="status-of-memo">
+<section id="section-boilerplate.1">
+        <h2 id="name-status-of-this-memo">
+<a href="#name-status-of-this-memo" class="section-name selfRef">Status of This Memo</a>
+        </h2>
+<p id="section-boilerplate.1-1">
+        This Internet-Draft is submitted in full conformance with the
+        provisions of BCP 78 and BCP 79.<a href="#section-boilerplate.1-1" class="pilcrow">¶</a></p>
+<p id="section-boilerplate.1-2">
+        Internet-Drafts are working documents of the Internet Engineering Task
+        Force (IETF). Note that other groups may also distribute working
+        documents as Internet-Drafts. The list of current Internet-Drafts is
+        at <span><a href="https://datatracker.ietf.org/drafts/current/">https://datatracker.ietf.org/drafts/current/</a></span>.<a href="#section-boilerplate.1-2" class="pilcrow">¶</a></p>
+<p id="section-boilerplate.1-3">
+        Internet-Drafts are draft documents valid for a maximum of six months
+        and may be updated, replaced, or obsoleted by other documents at any
+        time. It is inappropriate to use Internet-Drafts as reference
+        material or to cite them other than as "work in progress."<a href="#section-boilerplate.1-3" class="pilcrow">¶</a></p>
+<p id="section-boilerplate.1-4">
+        This Internet-Draft will expire on 25 May 2022.<a href="#section-boilerplate.1-4" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="copyright">
+<section id="section-boilerplate.2">
+        <h2 id="name-copyright-notice">
+<a href="#name-copyright-notice" class="section-name selfRef">Copyright Notice</a>
+        </h2>
+<p id="section-boilerplate.2-1">
+            Copyright (c) 2021 IETF Trust and the persons identified as the
+            document authors. All rights reserved.<a href="#section-boilerplate.2-1" class="pilcrow">¶</a></p>
+<p id="section-boilerplate.2-2">
+            This document is subject to BCP 78 and the IETF Trust's Legal
+            Provisions Relating to IETF Documents
+            (<span><a href="https://trustee.ietf.org/license-info">https://trustee.ietf.org/license-info</a></span>) in effect on the date of
+            publication of this document. Please review these documents
+            carefully, as they describe your rights and restrictions with
+            respect to this document.<a href="#section-boilerplate.2-2" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="toc">
+<section id="section-toc.1">
+        <a href="#" onclick="scroll(0,0)" class="toplink">▲</a><h2 id="name-table-of-contents">
+<a href="#name-table-of-contents" class="section-name selfRef">Table of Contents</a>
+        </h2>
+<nav class="toc"><ul class="ulEmpty compact toc ulBare">
+<li class="ulEmpty compact toc ulBare" id="section-toc.1-1.1">
+            <p id="section-toc.1-1.1.1" class="keepWithNext"><a href="#section-1" class="xref">1</a>.  <a href="#name-introduction" class="xref">Introduction</a></p>
+<ul class="compact toc ulBare ulEmpty">
+<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.1.2.1">
+                <p id="section-toc.1-1.1.2.1.1" class="keepWithNext"><a href="#section-1.1" class="xref">1.1</a>.  <a href="#name-conventions-and-terminology" class="xref">Conventions and Terminology</a></p>
 </li>
-<ul><li>1.1.   <a href="#rfc.section.1.1">Conventions and Terminology</a>
+            </ul>
 </li>
-</ul><li>2.   <a href="#rfc.section.2">Format</a>
+          <li class="ulEmpty compact toc ulBare" id="section-toc.1-1.2">
+            <p id="section-toc.1-1.2.1"><a href="#section-2" class="xref">2</a>.  <a href="#name-format" class="xref">Format</a></p>
+<ul class="compact toc ulBare ulEmpty">
+<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.1">
+                <p id="section-toc.1-1.2.2.1.1" class="keepWithNext"><a href="#section-2.1" class="xref">2.1</a>.  <a href="#name-overview" class="xref">Overview</a></p>
 </li>
-<ul><li>2.1.   <a href="#rfc.section.2.1">Overview</a>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.2">
+                <p id="section-toc.1-1.2.2.2.1"><a href="#section-2.2" class="xref">2.2</a>.  <a href="#name-predicates" class="xref">predicates</a></p>
 </li>
-<li>2.2.   <a href="#rfc.section.2.2">predicates</a>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.3">
+                <p id="section-toc.1-1.2.2.3.1"><a href="#section-2.3" class="xref">2.3</a>.  <a href="#name-values" class="xref">values</a></p>
 </li>
-<li>2.3.   <a href="#rfc.section.2.3">values</a>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.4">
+                <p id="section-toc.1-1.2.2.4.1"><a href="#section-2.4" class="xref">2.4</a>.  <a href="#name-optional-fields" class="xref">optional fields</a></p>
+<ul class="compact toc ulBare ulEmpty">
+<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.4.2.1">
+                    <p id="section-toc.1-1.2.2.4.2.1.1"><a href="#section-2.4.1" class="xref">2.4.1</a>.  <a href="#name-colour" class="xref">colour</a></p>
 </li>
-<li>2.4.   <a href="#rfc.section.2.4">optional fields</a>
+                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.4.2.2">
+                    <p id="section-toc.1-1.2.2.4.2.2.1"><a href="#section-2.4.2" class="xref">2.4.2</a>.  <a href="#name-description" class="xref">description</a></p>
 </li>
-<ul><li>2.4.1.   <a href="#rfc.section.2.4.1">colour</a>
+                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.4.2.3">
+                    <p id="section-toc.1-1.2.2.4.2.3.1"><a href="#section-2.4.3" class="xref">2.4.3</a>.  <a href="#name-numerical_value" class="xref">numerical_value</a></p>
 </li>
-<li>2.4.2.   <a href="#rfc.section.2.4.2">description</a>
+                </ul>
 </li>
-<li>2.4.3.   <a href="#rfc.section.2.4.3">numerical_value</a>
+            </ul>
 </li>
-</ul></ul><li>3.   <a href="#rfc.section.3">Directory</a>
+          <li class="ulEmpty compact toc ulBare" id="section-toc.1-1.3">
+            <p id="section-toc.1-1.3.1"><a href="#section-3" class="xref">3</a>.  <a href="#name-directory" class="xref">Directory</a></p>
+<ul class="compact toc ulBare ulEmpty">
+<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.1">
+                <p id="section-toc.1-1.3.2.1.1"><a href="#section-3.1" class="xref">3.1</a>.  <a href="#name-sample-manifest" class="xref">Sample Manifest</a></p>
 </li>
-<ul><li>3.1.   <a href="#rfc.section.3.1">Sample Manifest</a>
+            </ul>
 </li>
-</ul><li>4.   <a href="#rfc.section.4">Sample Taxonomy in MISP taxonomy format</a>
+          <li class="ulEmpty compact toc ulBare" id="section-toc.1-1.4">
+            <p id="section-toc.1-1.4.1"><a href="#section-4" class="xref">4</a>.  <a href="#name-sample-taxonomy-in-misp-tax" class="xref">Sample Taxonomy in MISP taxonomy format</a></p>
+<ul class="compact toc ulBare ulEmpty">
+<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4.2.1">
+                <p id="section-toc.1-1.4.2.1.1"><a href="#section-4.1" class="xref">4.1</a>.  <a href="#name-admiralty-scale-taxonomy" class="xref">Admiralty Scale Taxonomy</a></p>
 </li>
-<ul><li>4.1.   <a href="#rfc.section.4.1">Admiralty Scale Taxonomy</a>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4.2.2">
+                <p id="section-toc.1-1.4.2.2.1"><a href="#section-4.2" class="xref">4.2</a>.  <a href="#name-open-source-intelligence-cl" class="xref">Open Source Intelligence - Classification</a></p>
 </li>
-<li>4.2.   <a href="#rfc.section.4.2">Open Source Intelligence - Classification</a>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4.2.3">
+                <p id="section-toc.1-1.4.2.3.1"><a href="#section-4.3" class="xref">4.3</a>.  <a href="#name-available-taxonomies-in-the" class="xref">Available taxonomies in the public directory</a></p>
 </li>
-<li>4.3.   <a href="#rfc.section.4.3">Available taxonomies in the public directory</a>
+            </ul>
 </li>
-</ul><li>5.   <a href="#rfc.section.5">JSON Schema</a>
+          <li class="ulEmpty compact toc ulBare" id="section-toc.1-1.5">
+            <p id="section-toc.1-1.5.1"><a href="#section-5" class="xref">5</a>.  <a href="#name-json-schema" class="xref">JSON Schema</a></p>
 </li>
-<li>6.   <a href="#rfc.section.6">Acknowledgements</a>
+          <li class="ulEmpty compact toc ulBare" id="section-toc.1-1.6">
+            <p id="section-toc.1-1.6.1"><a href="#section-6" class="xref">6</a>.  <a href="#name-acknowledgements" class="xref">Acknowledgements</a></p>
 </li>
-<li>7.   <a href="#rfc.references">References</a>
+          <li class="ulEmpty compact toc ulBare" id="section-toc.1-1.7">
+            <p id="section-toc.1-1.7.1"><a href="#section-7" class="xref">7</a>.  <a href="#name-normative-references" class="xref">Normative References</a></p>
 </li>
-<ul><li>7.1.   <a href="#rfc.references.1">Normative References</a>
+          <li class="ulEmpty compact toc ulBare" id="section-toc.1-1.8">
+            <p id="section-toc.1-1.8.1"><a href="#section-8" class="xref">8</a>.  <a href="#name-informative-references" class="xref">Informative References</a></p>
 </li>
-<li>7.2.   <a href="#rfc.references.2">Informative References</a>
+          <li class="ulEmpty compact toc ulBare" id="section-toc.1-1.9">
+            <p id="section-toc.1-1.9.1"><a href="#appendix-A" class="xref"></a><a href="#name-authors-addresses" class="xref">Authors' Addresses</a></p>
 </li>
-</ul><li><a href="#rfc.authors">Authors' Addresses</a>
-</li>
-
-
-  </ul>
-
-  <h1 id="rfc.section.1">
-<a href="#rfc.section.1">1.</a> <a href="#introduction" id="introduction">Introduction</a>
-</h1>
-<p id="rfc.section.1.p.1">Sharing threat information became a fundamental requirements on the Internet, security and intelligence community at large. Threat information can include indicators of compromise, malicious file indicators, financial fraud indicators or even detailed information about a threat actor. While sharing such indicators or information, classification plays an important role to ensure adequate distribution, understanding, validation or action of the shared information. MISP taxonomies is a public repository of known vocabularies that can be used in threat information sharing.</p>
-<p id="rfc.section.1.p.2">Machine tags were introduced in 2007 <a href="#machine-tags" class="xref">[machine-tags]</a> to allow users to be more precise when tagging their pictures with geolocation.  So a machine tag is a tag which uses a special syntax to provide more information to users and machines. Machine tags are also known as triple tags due to their format.</p>
-<p id="rfc.section.1.p.3">In the MISP taxonomy context, machine tags help analysts to classify their cybersecurity events, indicators or threats. MISP taxonomies can be used for classification, filtering, triggering actions or visualisation depending on their use in threat intelligence platforms such as MISP <a href="#MISP-P" class="xref">[MISP-P]</a>.</p>
-<h1 id="rfc.section.1.1">
-<a href="#rfc.section.1.1">1.1.</a> <a href="#conventions-and-terminology" id="conventions-and-terminology">Conventions and Terminology</a>
-</h1>
-<p id="rfc.section.1.1.p.1">The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 <a href="#RFC2119" class="xref">[RFC2119]</a>.</p>
-<h1 id="rfc.section.2">
-<a href="#rfc.section.2">2.</a> <a href="#format" id="format">Format</a>
-</h1>
-<p id="rfc.section.2.p.1">A machine tag is composed of a namespace (MUST), a predicate (MUST) and an optional value (OPTIONAL).</p>
-<p id="rfc.section.2.p.2">Machine tags are represented as a string. Below listed are a set of sample machine tags for different namespaces such as tlp, admiralty-scale and osint.</p>
+        </ul>
+</nav>
+</section>
+</div>
+<div id="introduction">
+<section id="section-1">
+      <h2 id="name-introduction">
+<a href="#section-1" class="section-number selfRef">1. </a><a href="#name-introduction" class="section-name selfRef">Introduction</a>
+      </h2>
+<p id="section-1-1">Sharing threat information became a fundamental requirements on the Internet, security and intelligence community at large. Threat
+information can include indicators of compromise, malicious file indicators, financial fraud indicators
+or even detailed information about a threat actor. While sharing such indicators or information, classification plays an important role
+to ensure adequate distribution, understanding, validation or action of the shared information. MISP taxonomies is a public repository
+of known vocabularies that can be used in threat information sharing.<a href="#section-1-1" class="pilcrow">¶</a></p>
+<p id="section-1-2">Machine tags were introduced in 2007 <span>[<a href="#machine-tags" class="xref">machine-tags</a>]</span> to allow users to be more precise when tagging their pictures with geolocation.
+So a machine tag is a tag which uses a special syntax to provide more information to users and machines. Machine tags are also known
+as triple tags due to their format.<a href="#section-1-2" class="pilcrow">¶</a></p>
+<p id="section-1-3">In the MISP taxonomy context, machine tags help analysts to classify their cybersecurity events, indicators or threats. MISP taxonomies can be used for classification, filtering, triggering actions or visualisation depending on their use in threat intelligence platforms such as MISP <span>[<a href="#MISP-P" class="xref">MISP-P</a>]</span>.<a href="#section-1-3" class="pilcrow">¶</a></p>
+<div id="conventions-and-terminology">
+<section id="section-1.1">
+        <h3 id="name-conventions-and-terminology">
+<a href="#section-1.1" class="section-number selfRef">1.1. </a><a href="#name-conventions-and-terminology" class="section-name selfRef">Conventions and Terminology</a>
+        </h3>
+<p id="section-1.1-1">The key words "<span class="bcp14">MUST</span>", "<span class="bcp14">MUST NOT</span>", "<span class="bcp14">REQUIRED</span>", "<span class="bcp14">SHALL</span>", "<span class="bcp14">SHALL NOT</span>",
+"<span class="bcp14">SHOULD</span>", "<span class="bcp14">SHOULD NOT</span>", "<span class="bcp14">RECOMMENDED</span>", "<span class="bcp14">MAY</span>", and "<span class="bcp14">OPTIONAL</span>" in this
+document are to be interpreted as described in RFC 2119 <span>[<a href="#RFC2119" class="xref">RFC2119</a>]</span>.<a href="#section-1.1-1" class="pilcrow">¶</a></p>
+</section>
+</div>
+</section>
+</div>
+<div id="format">
+<section id="section-2">
+      <h2 id="name-format">
+<a href="#section-2" class="section-number selfRef">2. </a><a href="#name-format" class="section-name selfRef">Format</a>
+      </h2>
+<p id="section-2-1">A machine tag is composed of a namespace (<span class="bcp14">MUST</span>), a predicate (<span class="bcp14">MUST</span>) and an optional value (<span class="bcp14">OPTIONAL</span>).<a href="#section-2-1" class="pilcrow">¶</a></p>
+<p id="section-2-2">Machine tags are represented as a string. Below listed are a set of sample machine tags for different namespaces such as tlp, admiralty-scale and osint.<a href="#section-2-2" class="pilcrow">¶</a></p>
+<div class="artwork art-text alignLeft" id="section-2-3">
 <pre>tlp:amber
 admiralty-scale:information-credibility="1"
 osint:source-type="blog-post"
-</pre>
-<p id="rfc.section.2.p.3">The MISP taxonomy format describes how to define a machine tag namespace in a parseable format. The objective is to provide a simple format to describe machine tag (aka triple tag) vocabularies.</p>
-<h1 id="rfc.section.2.1">
-<a href="#rfc.section.2.1">2.1.</a> <a href="#overview" id="overview">Overview</a>
-</h1>
-<p id="rfc.section.2.1.p.1">The MISP taxonomy format uses the JSON <a href="#RFC8259" class="xref">[RFC8259]</a> format. Each namespace is represented as a JSON object with meta information including the following fields: namespace, description, version, type.</p>
-<p id="rfc.section.2.1.p.2">namespace defines the overall namespace of the machine tag. The namespace is represented as a string and MUST be present. The description is represented as a string and MUST be present. A version is represented as a unsigned integer MUST be present. A type defines where a specific taxonomy is applicable and a type can be applicable at event, user or org level. The type is represented as an array containing one or more type and SHOULD be present. If a type is not mentioned, by default, the taxonomy is applicable at event level only. An exclusive boolean property MAY be present and defines at namespace level if the predicates are mutually exclusive.</p>
-<p id="rfc.section.2.1.p.3">predicates defines all the predicates available in the namespace defined. predicates is represented as an array of JSON objects. predicates MUST be present and MUST at least content one element.</p>
-<p id="rfc.section.2.1.p.4">values defines all the values for each predicate in the namespace defined. values SHOULD be present.</p>
-<h1 id="rfc.section.2.2">
-<a href="#rfc.section.2.2">2.2.</a> <a href="#predicates" id="predicates">predicates</a>
-</h1>
-<p id="rfc.section.2.2.p.1">The predicates array contains one or more JSON objects which lists all the possible predicates. The JSON object contains two fields: value and expanded. value MUST be present. expanded SHOULD be present. value is represented as a string and describes the predicate value. The predicate value MUST not contain spaces or colons. expanded is represented as a string and describes the human-readable version of the predicate value. An exclusive property MAY be present and defines at namespace level if the values are mutually exclusive.</p>
-<h1 id="rfc.section.2.3">
-<a href="#rfc.section.2.3">2.3.</a> <a href="#values" id="values">values</a>
-</h1>
-<p id="rfc.section.2.3.p.1">The values array contain one or more JSON objects which lists all the possible values of a predicate. The JSON object contains two fields: predicate and entry. predicate is represented as a string and describes the predicate value. entry is an array with one or more JSON objects. The JSON object contains two fields: value and expanded. value MUST be present. expanded SHOULD be present. value is represented as a string and describes the machine parsable value. expanded is represented as a string and describes the human-readable version of the value.</p>
-<h1 id="rfc.section.2.4">
-<a href="#rfc.section.2.4">2.4.</a> <a href="#optional-fields" id="optional-fields">optional fields</a>
-</h1>
-<h1 id="rfc.section.2.4.1">
-<a href="#rfc.section.2.4.1">2.4.1.</a> <a href="#colour" id="colour">colour</a>
-</h1>
-<p id="rfc.section.2.4.1.p.1">colour fields MAY be used at predicates or values level to set a specify colour that MAY be used by the implementation. The colour field is described as an RGB colour fill in hexadecimal representation.</p>
-<p id="rfc.section.2.4.1.p.2">Example use of the colour field in the Traffic Light Protocol (TLP):</p>
+</pre><a href="#section-2-3" class="pilcrow">¶</a>
+</div>
+<p id="section-2-4">The MISP taxonomy format describes how to define a machine tag namespace in a parseable format. The objective is to provide a simple format
+to describe machine tag (aka triple tag) vocabularies.<a href="#section-2-4" class="pilcrow">¶</a></p>
+<div id="overview">
+<section id="section-2.1">
+        <h3 id="name-overview">
+<a href="#section-2.1" class="section-number selfRef">2.1. </a><a href="#name-overview" class="section-name selfRef">Overview</a>
+        </h3>
+<p id="section-2.1-1">The MISP taxonomy format uses the JSON <span>[<a href="#RFC8259" class="xref">RFC8259</a>]</span> format. Each namespace is represented as a JSON object with meta information including the following fields: namespace, description, version, type.<a href="#section-2.1-1" class="pilcrow">¶</a></p>
+<p id="section-2.1-2">namespace defines the overall namespace of the machine tag. The namespace is represented as a string and <span class="bcp14">MUST</span> be present. The description is represented as a string and <span class="bcp14">MUST</span> be present. A version is represented as a unsigned integer <span class="bcp14">MUST</span> be present. A type defines where a specific taxonomy is applicable and a type can be applicable at event, user or org level. The type is represented as an array containing one or more type and <span class="bcp14">SHOULD</span> be present. If a type is not mentioned, by default, the taxonomy is applicable at event level only. An exclusive boolean property <span class="bcp14">MAY</span> be present and defines at namespace level if the predicates are mutually exclusive.<a href="#section-2.1-2" class="pilcrow">¶</a></p>
+<p id="section-2.1-3">predicates defines all the predicates available in the namespace defined. predicates is represented as an array of JSON objects. predicates <span class="bcp14">MUST</span> be present and <span class="bcp14">MUST</span> at least content one element.<a href="#section-2.1-3" class="pilcrow">¶</a></p>
+<p id="section-2.1-4">values defines all the values for each predicate in the namespace defined. values <span class="bcp14">SHOULD</span> be present.<a href="#section-2.1-4" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="predicates">
+<section id="section-2.2">
+        <h3 id="name-predicates">
+<a href="#section-2.2" class="section-number selfRef">2.2. </a><a href="#name-predicates" class="section-name selfRef">predicates</a>
+        </h3>
+<p id="section-2.2-1">The predicates array contains one or more JSON objects which lists all the possible predicates. The JSON object contains two fields: value and expanded. value <span class="bcp14">MUST</span> be present. expanded <span class="bcp14">SHOULD</span> be present. value is represented as a string and describes the predicate value. The predicate value <span class="bcp14">MUST</span> not contain spaces or colons. expanded is represented as a string and describes the human-readable version of the predicate value. An exclusive property <span class="bcp14">MAY</span> be present and defines at namespace level if the values are mutually exclusive.<a href="#section-2.2-1" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="values">
+<section id="section-2.3">
+        <h3 id="name-values">
+<a href="#section-2.3" class="section-number selfRef">2.3. </a><a href="#name-values" class="section-name selfRef">values</a>
+        </h3>
+<p id="section-2.3-1">The values array contain one or more JSON objects which lists all the possible values of a predicate. The JSON object contains two fields: predicate and entry. predicate is represented as a string and describes the predicate value. entry is an array with one or more JSON objects. The JSON object contains two fields: value and expanded. value <span class="bcp14">MUST</span> be present. expanded <span class="bcp14">SHOULD</span> be present. value is represented as a string and describes the machine parsable value. expanded is represented as a string and describes the human-readable version of the value.<a href="#section-2.3-1" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="optional-fields">
+<section id="section-2.4">
+        <h3 id="name-optional-fields">
+<a href="#section-2.4" class="section-number selfRef">2.4. </a><a href="#name-optional-fields" class="section-name selfRef">optional fields</a>
+        </h3>
+<div id="colour">
+<section id="section-2.4.1">
+          <h4 id="name-colour">
+<a href="#section-2.4.1" class="section-number selfRef">2.4.1. </a><a href="#name-colour" class="section-name selfRef">colour</a>
+          </h4>
+<p id="section-2.4.1-1">colour fields <span class="bcp14">MAY</span> be used at predicates or values level to set a specify colour that <span class="bcp14">MAY</span> be used by the implementation. The colour field is described as an RGB colour fill in hexadecimal representation.<a href="#section-2.4.1-1" class="pilcrow">¶</a></p>
+<p id="section-2.4.1-2">Example use of the colour field in the Traffic Light Protocol (TLP):<a href="#section-2.4.1-2" class="pilcrow">¶</a></p>
+<div class="artwork art-text alignLeft" id="section-2.4.1-3">
 <pre>"predicates": [
     {
       "colour": "#CC0033",
@@ -560,17 +1446,29 @@ osint:source-type="blog-post"
                    the organization to be effectively acted upon.",
       "value": "amber"
     }...]
-</pre>
-<h1 id="rfc.section.2.4.2">
-<a href="#rfc.section.2.4.2">2.4.2.</a> <a href="#description" id="description">description</a>
-</h1>
-<p id="rfc.section.2.4.2.p.1">description fields MAY be used at predicates or values level to add a descriptive and human-readable information about the specific predicate or value. The field is represented as a string. Implementations MAY use the description field to improve more contextual information. The description at the namespace level is a MUST as described above.</p>
-<h1 id="rfc.section.2.4.3">
-<a href="#rfc.section.2.4.3">2.4.3.</a> <a href="#numerical-value" id="numerical-value">numerical_value</a>
-</h1>
-<p id="rfc.section.2.4.3.p.1">numerical_value fields MAY be used at a predicate or value level to add a machine-readable numeric value to a specific predicate or value.  The field is represented as a JSON number. Implementations SHOULD use the decimal value provided to support scoring or filtering.</p>
-<p id="rfc.section.2.4.3.p.2">The decimal range for numerical_value SHOULD use a range from 0 up to 100. The range is recommended to support common mathematical properties among taxonomies.</p>
-<p id="rfc.section.2.4.3.p.3">Example use of the numerical_value in the MISP confidence level:</p>
+</pre><a href="#section-2.4.1-3" class="pilcrow">¶</a>
+</div>
+</section>
+</div>
+<div id="description">
+<section id="section-2.4.2">
+          <h4 id="name-description">
+<a href="#section-2.4.2" class="section-number selfRef">2.4.2. </a><a href="#name-description" class="section-name selfRef">description</a>
+          </h4>
+<p id="section-2.4.2-1">description fields <span class="bcp14">MAY</span> be used at predicates or values level to add a descriptive and human-readable information about the specific predicate or value. The field is represented as a string. Implementations <span class="bcp14">MAY</span> use the description field to improve more contextual information. The description at the namespace level is a <span class="bcp14">MUST</span> as described above.<a href="#section-2.4.2-1" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="numerical-value">
+<section id="section-2.4.3">
+          <h4 id="name-numerical_value">
+<a href="#section-2.4.3" class="section-number selfRef">2.4.3. </a><a href="#name-numerical_value" class="section-name selfRef">numerical_value</a>
+          </h4>
+<p id="section-2.4.3-1">numerical_value fields <span class="bcp14">MAY</span> be used at a predicate or value level to add a machine-readable numeric value to a specific predicate or value.
+The field is represented as a JSON number. Implementations <span class="bcp14">SHOULD</span> use the decimal value provided to support scoring or filtering.<a href="#section-2.4.3-1" class="pilcrow">¶</a></p>
+<p id="section-2.4.3-2">The decimal range for numerical_value <span class="bcp14">SHOULD</span> use a range from 0 up to 100. The range is recommended to support common mathematical properties
+among taxonomies.<a href="#section-2.4.3-2" class="pilcrow">¶</a></p>
+<p id="section-2.4.3-3">Example use of the numerical_value in the MISP confidence level:<a href="#section-2.4.3-3" class="pilcrow">¶</a></p>
+<div class="artwork art-text alignLeft" id="section-2.4.3-4">
 <pre>    {
      "predicate": "confidence-level",
      "entry": [
@@ -605,15 +1503,31 @@ osint:source-type="blog-post"
         }
      ]
      }
-</pre>
-<h1 id="rfc.section.3">
-<a href="#rfc.section.3">3.</a> <a href="#directory" id="directory">Directory</a>
-</h1>
-<p id="rfc.section.3.p.1">The MISP taxonomies directory is publicly available <a href="#MISP-T" class="xref">[MISP-T]</a> in a git repository. The repository contains a directory per namespace then a file machinetag.json which contains the taxonomy as described in the format above. In the root of the repository, a MANIFEST.json exists containing a list of all the taxonomies.</p>
-<p id="rfc.section.3.p.2">The MANIFEST.json file is composed of an JSON object with metadata like version, license, description, url and path.  A taxonomies array describes the taxonomy available with the description, name and version field.</p>
-<h1 id="rfc.section.3.1">
-<a href="#rfc.section.3.1">3.1.</a> <a href="#sample-manifest" id="sample-manifest">Sample Manifest</a>
-</h1>
+</pre><a href="#section-2.4.3-4" class="pilcrow">¶</a>
+</div>
+</section>
+</div>
+</section>
+</div>
+</section>
+</div>
+<div id="directory">
+<section id="section-3">
+      <h2 id="name-directory">
+<a href="#section-3" class="section-number selfRef">3. </a><a href="#name-directory" class="section-name selfRef">Directory</a>
+      </h2>
+<p id="section-3-1">The MISP taxonomies directory is publicly available <span>[<a href="#MISP-T" class="xref">MISP-T</a>]</span> in a git repository. The repository
+contains a directory per namespace then a file machinetag.json which contains the taxonomy as
+described in the format above. In the root of the repository, a MANIFEST.json exists containing
+a list of all the taxonomies.<a href="#section-3-1" class="pilcrow">¶</a></p>
+<p id="section-3-2">The MANIFEST.json file is composed of an JSON object with metadata like version, license, description, url and path.
+A taxonomies array describes the taxonomy available with the description, name and version field.<a href="#section-3-2" class="pilcrow">¶</a></p>
+<div id="sample-manifest">
+<section id="section-3.1">
+        <h3 id="name-sample-manifest">
+<a href="#section-3.1" class="section-number selfRef">3.1. </a><a href="#name-sample-manifest" class="section-name selfRef">Sample Manifest</a>
+        </h3>
+<div class="artwork art-text alignLeft" id="section-3.1-1">
 <pre>{
   "version": "20161009",
   "license": "CC-0",
@@ -635,13 +1549,23 @@ osint:source-type="blog-post"
       "version": 2
     }]
 }
-</pre>
-<h1 id="rfc.section.4">
-<a href="#rfc.section.4">4.</a> <a href="#sample-taxonomy-in-misp-taxonomy-format" id="sample-taxonomy-in-misp-taxonomy-format">Sample Taxonomy in MISP taxonomy format</a>
-</h1>
-<h1 id="rfc.section.4.1">
-<a href="#rfc.section.4.1">4.1.</a> <a href="#admiralty-scale-taxonomy" id="admiralty-scale-taxonomy">Admiralty Scale Taxonomy</a>
-</h1>
+</pre><a href="#section-3.1-1" class="pilcrow">¶</a>
+</div>
+</section>
+</div>
+</section>
+</div>
+<div id="sample-taxonomy-in-misp-taxonomy-format">
+<section id="section-4">
+      <h2 id="name-sample-taxonomy-in-misp-tax">
+<a href="#section-4" class="section-number selfRef">4. </a><a href="#name-sample-taxonomy-in-misp-tax" class="section-name selfRef">Sample Taxonomy in MISP taxonomy format</a>
+      </h2>
+<div id="admiralty-scale-taxonomy">
+<section id="section-4.1">
+        <h3 id="name-admiralty-scale-taxonomy">
+<a href="#section-4.1" class="section-number selfRef">4.1. </a><a href="#name-admiralty-scale-taxonomy" class="section-name selfRef">Admiralty Scale Taxonomy</a>
+        </h3>
+<div class="artwork art-text alignLeft" id="section-4.1-1">
 <pre>  "namespace": "admiralty-scale",
   "description": "The Admiralty Scale (also called the NATO System)
                   is used to rank the reliability of a source and
@@ -718,10 +1642,16 @@ osint:source-type="blog-post"
     }
   ]
 }
-</pre>
-<h1 id="rfc.section.4.2">
-<a href="#rfc.section.4.2">4.2.</a> <a href="#open-source-intelligence-classification" id="open-source-intelligence-classification">Open Source Intelligence - Classification</a>
-</h1>
+</pre><a href="#section-4.1-1" class="pilcrow">¶</a>
+</div>
+</section>
+</div>
+<div id="open-source-intelligence-classification">
+<section id="section-4.2">
+        <h3 id="name-open-source-intelligence-cl">
+<a href="#section-4.2" class="section-number selfRef">4.2. </a><a href="#name-open-source-intelligence-cl" class="section-name selfRef">Open Source Intelligence - Classification</a>
+        </h3>
+<div class="artwork art-text alignLeft" id="section-4.2-1">
 <pre>{
   "values": [
     {
@@ -845,296 +1775,391 @@ osint:source-type="blog-post"
   ]
 }
 
-</pre>
-<h1 id="rfc.section.4.3">
-<a href="#rfc.section.4.3">4.3.</a> <a href="#available-taxonomies-in-the-public-directory" id="available-taxonomies-in-the-public-directory">Available taxonomies in the public directory</a>
-</h1>
-<p id="rfc.section.4.3.p.1">The public directory of MISP taxonomies <a href="#MISP-T" class="xref">[MISP-T]</a> contains a variety of taxonomy in various fields such as:</p>
-<p></p>
-
-<dl>
-<dt>CERT-XLM:</dt>
-<dd style="margin-left: 8">
-<br>CERT-XLM Security Incident Classification.</dd>
-<dt>DML:</dt>
-<dd style="margin-left: 8">
-<br>The Detection Maturity Level (DML) model is a capability maturity model for referencing ones maturity in detecting cyber attacks.  It's designed for organizations who perform intel-driven detection and response and who put an emphasis on having a mature detection program.</dd>
-<dt>PAP:</dt>
-<dd style="margin-left: 8">
-<br>The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used.</dd>
-<dt>access-method:</dt>
-<dd style="margin-left: 8">
-<br>The access method used to remotely access a system.</dd>
-<dt>accessnow:</dt>
-<dd style="margin-left: 8">
-<br>Access Now classification to classify an issue (such as security, human rights, youth rights).</dd>
-<dt>action-taken:</dt>
-<dd style="margin-left: 8">
-<br>Action taken in the case of a security incident (CSIRT perspective).</dd>
-<dt>admiralty-scale:</dt>
-<dd style="margin-left: 8">
-<br>The Admiralty Scale (also called the NATO System) is used to rank the reliability of a source and the credibility of an information.</dd>
-<dt>adversary:</dt>
-<dd style="margin-left: 8">
-<br>An overview and description of the adversary infrastructure.</dd>
-<dt>ais-marking:</dt>
-<dd style="margin-left: 8">
-<br>AIS Marking Schema implementation is maintained by the National Cybersecurity and Communication Integration Center (NCCIC) of the U.S. Department of Homeland Security (DHS)</dd>
-<dt>analyst-assessment:</dt>
-<dd style="margin-left: 8">
-<br>A series of assessment predicates describing the analyst capabilities to perform analysis. These assessment can be assigned by the analyst him/herself or by another party evaluating the analyst.</dd>
-<dt>approved-category-of-action:</dt>
-<dd style="margin-left: 8">
-<br>A pre-approved category of action for indicators being shared with partners (MIMIC).</dd>
-<dt>binary-class:</dt>
-<dd style="margin-left: 8">
-<br>Custom taxonomy for types of binary file.</dd>
-<dt>cccs:</dt>
-<dd style="margin-left: 8">
-<br>Internal taxonomy for CCCS.</dd>
-<dt>circl:</dt>
-<dd style="margin-left: 8">
-<br>CIRCL Taxonomy is a simple scheme for incident classification and area topic where the incident took place.</dd>
-<dt>collaborative-intelligence:</dt>
-<dd style="margin-left: 8">
-<br>Collaborative intelligence support language is a common language to support analysts to perform their analysis to get crowdsourced support when using threat intelligence sharing platform like MISP.</dd>
-<dt>common-taxonomy:</dt>
-<dd style="margin-left: 8">
-<br>The Common Taxonomy for Law Enforcement and The National Network of CSIRTs bridges the gap between the CSIRTs and international Law Enforcement communities by adding a legislative framework to facilitate the harmonisation of incident reporting to competent authorities, the development of useful statistics and sharing information within the entire cybercrime ecosystem.</dd>
-<dt>copine-scale:</dt>
-<dd style="margin-left: 8">
-<br>The COPINE Scale is a rating system created in Ireland and used in the United Kingdom to categorise the severity of images of child sex abuse.</dd>
-<dt>cryptocurrency-threat:</dt>
-<dd style="margin-left: 8">
-<br>Threats targetting cryptocurrency, based on CipherTrace report.</dd>
-<dt>csirtcaseclassification:</dt>
-<dd style="margin-left: 8">
-<br>FIRST CSIRT Case Classification.</dd>
-<dt>cssa:</dt>
-<dd style="margin-left: 8">
-<br>The CSSA agreed sharing taxonomy.</dd>
-<dt>cyber-threat-framework:</dt>
-<dd style="margin-left: 8">
-<br>Cyber Threat Framework was developed by the US Government to enable consistent characterization and categorization of cyber threat events, and to identify trends or changes in the activities of cyber adversaries. <a href="https://www.dni.gov/index.php/cyber-threat-framework">https://www.dni.gov/index.php/cyber-threat-framework</a>
+</pre><a href="#section-4.2-1" class="pilcrow">¶</a>
+</div>
+</section>
+</div>
+<div id="available-taxonomies-in-the-public-directory">
+<section id="section-4.3">
+        <h3 id="name-available-taxonomies-in-the">
+<a href="#section-4.3" class="section-number selfRef">4.3. </a><a href="#name-available-taxonomies-in-the" class="section-name selfRef">Available taxonomies in the public directory</a>
+        </h3>
+<p id="section-4.3-1">The public directory of MISP taxonomies <span>[<a href="#MISP-T" class="xref">MISP-T</a>]</span> contains a variety of taxonomy in various fields such as:<a href="#section-4.3-1" class="pilcrow">¶</a></p>
+<span class="break"></span><dl class="dlParallel" id="section-4.3-2">
+          <dt id="section-4.3-2.1">CERT-XLM:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.2">CERT-XLM Security Incident Classification.<a href="#section-4.3-2.2" class="pilcrow">¶</a>
 </dd>
-<dt>data-classification:</dt>
-<dd style="margin-left: 8">
-<br>Data classification for data potentially at risk of exfiltration based on table 2.1 of Solving Cyber Risk book.</dd>
-<dt>dcso-sharing:</dt>
-<dd style="margin-left: 8">
-<br>DCSO Sharing Taxonomy to classify certain types of MISP events using the DCSO Event Guide</dd>
-<dt>ddos:</dt>
-<dd style="margin-left: 8">
-<br>Distributed Denial of Service - or short: DDoS - taxonomy supports the description of Denial of Service attacks and especially the types they belong too.</dd>
-<dt>de-vs:</dt>
-<dd style="margin-left: 8">
-<br>Taxonomy for the handling of protectively marked information in MISP with German (DE) Government classification markings (VS)</dd>
-<dt>dhs-ciip-sectors:</dt>
-<dd style="margin-left: 8">
-<br>DHS critical sectors as described in <a href="https://www.dhs.gov/critical-infrastructure-sectors">https://www.dhs.gov/critical-infrastructure-sectors</a>.</dd>
-<dt>diamond-model:</dt>
-<dd style="margin-left: 8">
-<br>The Diamond Model for Intrusion Analysis, a phase-based model developed by Lockheed Martin, aims to help categorise and identify the stage of an attack.</dd>
-<dt>dni-ism:</dt>
-<dd style="margin-left: 8">
-<br>ISM (Information Security Marking Metadata) V13 as described by DNI.gov (Director of National Intelligence - US).</dd>
-<dt>domain-abuse:</dt>
-<dd style="margin-left: 8">
-<br>Taxonomy to tag domain names used for cybercrime.</dd>
-<dt>drugs:</dt>
-<dd style="margin-left: 8">
-<br>A taxonomy based on the superclass and class of drugs, based on <a href="https://www.drugbank.ca/releases/latest">https://www.drugbank.ca/releases/latest</a>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.3">DML:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.4">The Detection Maturity Level (DML) model is a capability maturity model for referencing ones maturity in detecting cyber attacks.  It's designed for organizations who perform intel-driven detection and response and who put an emphasis on having a mature detection program.<a href="#section-4.3-2.4" class="pilcrow">¶</a>
 </dd>
-<dt>economical-impact:</dt>
-<dd style="margin-left: 8">
-<br>Economical impact is a taxonomy to describe the financial impact as positive or negative gain to the tagged information.</dd>
-<dt>ecsirt:</dt>
-<dd style="margin-left: 8">
-<br>eCSIRT incident classification Appendix C of the eCSIRT EU project including IntelMQ updates.</dd>
-<dt>enisa:</dt>
-<dd style="margin-left: 8">
-<br>ENISA Threat Taxonomy - A tool for structuring threat information as published in <a href="https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/enisa-threat-landscape/etl2015/enisa-threat-taxonomy-a-tool-for-structuring-threat-information">https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/enisa-threat-landscape/etl2015/enisa-threat-taxonomy-a-tool-for-structuring-threat-information</a>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.5">PAP:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.6">The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used.<a href="#section-4.3-2.6" class="pilcrow">¶</a>
 </dd>
-<dt>estimative-language:</dt>
-<dd style="margin-left: 8">
-<br>Estimative language - including likelihood or probability of event based on the Intelligence Community Directive 203 (ICD 203) (6.2.(a)) and JP 2-0, Joint Intelligence.</dd>
-<dt>eu-marketop-and-publicadmin:</dt>
-<dd style="margin-left: 8">
-<br>Market operators and public administrations that must comply to some notifications requirements under EU NIS directive.</dd>
-<dt>eu-nis-sector-and-subsectors:</dt>
-<dd style="margin-left: 8">
-<br>Sectors and sub sectors as identified by the NIS Directive.</dd>
-<dt>euci:</dt>
-<dd style="margin-left: 8">
-<br>EU classified information (EUCI) means any information or material designated by a EU security classification, the unauthorised disclosure of which could cause varying degrees of prejudice to the interests of the European Union or of one or more of the Member States as described in COUNCIL DECISION of 23 September 2013 on the security rules for protecting EU classified information</dd>
-<dt>europol-event:</dt>
-<dd style="margin-left: 8">
-<br>EUROPOL type of events taxonomy.</dd>
-<dt>europol-incident:</dt>
-<dd style="margin-left: 8">
-<br>EUROPOL class of incident taxonomy.</dd>
-<dt>event-assessment:</dt>
-<dd style="margin-left: 8">
-<br>A series of assessment predicates describing the event assessment performed to make judgement(s) under a certain level of uncertainty.</dd>
-<dt>event-classification:</dt>
-<dd style="margin-left: 8">
-<br>Event Classification.</dd>
-<dt>exercise:</dt>
-<dd style="margin-left: 8">
-<br>Exercise is a taxonomy to describe if the information is part of one or more cyber or crisis exercise.</dd>
-<dt>false-positive:</dt>
-<dd style="margin-left: 8">
-<br>This taxonomy aims to ballpark the expected amount of false positives.</dd>
-<dt>file-type:</dt>
-<dd style="margin-left: 8">
-<br>List of known file types.</dd>
-<dt>flesch-reading-ease:</dt>
-<dd style="margin-left: 8">
-<br>Flesch Reading Ease is a revised system for determining the comprehension difficulty of written material. The scoring of the flesh score can have a maximum of 121.22 and there is no limit on how low a score can be (negative score are valid).</dd>
-<dt>fpf:</dt>
-<dd style="margin-left: 8">
-<br>The Future of Privacy Forum (FPF) <a href="https://fpf.org/2016/04/25/a-visual-guide-to-practical-data-de-identification/">visual guide to practical de-identification</a> taxonomy is used to evaluate the degree of identifiability of personal data and the types of pseudonymous data, de-identified data and anonymous data. The work of FPF is licensed under a creative commons attribution 4.0 international license.</dd>
-<dt>fr-classif:</dt>
-<dd style="margin-left: 8">
-<br>French gov information classification system.</dd>
-<dt>gdpr:</dt>
-<dd style="margin-left: 8">
-<br>Taxonomy related to the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)</dd>
-<dt>gsma-attack-category:</dt>
-<dd style="margin-left: 8">
-<br>Taxonomy used by GSMA for their information sharing program with telco describing the attack categories</dd>
-<dt>gsma-fraud:</dt>
-<dd style="margin-left: 8">
-<br>Taxonomy used by GSMA for their information sharing program with telco describing the various aspects of fraud</dd>
-<dt>gsma-network-technology:</dt>
-<dd style="margin-left: 8">
-<br>Taxonomy used by GSMA for their information sharing program with telco describing the types of infrastructure. WiP</dd>
-<dt>honeypot-basic:</dt>
-<dd style="margin-left: 8">
-<br>Christian Seifert, Ian Welch, Peter Komisarczuk, &#8216;Taxonomy of Honeypots&#8217;, Technical Report CS-TR-06/12, VICTORIA UNIVERSITY OF WELLINGTON, School of Mathematical and Computing Sciences, June 2006, <a href="http://www.mcs.vuw.ac.nz/comp/Publications/archive/CS-TR-06/CS-TR-06-12.pdf">http://www.mcs.vuw.ac.nz/comp/Publications/archive/CS-TR-06/CS-TR-06-12.pdf</a>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.7">access-method:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.8">The access method used to remotely access a system.<a href="#section-4.3-2.8" class="pilcrow">¶</a>
 </dd>
-<dt>iep:</dt>
-<dd style="margin-left: 8">
-<br>Forum of Incident Response and Security Teams (FIRST) Information Exchange Policy (IEP) framework.</dd>
-<dt>ifx-vetting:</dt>
-<dd style="margin-left: 8">
-<br>The IFX taxonomy is used to categorise information (MISP events and attributes) to aid in the intelligence vetting process</dd>
-<dt>incident-disposition:</dt>
-<dd style="margin-left: 8">
-<br>How an incident is classified in its process to be resolved. The taxonomy is inspired from NASA Incident Response and Management Handbook.</dd>
-<dt>infoleak:</dt>
-<dd style="margin-left: 8">
-<br>A taxonomy describing information leaks and especially information classified as being potentially leaked.</dd>
-<dt>information-security-data-source:</dt>
-<dd style="margin-left: 8">
-<br>Taxonomy to classify the information security data sources</dd>
-<dt>information-security-indicators:</dt>
-<dd style="margin-left: 8">
-<br>Information security indicators have been standardized by the ETSI Industrial Specification Group (ISG) ISI. These indicators provide the basis to switch from a qualitative to a quantitative culture in IT Security Scope of measurements: External and internal threats (attempt and success), user's deviant behaviours, nonconformities and/or vulnerabilities (software, configuration, behavioural, general security framework). ETSI GS ISI 001-1 (V1.1.2): ISI Indicators</dd>
-<dt>interception-method:</dt>
-<dd style="margin-left: 8">
-<br>The interception method used to intercept traffic.</dd>
-<dt>kill-chain:</dt>
-<dd style="margin-left: 8">
-<br>Cyber Kill Chain from Lockheed Martin as described in Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains.</dd>
-<dt>maec-delivery-vectors:</dt>
-<dd style="margin-left: 8">
-<br>Vectors used to deliver malware based on MAEC 5.0</dd>
-<dt>maec-malware-behavior:</dt>
-<dd style="margin-left: 8">
-<br>Malware behaviours based on MAEC 5.0</dd>
-<dt>maec-malware-capabilities:</dt>
-<dd style="margin-left: 8">
-<br>Malware Capabilities based on MAEC 5.0</dd>
-<dt>maec-malware-obfuscation-methods:</dt>
-<dd style="margin-left: 8">
-<br>Obfuscation methods used by malware based on MAEC 5.0</dd>
-<dt>malware_classification:</dt>
-<dd style="margin-left: 8">
-<br>Malware classification based on a SANS whitepaper about malware.</dd>
-<dt>misp:</dt>
-<dd style="margin-left: 8">
-<br>Internal MISP taxonomy.</dd>
-<dt>monarc-threat:</dt>
-<dd style="margin-left: 8">
-<br>MONARC threat taxonomy.</dd>
-<dt>ms-caro-malware:</dt>
-<dd style="margin-left: 8">
-<br>Malware Type and Platform classification based on Microsoft's implementation of the Computer Antivirus Research Organization (CARO) Naming Scheme and Malware Terminology.</dd>
-<dt>ms-caro-malware-full:</dt>
-<dd style="margin-left: 8">
-<br>Malware Type and Platform classification based on Microsoft's implementation of the Computer Antivirus Research Organization (CARO) Naming Scheme and Malware Terminology.</dd>
-<dt>nato:</dt>
-<dd style="margin-left: 8">
-<br>Marking of Classified and Unclassified materials as described by the North Atlantic Treaty Organization, NATO.</dd>
-<dt>nis:</dt>
-<dd style="margin-left: 8">
-<br>NIS Cybersecurity Incident Taxonomy.</dd>
-<dt>open_threat:</dt>
-<dd style="margin-left: 8">
-<br>Open Threat Taxonomy v1.1 base on James Tarala of SANS ref. - <a href="http://www.auditscripts.com/resources/open_threat_taxonomy_v1.1a.pdf">http://www.auditscripts.com/resources/open_threat_taxonomy_v1.1a.pdf</a>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.9">accessnow:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.10">Access Now classification to classify an issue (such as security, human rights, youth rights).<a href="#section-4.3-2.10" class="pilcrow">¶</a>
 </dd>
-<dt>osint:</dt>
-<dd style="margin-left: 8">
-<br>Open Source Intelligence - Classification (MISP taxonomies).</dd>
-<dt>passivetotal:</dt>
-<dd style="margin-left: 8">
-<br>Tags for RiskIQ's passivetotal service</dd>
-<dt>pentest:</dt>
-<dd style="margin-left: 8">
-<br>Penetration test (pentest) classification.</dd>
-<dt>priority-level:</dt>
-<dd style="margin-left: 8">
-<br>After an incident is scored, it is assigned a priority level. The six levels listed below are aligned with NCCIC, DHS, and the CISS to help provide a common lexicon when discussing incidents. This priority assignment drives NCCIC urgency, pre-approved incident response offerings, reporting requirements, and recommendations for leadership escalation. Generally, incident priority distribution should follow a similar pattern to the graph below. Based on <a href="https://www.us-cert.gov/NCCIC-Cyber-Incident-Scoring-System">https://www.us-cert.gov/NCCIC-Cyber-Incident-Scoring-System</a>.</dd>
-<dt>rsit:</dt>
-<dd style="margin-left: 8">
-<br>Reference Security Incident Classification Taxonomy.</dd>
-<dt>rteventstatus:</dt>
-<dd style="margin-left: 8">
-<br>Status of events used in Request Tracker.</dd>
-<dt>runtime-packer:</dt>
-<dd style="margin-left: 8">
-<br>Runtime or software packer used to combine compressed data with the decompression code. The decompression code can add additional obfuscations mechanisms including polymorphic-packer or other obfuscation techniques. This taxonomy lists all the known or official packer used for legitimate use or for packing malicious binaries.</dd>
-<dt>smart-airports-threats:</dt>
-<dd style="margin-left: 8">
-<br>Threat taxonomy in the scope of securing smart airports by ENISA.</dd>
-<dt>stealth_malware:</dt>
-<dd style="margin-left: 8">
-<br>Classification based on malware stealth techniques.</dd>
-<dt>stix-ttp:</dt>
-<dd style="margin-left: 8">
-<br>Representation of the behavior or modus operandi of cyber adversaries (a.k.a TTP) as normalized in STIX</dd>
-<dt>targeted-threat-index:</dt>
-<dd style="margin-left: 8">
-<br>The Targeted Threat Index is a metric for assigning an overall threat ranking score to email messages that deliver malware to a victim&#8217;s computer. The TTI metric was first introduced at SecTor 2013 by Seth Hardy as part of the talk &#8220;RATastrophe: Monitoring a Malware Menagerie&#8221; along with Katie Kleemola and Greg Wiseman.</dd>
-<dt>tlp:</dt>
-<dd style="margin-left: 8">
-<br>The Traffic Light Protocol - or short: TLP - was designed with the objective to create a favorable classification scheme for sharing sensitive information while keeping the control over its distribution at the same time. Extended with TLP:EX:CHR.</dd>
-<dt>tor:</dt>
-<dd style="margin-left: 8">
-<br>Taxonomy to describe Tor network infrastructure</dd>
-<dt>type:</dt>
-<dd style="margin-left: 8">
-<br>Taxonomy to describe different types of intelligence gathering discipline which can be described the origin of intelligence.</dd>
-<dt>use-case-applicability:</dt>
-<dd style="margin-left: 8">
-<br>The Use Case Applicability categories reflect standard resolution categories, to clearly display alerting rule configuration problems.</dd>
-<dt>veris:</dt>
-<dd style="margin-left: 8">
-<br>Vocabulary for Event Recording and Incident Sharing (VERIS).</dd>
-<dt>vocabulaire-des-probabilites-estimatives:</dt>
-<dd style="margin-left: 8">
-<br>Vocabulaire des probabilit&#233;s estimatives</dd>
-<dt>workflow:</dt>
-<dd style="margin-left: 8">
-<br>Workflow support language is a common language to support intelligence analysts to perform their analysis on data and information.</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.11">action-taken:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.12">Action taken in the case of a security incident (CSIRT perspective).<a href="#section-4.3-2.12" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.13">admiralty-scale:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.14">The Admiralty Scale (also called the NATO System) is used to rank the reliability of a source and the credibility of an information.<a href="#section-4.3-2.14" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.15">adversary:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.16">An overview and description of the adversary infrastructure.<a href="#section-4.3-2.16" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.17">ais-marking:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.18">AIS Marking Schema implementation is maintained by the National Cybersecurity and Communication Integration Center (NCCIC) of the U.S. Department of Homeland Security (DHS)<a href="#section-4.3-2.18" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.19">analyst-assessment:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.20">A series of assessment predicates describing the analyst capabilities to perform analysis. These assessment can be assigned by the analyst him/herself or by another party evaluating the analyst.<a href="#section-4.3-2.20" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.21">approved-category-of-action:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.22">A pre-approved category of action for indicators being shared with partners (MIMIC).<a href="#section-4.3-2.22" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.23">binary-class:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.24">Custom taxonomy for types of binary file.<a href="#section-4.3-2.24" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.25">cccs:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.26">Internal taxonomy for CCCS.<a href="#section-4.3-2.26" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.27">circl:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.28">CIRCL Taxonomy is a simple scheme for incident classification and area topic where the incident took place.<a href="#section-4.3-2.28" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.29">collaborative-intelligence:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.30">Collaborative intelligence support language is a common language to support analysts to perform their analysis to get crowdsourced support when using threat intelligence sharing platform like MISP.<a href="#section-4.3-2.30" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.31">common-taxonomy:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.32">The Common Taxonomy for Law Enforcement and The National Network of CSIRTs bridges the gap between the CSIRTs and international Law Enforcement communities by adding a legislative framework to facilitate the harmonisation of incident reporting to competent authorities, the development of useful statistics and sharing information within the entire cybercrime ecosystem.<a href="#section-4.3-2.32" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.33">copine-scale:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.34">The COPINE Scale is a rating system created in Ireland and used in the United Kingdom to categorise the severity of images of child sex abuse.<a href="#section-4.3-2.34" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.35">cryptocurrency-threat:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.36">Threats targetting cryptocurrency, based on CipherTrace report.<a href="#section-4.3-2.36" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.37">csirt<em>case</em>classification:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.38">FIRST CSIRT Case Classification.<a href="#section-4.3-2.38" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.39">cssa:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.40">The CSSA agreed sharing taxonomy.<a href="#section-4.3-2.40" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.41">cyber-threat-framework:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.42">Cyber Threat Framework was developed by the US Government to enable consistent characterization and categorization of cyber threat events, and to identify trends or changes in the activities of cyber adversaries. <a href="https://www.dni.gov/index.php/cyber-threat-framework">https://www.dni.gov/index.php/cyber-threat-framework</a><a href="#section-4.3-2.42" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.43">data-classification:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.44">Data classification for data potentially at risk of exfiltration based on table 2.1 of Solving Cyber Risk book.<a href="#section-4.3-2.44" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.45">dcso-sharing:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.46">DCSO Sharing Taxonomy to classify certain types of MISP events using the DCSO Event Guide<a href="#section-4.3-2.46" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.47">ddos:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.48">Distributed Denial of Service - or short: DDoS - taxonomy supports the description of Denial of Service attacks and especially the types they belong too.<a href="#section-4.3-2.48" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.49">de-vs:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.50">Taxonomy for the handling of protectively marked information in MISP with German (DE) Government classification markings (VS)<a href="#section-4.3-2.50" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.51">dhs-ciip-sectors:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.52">DHS critical sectors as described in <a href="https://www.dhs.gov/critical-infrastructure-sectors">https://www.dhs.gov/critical-infrastructure-sectors</a>.<a href="#section-4.3-2.52" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.53">diamond-model:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.54">The Diamond Model for Intrusion Analysis, a phase-based model developed by Lockheed Martin, aims to help categorise and identify the stage of an attack.<a href="#section-4.3-2.54" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.55">dni-ism:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.56">ISM (Information Security Marking Metadata) V13 as described by DNI.gov (Director of National Intelligence - US).<a href="#section-4.3-2.56" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.57">domain-abuse:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.58">Taxonomy to tag domain names used for cybercrime.<a href="#section-4.3-2.58" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.59">drugs:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.60">A taxonomy based on the superclass and class of drugs, based on <a href="https://www.drugbank.ca/releases/latest">https://www.drugbank.ca/releases/latest</a><a href="#section-4.3-2.60" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.61">economical-impact:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.62">Economical impact is a taxonomy to describe the financial impact as positive or negative gain to the tagged information.<a href="#section-4.3-2.62" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.63">ecsirt:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.64">eCSIRT incident classification Appendix C of the eCSIRT EU project including IntelMQ updates.<a href="#section-4.3-2.64" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.65">enisa:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.66">ENISA Threat Taxonomy - A tool for structuring threat information as published in <a href="https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/enisa-threat-landscape/etl2015/enisa-threat-taxonomy-a-tool-for-structuring-threat-information">https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/enisa-threat-landscape/etl2015/enisa-threat-taxonomy-a-tool-for-structuring-threat-information</a><a href="#section-4.3-2.66" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.67">estimative-language:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.68">Estimative language - including likelihood or probability of event based on the Intelligence Community Directive 203 (ICD 203) (6.2.(a)) and JP 2-0, Joint Intelligence.<a href="#section-4.3-2.68" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.69">eu-marketop-and-publicadmin:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.70">Market operators and public administrations that must comply to some notifications requirements under EU NIS directive.<a href="#section-4.3-2.70" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.71">eu-nis-sector-and-subsectors:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.72">Sectors and sub sectors as identified by the NIS Directive.<a href="#section-4.3-2.72" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.73">euci:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.74">EU classified information (EUCI) means any information or material designated by a EU security classification, the unauthorised disclosure of which could cause varying degrees of prejudice to the interests of the European Union or of one or more of the Member States as described in COUNCIL DECISION of 23 September 2013 on the security rules for protecting EU classified information<a href="#section-4.3-2.74" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.75">europol-event:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.76">EUROPOL type of events taxonomy.<a href="#section-4.3-2.76" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.77">europol-incident:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.78">EUROPOL class of incident taxonomy.<a href="#section-4.3-2.78" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.79">event-assessment:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.80">A series of assessment predicates describing the event assessment performed to make judgement(s) under a certain level of uncertainty.<a href="#section-4.3-2.80" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.81">event-classification:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.82">Event Classification.<a href="#section-4.3-2.82" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.83">exercise:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.84">Exercise is a taxonomy to describe if the information is part of one or more cyber or crisis exercise.<a href="#section-4.3-2.84" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.85">false-positive:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.86">This taxonomy aims to ballpark the expected amount of false positives.<a href="#section-4.3-2.86" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.87">file-type:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.88">List of known file types.<a href="#section-4.3-2.88" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.89">flesch-reading-ease:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.90">Flesch Reading Ease is a revised system for determining the comprehension difficulty of written material. The scoring of the flesh score can have a maximum of 121.22 and there is no limit on how low a score can be (negative score are valid).<a href="#section-4.3-2.90" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.91">fpf:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.92">The Future of Privacy Forum (FPF) <a href="https://fpf.org/2016/04/25/a-visual-guide-to-practical-data-de-identification/">visual guide to practical de-identification</a> taxonomy is used to evaluate the degree of identifiability of personal data and the types of pseudonymous data, de-identified data and anonymous data. The work of FPF is licensed under a creative commons attribution 4.0 international license.<a href="#section-4.3-2.92" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.93">fr-classif:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.94">French gov information classification system.<a href="#section-4.3-2.94" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.95">gdpr:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.96">Taxonomy related to the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)<a href="#section-4.3-2.96" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.97">gsma-attack-category:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.98">Taxonomy used by GSMA for their information sharing program with telco describing the attack categories<a href="#section-4.3-2.98" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.99">gsma-fraud:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.100">Taxonomy used by GSMA for their information sharing program with telco describing the various aspects of fraud<a href="#section-4.3-2.100" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.101">gsma-network-technology:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.102">Taxonomy used by GSMA for their information sharing program with telco describing the types of infrastructure. WiP<a href="#section-4.3-2.102" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.103">honeypot-basic:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.104">Christian Seifert, Ian Welch, Peter Komisarczuk, <span class="unicode">‘ (U+2018)</span>Taxonomy of Honeypots<span class="unicode">’ (U+2019)</span>, Technical Report CS-TR-06/12, VICTORIA UNIVERSITY OF WELLINGTON, School of Mathematical and Computing Sciences, June 2006, <a href="http://www.mcs.vuw.ac.nz/comp/Publications/archive/CS-TR-06/CS-TR-06-12.pdf">http://www.mcs.vuw.ac.nz/comp/Publications/archive/CS-TR-06/CS-TR-06-12.pdf</a><a href="#section-4.3-2.104" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.105">iep:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.106">Forum of Incident Response and Security Teams (FIRST) Information Exchange Policy (IEP) framework.<a href="#section-4.3-2.106" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.107">ifx-vetting:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.108">The IFX taxonomy is used to categorise information (MISP events and attributes) to aid in the intelligence vetting process<a href="#section-4.3-2.108" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.109">incident-disposition:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.110">How an incident is classified in its process to be resolved. The taxonomy is inspired from NASA Incident Response and Management Handbook.<a href="#section-4.3-2.110" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.111">infoleak:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.112">A taxonomy describing information leaks and especially information classified as being potentially leaked.<a href="#section-4.3-2.112" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.113">information-security-data-source:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.114">Taxonomy to classify the information security data sources<a href="#section-4.3-2.114" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.115">information-security-indicators:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.116">Information security indicators have been standardized by the ETSI Industrial Specification Group (ISG) ISI. These indicators provide the basis to switch from a qualitative to a quantitative culture in IT Security Scope of measurements: External and internal threats (attempt and success), user's deviant behaviours, nonconformities and/or vulnerabilities (software, configuration, behavioural, general security framework). ETSI GS ISI 001-1 (V1.1.2): ISI Indicators<a href="#section-4.3-2.116" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.117">interception-method:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.118">The interception method used to intercept traffic.<a href="#section-4.3-2.118" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.119">kill-chain:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.120">Cyber Kill Chain from Lockheed Martin as described in Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains.<a href="#section-4.3-2.120" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.121">maec-delivery-vectors:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.122">Vectors used to deliver malware based on MAEC 5.0<a href="#section-4.3-2.122" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.123">maec-malware-behavior:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.124">Malware behaviours based on MAEC 5.0<a href="#section-4.3-2.124" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.125">maec-malware-capabilities:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.126">Malware Capabilities based on MAEC 5.0<a href="#section-4.3-2.126" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.127">maec-malware-obfuscation-methods:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.128">Obfuscation methods used by malware based on MAEC 5.0<a href="#section-4.3-2.128" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.129">malware_classification:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.130">Malware classification based on a SANS whitepaper about malware.<a href="#section-4.3-2.130" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.131">misp:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.132">Internal MISP taxonomy.<a href="#section-4.3-2.132" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.133">monarc-threat:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.134">MONARC threat taxonomy.<a href="#section-4.3-2.134" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.135">ms-caro-malware:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.136">Malware Type and Platform classification based on Microsoft's implementation of the Computer Antivirus Research Organization (CARO) Naming Scheme and Malware Terminology.<a href="#section-4.3-2.136" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.137">ms-caro-malware-full:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.138">Malware Type and Platform classification based on Microsoft's implementation of the Computer Antivirus Research Organization (CARO) Naming Scheme and Malware Terminology.<a href="#section-4.3-2.138" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.139">nato:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.140">Marking of Classified and Unclassified materials as described by the North Atlantic Treaty Organization, NATO.<a href="#section-4.3-2.140" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.141">nis:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.142">NIS Cybersecurity Incident Taxonomy.<a href="#section-4.3-2.142" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.143">open_threat:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.144">Open Threat Taxonomy v1.1 base on James Tarala of SANS ref. - <a href="http://www.auditscripts.com/resources/open_threat_taxonomy_v1.1a.pdf">http://www.auditscripts.com/resources/open_threat_taxonomy_v1.1a.pdf</a><a href="#section-4.3-2.144" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.145">osint:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.146">Open Source Intelligence - Classification (MISP taxonomies).<a href="#section-4.3-2.146" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.147">passivetotal:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.148">Tags for RiskIQ's passivetotal service<a href="#section-4.3-2.148" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.149">pentest:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.150">Penetration test (pentest) classification.<a href="#section-4.3-2.150" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.151">priority-level:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.152">After an incident is scored, it is assigned a priority level. The six levels listed below are aligned with NCCIC, DHS, and the CISS to help provide a common lexicon when discussing incidents. This priority assignment drives NCCIC urgency, pre-approved incident response offerings, reporting requirements, and recommendations for leadership escalation. Generally, incident priority distribution should follow a similar pattern to the graph below. Based on <a href="https://www.us-cert.gov/NCCIC-Cyber-Incident-Scoring-System">https://www.us-cert.gov/NCCIC-Cyber-Incident-Scoring-System</a>.<a href="#section-4.3-2.152" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.153">rsit:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.154">Reference Security Incident Classification Taxonomy.<a href="#section-4.3-2.154" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.155">rt<em>event</em>status:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.156">Status of events used in Request Tracker.<a href="#section-4.3-2.156" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.157">runtime-packer:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.158">Runtime or software packer used to combine compressed data with the decompression code. The decompression code can add additional obfuscations mechanisms including polymorphic-packer or other obfuscation techniques. This taxonomy lists all the known or official packer used for legitimate use or for packing malicious binaries.<a href="#section-4.3-2.158" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.159">smart-airports-threats:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.160">Threat taxonomy in the scope of securing smart airports by ENISA.<a href="#section-4.3-2.160" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.161">stealth_malware:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.162">Classification based on malware stealth techniques.<a href="#section-4.3-2.162" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.163">stix-ttp:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.164">Representation of the behavior or modus operandi of cyber adversaries (a.k.a TTP) as normalized in STIX<a href="#section-4.3-2.164" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.165">targeted-threat-index:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.166">The Targeted Threat Index is a metric for assigning an overall threat ranking score to email messages that deliver malware to a victim<span class="unicode">’ (U+2019)</span>s computer. The TTI metric was first introduced at SecTor 2013 by Seth Hardy as part of the talk <span class="unicode">“ (U+201C)</span>RATastrophe: Monitoring a Malware Menagerie<span class="unicode">” (U+201D)</span> along with Katie Kleemola and Greg Wiseman.<a href="#section-4.3-2.166" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.167">tlp:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.168">The Traffic Light Protocol - or short: TLP - was designed with the objective to create a favorable classification scheme for sharing sensitive information while keeping the control over its distribution at the same time. Extended with TLP:EX:CHR.<a href="#section-4.3-2.168" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.169">tor:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.170">Taxonomy to describe Tor network infrastructure<a href="#section-4.3-2.170" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.171">type:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.172">Taxonomy to describe different types of intelligence gathering discipline which can be described the origin of intelligence.<a href="#section-4.3-2.172" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.173">use-case-applicability:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.174">The Use Case Applicability categories reflect standard resolution categories, to clearly display alerting rule configuration problems.<a href="#section-4.3-2.174" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.175">veris:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.176">Vocabulary for Event Recording and Incident Sharing (VERIS).<a href="#section-4.3-2.176" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.177">vocabulaire-des-probabilites-estimatives:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.178">Vocabulaire des probabilit<span class="unicode">é (U+00E9)</span>s estimatives<a href="#section-4.3-2.178" class="pilcrow">¶</a>
+</dd>
+          <dd class="break"></dd>
+<dt id="section-4.3-2.179">workflow:</dt>
+          <dd style="margin-left: 1.5em" id="section-4.3-2.180">Workflow support language is a common language to support intelligence analysts to perform their analysis on data and information.<a href="#section-4.3-2.180" class="pilcrow">¶</a>
+</dd>
+        <dd class="break"></dd>
 </dl>
-
-<p> </p>
-<h1 id="rfc.section.5">
-<a href="#rfc.section.5">5.</a> <a href="#json-schema" id="json-schema">JSON Schema</a>
-</h1>
-<p id="rfc.section.5.p.1">The JSON Schema <a href="#JSON-SCHEMA" class="xref">[JSON-SCHEMA]</a> below defines the structure of the MISP taxonomy document as literally described before. The JSON Schema is used validating a MISP taxonomy. The validation is a <em>MUST</em> if the taxonomy is included in the MISP taxonomies directory.</p>
+</section>
+</div>
+</section>
+</div>
+<div id="json-schema">
+<section id="section-5">
+      <h2 id="name-json-schema">
+<a href="#section-5" class="section-number selfRef">5. </a><a href="#name-json-schema" class="section-name selfRef">JSON Schema</a>
+      </h2>
+<p id="section-5-1">The JSON Schema <span>[<a href="#JSON-SCHEMA" class="xref">JSON-SCHEMA</a>]</span> below defines the structure of the MISP taxonomy document
+as literally described before. The JSON Schema is used validating a MISP taxonomy. The validation
+is a <em>MUST</em> if the taxonomy is included in the MISP taxonomies directory.<a href="#section-5-1" class="pilcrow">¶</a></p>
+<div class="artwork art-text alignLeft" id="section-5-2">
 <pre>{
   "$schema": "http://json-schema.org/schema#",
   "title": "Validator for misp-taxonomies",
@@ -1271,101 +2296,103 @@ osint:source-type="blog-post"
     "predicates"
   ]
 }
-</pre>
-<h1 id="rfc.section.6">
-<a href="#rfc.section.6">6.</a> <a href="#acknowledgements" id="acknowledgements">Acknowledgements</a>
-</h1>
-<p id="rfc.section.6.p.1">The authors wish to thank all the MISP community who are supporting the creation of open standards in threat intelligence sharing.</p>
-<h1 id="rfc.references">
-<a href="#rfc.references">7.</a> References</h1>
-<h1 id="rfc.references.1">
-<a href="#rfc.references.1">7.1.</a> Normative References</h1>
-<table><tbody>
-<tr>
-<td class="reference"><b id="RFC2119">[RFC2119]</b></td>
-<td class="top">
-<a>Bradner, S.</a>, "<a href="https://tools.ietf.org/html/rfc2119">Key words for use in RFCs to Indicate Requirement Levels</a>", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.</td>
-</tr>
-<tr>
-<td class="reference"><b id="RFC8259">[RFC8259]</b></td>
-<td class="top">
-<a>Bray, T.</a>, "<a href="https://tools.ietf.org/html/rfc8259">The JavaScript Object Notation (JSON) Data Interchange Format</a>", STD 90, RFC 8259, DOI 10.17487/RFC8259, December 2017.</td>
-</tr>
-</tbody></table>
-<h1 id="rfc.references.2">
-<a href="#rfc.references.2">7.2.</a> Informative References</h1>
-<table><tbody>
-<tr>
-<td class="reference"><b id="JSON-SCHEMA">[JSON-SCHEMA]</b></td>
-<td class="top">
-<a>Wright, A.</a>, "<a href="https://tools.ietf.org/html/draft-wright-json-schema">JSON Schema: A Media Type for Describing JSON Documents</a>", 2016.</td>
-</tr>
-<tr>
-<td class="reference"><b id="machine-tags">[machine-tags]</b></td>
-<td class="top">
-<a>Cope, A. S.</a>, "<a href="https://www.flickr.com/groups/51035612836@N01/discuss/72157594497877875/">Machine tags</a>", 2007.</td>
-</tr>
-<tr>
-<td class="reference"><b id="MISP-P">[MISP-P]</b></td>
-<td class="top">
-<a>Community, M.</a>, "<a href="https://github.com/MISP">MISP Project - Malware Information Sharing Platform and Threat Sharing</a>"</td>
-</tr>
-<tr>
-<td class="reference"><b id="MISP-T">[MISP-T]</b></td>
-<td class="top">
-<a>Community, M.</a>, "<a href="https://github.com/MISP/misp-taxonomies">MISP Taxonomies - shared and common vocabularies of tags</a>"</td>
-</tr>
-</tbody></table>
-<h1 id="rfc.authors"><a href="#rfc.authors">Authors' Addresses</a></h1>
-<div class="avoidbreak">
-  <address class="vcard">
-	<span class="vcardline">
-	  <span class="fn">Alexandre Dulaunoy</span> 
-	  <span class="n hidden">
-		<span class="family-name">Dulaunoy</span>
-	  </span>
-	</span>
-	<span class="org vcardline">Computer Incident Response Center Luxembourg</span>
-	<span class="adr">
-	  <span class="vcardline">16, bd d'Avranches</span>
-
-	  <span class="vcardline">
-		<span class="locality">Luxembourg</span>,  
-		<span class="region"></span>
-		<span class="code">L-1611</span>
-	  </span>
-	  <span class="country-name vcardline">Luxembourg</span>
-	</span>
-	<span class="vcardline">Phone: +352 247 88444</span>
-
-<span class="vcardline">EMail: <a href="mailto:alexandre.dulaunoy@circl.lu">alexandre.dulaunoy@circl.lu</a></span>
-
-  </address>
-</div><div class="avoidbreak">
-  <address class="vcard">
-	<span class="vcardline">
-	  <span class="fn">Andras Iklody</span> 
-	  <span class="n hidden">
-		<span class="family-name">Iklody</span>
-	  </span>
-	</span>
-	<span class="org vcardline">Computer Incident Response Center Luxembourg</span>
-	<span class="adr">
-	  <span class="vcardline">16, bd d'Avranches</span>
-
-	  <span class="vcardline">
-		<span class="locality">Luxembourg</span>,  
-		<span class="region"></span>
-		<span class="code">L-1611</span>
-	  </span>
-	  <span class="country-name vcardline">Luxembourg</span>
-	</span>
-	<span class="vcardline">Phone: +352 247 88444</span>
-
-<span class="vcardline">EMail: <a href="mailto:andras.iklody@circl.lu">andras.iklody@circl.lu</a></span>
-
-  </address>
+</pre><a href="#section-5-2" class="pilcrow">¶</a>
 </div>
-
+</section>
+</div>
+<div id="acknowledgements">
+<section id="section-6">
+      <h2 id="name-acknowledgements">
+<a href="#section-6" class="section-number selfRef">6. </a><a href="#name-acknowledgements" class="section-name selfRef">Acknowledgements</a>
+      </h2>
+<p id="section-6-1">The authors wish to thank all the MISP community who are supporting the creation
+of open standards in threat intelligence sharing.<a href="#section-6-1" class="pilcrow">¶</a></p>
+</section>
+</div>
+<section id="section-7">
+      <h2 id="name-normative-references">
+<a href="#section-7" class="section-number selfRef">7. </a><a href="#name-normative-references" class="section-name selfRef">Normative References</a>
+      </h2>
+<dl class="references">
+<dt id="RFC2119">[RFC2119]</dt>
+      <dd>
+<span class="refAuthor">Bradner, S.</span>, <span class="refTitle">"Key words for use in RFCs to Indicate Requirement Levels"</span>, <span class="seriesInfo">BCP 14</span>, <span class="seriesInfo">RFC 2119</span>, <span class="seriesInfo">DOI 10.17487/RFC2119</span>, <time datetime="1997-03" class="refDate">March 1997</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc2119">https://www.rfc-editor.org/info/rfc2119</a>&gt;</span>. </dd>
+<dd class="break"></dd>
+<dt id="RFC8259">[RFC8259]</dt>
+    <dd>
+<span class="refAuthor">Bray, T., Ed.</span>, <span class="refTitle">"The JavaScript Object Notation (JSON) Data Interchange Format"</span>, <span class="seriesInfo">STD 90</span>, <span class="seriesInfo">RFC 8259</span>, <span class="seriesInfo">DOI 10.17487/RFC8259</span>, <time datetime="2017-12" class="refDate">December 2017</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc8259">https://www.rfc-editor.org/info/rfc8259</a>&gt;</span>. </dd>
+<dd class="break"></dd>
+</dl>
+</section>
+<section id="section-8">
+      <h2 id="name-informative-references">
+<a href="#section-8" class="section-number selfRef">8. </a><a href="#name-informative-references" class="section-name selfRef">Informative References</a>
+      </h2>
+<dl class="references">
+<dt id="JSON-SCHEMA">[JSON-SCHEMA]</dt>
+      <dd>
+<span class="refAuthor">Wright, A.</span>, <span class="refTitle">"JSON Schema: A Media Type for Describing JSON Documents"</span>, <span class="refContent"></span>, <time datetime="2016" class="refDate">2016</time>, <span>&lt;<a href="https://tools.ietf.org/html/draft-wright-json-schema">https://tools.ietf.org/html/draft-wright-json-schema</a>&gt;</span>. </dd>
+<dd class="break"></dd>
+<dt id="MISP-P">[MISP-P]</dt>
+      <dd>
+<span class="refAuthor">Community, M.</span>, <span class="refTitle">"MISP Project - Malware Information Sharing Platform and Threat Sharing"</span>, <span class="refContent"></span>, <span>&lt;<a href="https://github.com/MISP">https://github.com/MISP</a>&gt;</span>. </dd>
+<dd class="break"></dd>
+<dt id="MISP-T">[MISP-T]</dt>
+      <dd>
+<span class="refAuthor">Community, M.</span>, <span class="refTitle">"MISP Taxonomies - shared and common vocabularies of tags"</span>, <span class="refContent"></span>, <span>&lt;<a href="https://github.com/MISP/misp-taxonomies">https://github.com/MISP/misp-taxonomies</a>&gt;</span>. </dd>
+<dd class="break"></dd>
+<dt id="machine-tags">[machine-tags]</dt>
+    <dd>
+<span class="refAuthor">Cope, A. S.</span>, <span class="refTitle">"Machine tags"</span>, <span class="refContent"></span>, <time datetime="2007" class="refDate">2007</time>, <span>&lt;<a href="https://www.flickr.com/groups/51035612836@N01/discuss/72157594497877875/">https://www.flickr.com/groups/51035612836@N01/discuss/72157594497877875/</a>&gt;</span>. </dd>
+<dd class="break"></dd>
+</dl>
+</section>
+<div id="authors-addresses">
+<section id="appendix-A">
+      <h2 id="name-authors-addresses">
+<a href="#name-authors-addresses" class="section-name selfRef">Authors' Addresses</a>
+      </h2>
+<address class="vcard">
+        <div dir="auto" class="left"><span class="fn nameRole">Alexandre Dulaunoy</span></div>
+<div dir="auto" class="left"><span class="org">Computer Incident Response Center Luxembourg</span></div>
+<div dir="auto" class="left"><span class="street-address">16, bd d'Avranches</span></div>
+<div dir="auto" class="left">L-<span class="postal-code">L-1611</span> <span class="locality">Luxembourg</span>
+</div>
+<div dir="auto" class="left"><span class="country-name">Luxembourg</span></div>
+<div class="tel">
+<span>Phone:</span>
+<a href="tel:+352%20247%2088444" class="tel">+352 247 88444</a>
+</div>
+<div class="email">
+<span>Email:</span>
+<a href="mailto:alexandre.dulaunoy@circl.lu" class="email">alexandre.dulaunoy@circl.lu</a>
+</div>
+</address>
+<address class="vcard">
+        <div dir="auto" class="left"><span class="fn nameRole">Andras Iklody</span></div>
+<div dir="auto" class="left"><span class="org">Computer Incident Response Center Luxembourg</span></div>
+<div dir="auto" class="left"><span class="street-address">16, bd d'Avranches</span></div>
+<div dir="auto" class="left">L-<span class="postal-code">L-1611</span> <span class="locality">Luxembourg</span>
+</div>
+<div dir="auto" class="left"><span class="country-name">Luxembourg</span></div>
+<div class="tel">
+<span>Phone:</span>
+<a href="tel:+352%20247%2088444" class="tel">+352 247 88444</a>
+</div>
+<div class="email">
+<span>Email:</span>
+<a href="mailto:andras.iklody@circl.lu" class="email">andras.iklody@circl.lu</a>
+</div>
+</address>
+</section>
+</div>
+<script>const toc = document.getElementById("toc");
+toc.querySelector("h2").addEventListener("click", e => {
+  toc.classList.toggle("active");
+});
+toc.querySelector("nav").addEventListener("click", e => {
+  toc.classList.remove("active");
+});
+</script>
 </body>
 </html>
diff --git a/rfc/misp-standard-taxonomy-format.txt b/rfc/misp-standard-taxonomy-format.txt
index 2c89d5d..a632c51 100644
--- a/rfc/misp-standard-taxonomy-format.txt
+++ b/rfc/misp-standard-taxonomy-format.txt
@@ -4,11 +4,12 @@
 
 Network Working Group                                        A. Dulaunoy
 Internet-Draft                                                 A. Iklody
-Expires: June 2, 2018                                              CIRCL
-                                                       November 29, 2017
+Intended status: Informational                                     CIRCL
+Expires: 25 May 2022                                    21 November 2021
 
 
                           MISP taxonomy format
+                                draft-00
 
 Abstract
 
@@ -34,28 +35,27 @@ Status of This Memo
    time.  It is inappropriate to use Internet-Drafts as reference
    material or to cite them other than as "work in progress."
 
-   This Internet-Draft will expire on June 2, 2018.
+   This Internet-Draft will expire on 25 May 2022.
 
 Copyright Notice
 
-   Copyright (c) 2017 IETF Trust and the persons identified as the
+   Copyright (c) 2021 IETF Trust and the persons identified as the
    document authors.  All rights reserved.
 
    This document is subject to BCP 78 and the IETF Trust's Legal
-   Provisions Relating to IETF Documents
-   (https://trustee.ietf.org/license-info) in effect on the date of
-   publication of this document.  Please review these documents
-   carefully, as they describe your rights and restrictions with respect
-   to this document.  Code Components extracted from this document must
-   include Simplified BSD License text as described in Section 4.e of
-   the Trust Legal Provisions and are provided without warranty as
-   described in the Simplified BSD License.
+   Provisions Relating to IETF Documents (https://trustee.ietf.org/
+   license-info) in effect on the date of publication of this document.
+   Please review these documents carefully, as they describe your rights
+   and restrictions with respect to this document.
 
 
 
-Dulaunoy & Iklody         Expires June 2, 2018                  [Page 1]
+
+
+
+Dulaunoy & Iklody          Expires 25 May 2022                  [Page 1]
 
-Internet-Draft            MISP taxonomy format             November 2017
+Internet-Draft            MISP taxonomy format             November 2021
 
 
 Table of Contents
@@ -76,13 +76,11 @@ Table of Contents
      4.1.  Admiralty Scale Taxonomy  . . . . . . . . . . . . . . . .   7
      4.2.  Open Source Intelligence - Classification . . . . . . . .   9
      4.3.  Available taxonomies in the public directory  . . . . . .  11
-   5.  JSON Schema . . . . . . . . . . . . . . . . . . . . . . . . .  20
-   6.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  23
-   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  23
-     7.1.  Normative References  . . . . . . . . . . . . . . . . . .  23
-     7.2.  Informative References  . . . . . . . . . . . . . . . . .  23
-     7.3.  URIs  . . . . . . . . . . . . . . . . . . . . . . . . . .  23
-   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  24
+   5.  JSON Schema . . . . . . . . . . . . . . . . . . . . . . . . .  18
+   6.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  21
+   7.  Normative References  . . . . . . . . . . . . . . . . . . . .  21
+   8.  Informative References  . . . . . . . . . . . . . . . . . . .  22
+   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  22
 
 1.  Introduction
 
@@ -105,18 +103,17 @@ Table of Contents
    In the MISP taxonomy context, machine tags help analysts to classify
    their cybersecurity events, indicators or threats.  MISP taxonomies
    can be used for classification, filtering, triggering actions or
-
-
-
-
-Dulaunoy & Iklody         Expires June 2, 2018                  [Page 2]
-
-Internet-Draft            MISP taxonomy format             November 2017
-
-
    visualisation depending on their use in threat intelligence platforms
    such as MISP [MISP-P].
 
+
+
+
+Dulaunoy & Iklody          Expires 25 May 2022                  [Page 2]
+
+Internet-Draft            MISP taxonomy format             November 2021
+
+
 1.1.  Conventions and Terminology
 
    The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
@@ -162,17 +159,17 @@ Internet-Draft            MISP taxonomy format             November 2017
    defined. predicates is represented as an array of JSON objects.
    predicates MUST be present and MUST at least content one element.
 
-
-
-
-Dulaunoy & Iklody         Expires June 2, 2018                  [Page 3]
-
-Internet-Draft            MISP taxonomy format             November 2017
-
-
    values defines all the values for each predicate in the namespace
    defined. values SHOULD be present.
 
+
+
+
+Dulaunoy & Iklody          Expires 25 May 2022                  [Page 3]
+
+Internet-Draft            MISP taxonomy format             November 2021
+
+
 2.2.  predicates
 
    The predicates array contains one or more JSON objects which lists
@@ -221,9 +218,12 @@ Internet-Draft            MISP taxonomy format             November 2017
 
 
 
-Dulaunoy & Iklody         Expires June 2, 2018                  [Page 4]
+
+
+
+Dulaunoy & Iklody          Expires 25 May 2022                  [Page 4]
 
-Internet-Draft            MISP taxonomy format             November 2017
+Internet-Draft            MISP taxonomy format             November 2021
 
 
    "predicates": [
@@ -277,9 +277,9 @@ Internet-Draft            MISP taxonomy format             November 2017
 
 
 
-Dulaunoy & Iklody         Expires June 2, 2018                  [Page 5]
+Dulaunoy & Iklody          Expires 25 May 2022                  [Page 5]
 
-Internet-Draft            MISP taxonomy format             November 2017
+Internet-Draft            MISP taxonomy format             November 2021
 
 
        {
@@ -333,9 +333,9 @@ Internet-Draft            MISP taxonomy format             November 2017
 
 
 
-Dulaunoy & Iklody         Expires June 2, 2018                  [Page 6]
+Dulaunoy & Iklody          Expires 25 May 2022                  [Page 6]
 
-Internet-Draft            MISP taxonomy format             November 2017
+Internet-Draft            MISP taxonomy format             November 2021
 
 
 3.1.  Sample Manifest
@@ -389,9 +389,9 @@ Internet-Draft            MISP taxonomy format             November 2017
 
 
 
-Dulaunoy & Iklody         Expires June 2, 2018                  [Page 7]
+Dulaunoy & Iklody          Expires 25 May 2022                  [Page 7]
 
-Internet-Draft            MISP taxonomy format             November 2017
+Internet-Draft            MISP taxonomy format             November 2021
 
 
              "value": "a",
@@ -445,9 +445,9 @@ Internet-Draft            MISP taxonomy format             November 2017
 
 
 
-Dulaunoy & Iklody         Expires June 2, 2018                  [Page 8]
+Dulaunoy & Iklody          Expires 25 May 2022                  [Page 8]
 
-Internet-Draft            MISP taxonomy format             November 2017
+Internet-Draft            MISP taxonomy format             November 2021
 
 
            {
@@ -501,9 +501,9 @@ Internet-Draft            MISP taxonomy format             November 2017
 
 
 
-Dulaunoy & Iklody         Expires June 2, 2018                  [Page 9]
+Dulaunoy & Iklody          Expires 25 May 2022                  [Page 9]
 
-Internet-Draft            MISP taxonomy format             November 2017
+Internet-Draft            MISP taxonomy format             November 2021
 
 
        "predicate": "source-type"
@@ -557,9 +557,9 @@ Internet-Draft            MISP taxonomy format             November 2017
 
 
 
-Dulaunoy & Iklody         Expires June 2, 2018                 [Page 10]
+Dulaunoy & Iklody          Expires 25 May 2022                 [Page 10]
 
-Internet-Draft            MISP taxonomy format             November 2017
+Internet-Draft            MISP taxonomy format             November 2021
 
 
            "description": "30% Probably not"
@@ -600,474 +600,395 @@ Internet-Draft            MISP taxonomy format             November 2017
    ]
  }
 
-
 4.3.  Available taxonomies in the public directory
 
    The public directory of MISP taxonomies [MISP-T] contains a variety
    of taxonomy in various fields such as:
 
-   CERT-XLM:
-      CERT-XLM Security Incident Classification.
+   CERT-XLM:  CERT-XLM Security Incident Classification.
 
-   DML:
+   DML:  The Detection Maturity Level (DML) model is a capability
 
 
 
-Dulaunoy & Iklody         Expires June 2, 2018                 [Page 11]
+
+
+Dulaunoy & Iklody          Expires 25 May 2022                 [Page 11]
 
-Internet-Draft            MISP taxonomy format             November 2017
+Internet-Draft            MISP taxonomy format             November 2021
 
 
-      The Detection Maturity Level (DML) model is a capability maturity
-      model for referencing ones maturity in detecting cyber attacks.
-      It's designed for organizations who perform intel-driven detection
-      and response and who put an emphasis on having a mature detection
-      program.
+      maturity model for referencing ones maturity in detecting cyber
+      attacks.  It's designed for organizations who perform intel-driven
+      detection and response and who put an emphasis on having a mature
+      detection program.
 
-   PAP:
-      The Permissible Actions Protocol - or short: PAP - was designed to
-      indicate how the received information can be used.
+   PAP:  The Permissible Actions Protocol - or short: PAP - was designed
+      to indicate how the received information can be used.
 
-   access-method:
-      The access method used to remotely access a system.
+   access-method:  The access method used to remotely access a system.
 
-   accessnow:
-      Access Now classification to classify an issue (such as security,
-      human rights, youth rights).
+   accessnow:  Access Now classification to classify an issue (such as
+      security, human rights, youth rights).
 
-   action-taken:
-      Action taken in the case of a security incident (CSIRT
+   action-taken:  Action taken in the case of a security incident (CSIRT
       perspective).
 
-   admiralty-scale:
-      The Admiralty Scale (also called the NATO System) is used to rank
-      the reliability of a source and the credibility of an information.
+   admiralty-scale:  The Admiralty Scale (also called the NATO System)
+      is used to rank the reliability of a source and the credibility of
+      an information.
 
-   adversary:
-      An overview and description of the adversary infrastructure.
+   adversary:  An overview and description of the adversary
+      infrastructure.
 
-   ais-marking:
-      AIS Marking Schema implementation is maintained by the National
-      Cybersecurity and Communication Integration Center (NCCIC) of the
-      U.S.  Department of Homeland Security (DHS)
+   ais-marking:  AIS Marking Schema implementation is maintained by the
+      National Cybersecurity and Communication Integration Center
+      (NCCIC) of the U.S.  Department of Homeland Security (DHS)
 
-   analyst-assessment:
-      A series of assessment predicates describing the analyst
-      capabilities to perform analysis.  These assessment can be
+   analyst-assessment:  A series of assessment predicates describing the
+      analyst capabilities to perform analysis.  These assessment can be
       assigned by the analyst him/herself or by another party evaluating
       the analyst.
 
-   approved-category-of-action:
-      A pre-approved category of action for indicators being shared with
-      partners (MIMIC).
+   approved-category-of-action:  A pre-approved category of action for
+      indicators being shared with partners (MIMIC).
 
-   binary-class:
-      Custom taxonomy for types of binary file.
+   binary-class:  Custom taxonomy for types of binary file.
 
-   cccs:
-      Internal taxonomy for CCCS.
+   cccs:  Internal taxonomy for CCCS.
+
+   circl:  CIRCL Taxonomy is a simple scheme for incident classification
+      and area topic where the incident took place.
+
+   collaborative-intelligence:  Collaborative intelligence support
+      language is a common language to support analysts to perform their
+      analysis to get crowdsourced support when using threat
+      intelligence sharing platform like MISP.
+
+   common-taxonomy:  The Common Taxonomy for Law Enforcement and The
 
 
 
-Dulaunoy & Iklody         Expires June 2, 2018                 [Page 12]
+Dulaunoy & Iklody          Expires 25 May 2022                 [Page 12]
 
-Internet-Draft            MISP taxonomy format             November 2017
+Internet-Draft            MISP taxonomy format             November 2021
 
 
-   circl:
-      CIRCL Taxonomy is a simple scheme for incident classification and
-      area topic where the incident took place.
+      National Network of CSIRTs bridges the gap between the CSIRTs and
+      international Law Enforcement communities by adding a legislative
+      framework to facilitate the harmonisation of incident reporting to
+      competent authorities, the development of useful statistics and
+      sharing information within the entire cybercrime ecosystem.
 
-   collaborative-intelligence:
-      Collaborative intelligence support language is a common language
-      to support analysts to perform their analysis to get crowdsourced
-      support when using threat intelligence sharing platform like MISP.
+   copine-scale:  The COPINE Scale is a rating system created in Ireland
+      and used in the United Kingdom to categorise the severity of
+      images of child sex abuse.
 
-   common-taxonomy:
-      The Common Taxonomy for Law Enforcement and The National Network
-      of CSIRTs bridges the gap between the CSIRTs and international Law
-      Enforcement communities by adding a legislative framework to
-      facilitate the harmonisation of incident reporting to competent
-      authorities, the development of useful statistics and sharing
-      information within the entire cybercrime ecosystem.
+   cryptocurrency-threat:  Threats targetting cryptocurrency, based on
+      CipherTrace report.
 
-   copine-scale:
-      The COPINE Scale is a rating system created in Ireland and used in
-      the United Kingdom to categorise the severity of images of child
-      sex abuse.
+   csirt_case_classification:  FIRST CSIRT Case Classification.
 
-   cryptocurrency-threat:
-      Threats targetting cryptocurrency, based on CipherTrace report.
+   cssa:  The CSSA agreed sharing taxonomy.
 
-   csirtcaseclassification:
-      FIRST CSIRT Case Classification.
+   cyber-threat-framework:  Cyber Threat Framework was developed by the
+      US Government to enable consistent characterization and
+      categorization of cyber threat events, and to identify trends or
+      changes in the activities of cyber adversaries.
+      https://www.dni.gov/index.php/cyber-threat-framework
+      (https://www.dni.gov/index.php/cyber-threat-framework)
 
-   cssa:
-      The CSSA agreed sharing taxonomy.
+   data-classification:  Data classification for data potentially at
+      risk of exfiltration based on table 2.1 of Solving Cyber Risk
+      book.
 
-   cyber-threat-framework:
-      Cyber Threat Framework was developed by the US Government to
-      enable consistent characterization and categorization of cyber
-      threat events, and to identify trends or changes in the activities
-      of cyber adversaries. https://www.dni.gov/index.php/cyber-threat-
-      framework [1]
+   dcso-sharing:  DCSO Sharing Taxonomy to classify certain types of
+      MISP events using the DCSO Event Guide
 
-   data-classification:
-      Data classification for data potentially at risk of exfiltration
-      based on table 2.1 of Solving Cyber Risk book.
+   ddos:  Distributed Denial of Service - or short: DDoS - taxonomy
+      supports the description of Denial of Service attacks and
+      especially the types they belong too.
 
-   dcso-sharing:
-      DCSO Sharing Taxonomy to classify certain types of MISP events
-      using the DCSO Event Guide
+   de-vs:  Taxonomy for the handling of protectively marked information
+      in MISP with German (DE) Government classification markings (VS)
 
-   ddos:
+   dhs-ciip-sectors:  DHS critical sectors as described in
+      https://www.dhs.gov/critical-infrastructure-sectors
+      (https://www.dhs.gov/critical-infrastructure-sectors).
+
+   diamond-model:  The Diamond Model for Intrusion Analysis, a phase-
+      based model developed by Lockheed Martin, aims to help categorise
+      and identify the stage of an attack.
+
+   dni-ism:  ISM (Information Security Marking Metadata) V13 as
+      described by DNI.gov (Director of National Intelligence - US).
 
 
 
-
-Dulaunoy & Iklody         Expires June 2, 2018                 [Page 13]
+Dulaunoy & Iklody          Expires 25 May 2022                 [Page 13]
 
-Internet-Draft            MISP taxonomy format             November 2017
+Internet-Draft            MISP taxonomy format             November 2021
 
 
-      Distributed Denial of Service - or short: DDoS - taxonomy supports
-      the description of Denial of Service attacks and especially the
-      types they belong too.
+   domain-abuse:  Taxonomy to tag domain names used for cybercrime.
 
-   de-vs:
-      Taxonomy for the handling of protectively marked information in
-      MISP with German (DE) Government classification markings (VS)
+   drugs:  A taxonomy based on the superclass and class of drugs, based
+      on https://www.drugbank.ca/releases/latest
+      (https://www.drugbank.ca/releases/latest)
 
-   dhs-ciip-sectors:
-      DHS critical sectors as described in https://www.dhs.gov/critical-
-      infrastructure-sectors [2].
+   economical-impact:  Economical impact is a taxonomy to describe the
+      financial impact as positive or negative gain to the tagged
+      information.
 
-   diamond-model:
-      The Diamond Model for Intrusion Analysis, a phase-based model
-      developed by Lockheed Martin, aims to help categorise and identify
-      the stage of an attack.
+   ecsirt:  eCSIRT incident classification Appendix C of the eCSIRT EU
+      project including IntelMQ updates.
 
-   dni-ism:
-      ISM (Information Security Marking Metadata) V13 as described by
-      DNI.gov (Director of National Intelligence - US).
+   enisa:  ENISA Threat Taxonomy - A tool for structuring threat
+      information as published in https://www.enisa.europa.eu/topics/
+      threat-risk-management/threats-and-trends/enisa-threat-
+      landscape/etl2015/enisa-threat-taxonomy-a-tool-for-structuring-
+      threat-information (https://www.enisa.europa.eu/topics/threat-
+      risk-management/threats-and-trends/enisa-threat-landscape/etl2015/
+      enisa-threat-taxonomy-a-tool-for-structuring-threat-information)
 
-   domain-abuse:
-      Taxonomy to tag domain names used for cybercrime.
+   estimative-language:  Estimative language - including likelihood or
+      probability of event based on the Intelligence Community Directive
+      203 (ICD 203) (6.2.(a)) and JP 2-0, Joint Intelligence.
 
-   drugs:
-      A taxonomy based on the superclass and class of drugs, based on
-      https://www.drugbank.ca/releases/latest [3]
+   eu-marketop-and-publicadmin:  Market operators and public
+      administrations that must comply to some notifications
+      requirements under EU NIS directive.
 
-   economical-impact:
-      Economical impact is a taxonomy to describe the financial impact
-      as positive or negative gain to the tagged information.
+   eu-nis-sector-and-subsectors:  Sectors and sub sectors as identified
+      by the NIS Directive.
 
-   ecsirt:
-      eCSIRT incident classification Appendix C of the eCSIRT EU project
-      including IntelMQ updates.
-
-   enisa:
-      ENISA Threat Taxonomy - A tool for structuring threat information
-      as published in https://www.enisa.europa.eu/topics/threat-risk-
-      management/threats-and-trends/enisa-threat-landscape/etl2015/
-      enisa-threat-taxonomy-a-tool-for-structuring-threat-information
-      [4]
-
-   estimative-language:
-      Estimative language - including likelihood or probability of event
-      based on the Intelligence Community Directive 203 (ICD 203)
-      (6.2.(a)) and JP 2-0, Joint Intelligence.
-
-
-
-
-Dulaunoy & Iklody         Expires June 2, 2018                 [Page 14]
-
-Internet-Draft            MISP taxonomy format             November 2017
-
-
-   eu-marketop-and-publicadmin:
-      Market operators and public administrations that must comply to
-      some notifications requirements under EU NIS directive.
-
-   eu-nis-sector-and-subsectors:
-      Sectors and sub sectors as identified by the NIS Directive.
-
-   euci:
-      EU classified information (EUCI) means any information or material
-      designated by a EU security classification, the unauthorised
-      disclosure of which could cause varying degrees of prejudice to
-      the interests of the European Union or of one or more of the
-      Member States as described in COUNCIL DECISION of 23 September
-      2013 on the security rules for protecting EU classified
+   euci:  EU classified information (EUCI) means any information or
+      material designated by a EU security classification, the
+      unauthorised disclosure of which could cause varying degrees of
+      prejudice to the interests of the European Union or of one or more
+      of the Member States as described in COUNCIL DECISION of 23
+      September 2013 on the security rules for protecting EU classified
       information
 
-   europol-event:
-      EUROPOL type of events taxonomy.
+   europol-event:  EUROPOL type of events taxonomy.
 
-   europol-incident:
-      EUROPOL class of incident taxonomy.
+   europol-incident:  EUROPOL class of incident taxonomy.
 
-   event-assessment:
-      A series of assessment predicates describing the event assessment
-      performed to make judgement(s) under a certain level of
-      uncertainty.
-
-   event-classification:
-      Event Classification.
-
-   exercise:
-      Exercise is a taxonomy to describe if the information is part of
-      one or more cyber or crisis exercise.
-
-   false-positive:
-      This taxonomy aims to ballpark the expected amount of false
-      positives.
-
-   file-type:
-      List of known file types.
-
-   flesch-reading-ease:
-      Flesch Reading Ease is a revised system for determining the
-      comprehension difficulty of written material.  The scoring of the
-      flesh score can have a maximum of 121.22 and there is no limit on
-      how low a score can be (negative score are valid).
-
-   fpf:
+   event-assessment:  A series of assessment predicates describing the
+      event assessment performed to make judgement(s) under a certain
+      level of uncertainty.
 
 
 
-Dulaunoy & Iklody         Expires June 2, 2018                 [Page 15]
+
+Dulaunoy & Iklody          Expires 25 May 2022                 [Page 14]
 
-Internet-Draft            MISP taxonomy format             November 2017
+Internet-Draft            MISP taxonomy format             November 2021
 
 
-      The Future of Privacy Forum (FPF) visual guide to practical de-
-      identification [5] taxonomy is used to evaluate the degree of
-      identifiability of personal data and the types of pseudonymous
-      data, de-identified data and anonymous data.  The work of FPF is
-      licensed under a creative commons attribution 4.0 international
-      license.
+   event-classification:  Event Classification.
 
-   fr-classif:
-      French gov information classification system.
+   exercise:  Exercise is a taxonomy to describe if the information is
+      part of one or more cyber or crisis exercise.
 
-   gdpr:
-      Taxonomy related to the REGULATION (EU) 2016/679 OF THE EUROPEAN
-      PARLIAMENT AND OF THE COUNCIL on the protection of natural persons
-      with regard to the processing of personal data and on the free
-      movement of such data, and repealing Directive 95/46/EC (General
-      Data Protection Regulation)
+   false-positive:  This taxonomy aims to ballpark the expected amount
+      of false positives.
 
-   gsma-attack-category:
-      Taxonomy used by GSMA for their information sharing program with
-      telco describing the attack categories
+   file-type:  List of known file types.
 
-   gsma-fraud:
-      Taxonomy used by GSMA for their information sharing program with
-      telco describing the various aspects of fraud
+   flesch-reading-ease:  Flesch Reading Ease is a revised system for
+      determining the comprehension difficulty of written material.  The
+      scoring of the flesh score can have a maximum of 121.22 and there
+      is no limit on how low a score can be (negative score are valid).
 
-   gsma-network-technology:
-      Taxonomy used by GSMA for their information sharing program with
-      telco describing the types of infrastructure.  WiP
+   fpf:  The Future of Privacy Forum (FPF) visual guide to practical de-
+      identification (https://fpf.org/2016/04/25/a-visual-guide-to-
+      practical-data-de-identification/) taxonomy is used to evaluate
+      the degree of identifiability of personal data and the types of
+      pseudonymous data, de-identified data and anonymous data.  The
+      work of FPF is licensed under a creative commons attribution 4.0
+      international license.
 
-   honeypot-basic:
-      Christian Seifert, Ian Welch, Peter Komisarczuk, 'Taxonomy of
-      Honeypots', Technical Report CS-TR-06/12, VICTORIA UNIVERSITY OF
-      WELLINGTON, School of Mathematical and Computing Sciences, June
-      2006, http://www.mcs.vuw.ac.nz/comp/Publications/archive/CS-TR-06/
-      CS-TR-06-12.pdf [6]
+   fr-classif:  French gov information classification system.
 
-   iep:
-      Forum of Incident Response and Security Teams (FIRST) Information
-      Exchange Policy (IEP) framework.
+   gdpr:  Taxonomy related to the REGULATION (EU) 2016/679 OF THE
+      EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of
+      natural persons with regard to the processing of personal data and
+      on the free movement of such data, and repealing Directive 95/46/
+      EC (General Data Protection Regulation)
 
-   ifx-vetting:
-      The IFX taxonomy is used to categorise information (MISP events
-      and attributes) to aid in the intelligence vetting process
+   gsma-attack-category:  Taxonomy used by GSMA for their information
+      sharing program with telco describing the attack categories
 
-   incident-disposition:
-      How an incident is classified in its process to be resolved.  The
-      taxonomy is inspired from NASA Incident Response and Management
-      Handbook.
+   gsma-fraud:  Taxonomy used by GSMA for their information sharing
+      program with telco describing the various aspects of fraud
+
+   gsma-network-technology:  Taxonomy used by GSMA for their information
+      sharing program with telco describing the types of infrastructure.
+      WiP
+
+   honeypot-basic:  Christian Seifert, Ian Welch, Peter Komisarczuk, ‘
+      (U+2018)Taxonomy of Honeypots’ (U+2019), Technical Report CS-TR-
+      06/12, VICTORIA UNIVERSITY OF WELLINGTON, School of Mathematical
+      and Computing Sciences, June 2006,
+      http://www.mcs.vuw.ac.nz/comp/Publications/archive/CS-TR-06/CS-TR-
+      06-12.pdf (http://www.mcs.vuw.ac.nz/comp/Publications/archive/CS-
+      TR-06/CS-TR-06-12.pdf)
 
 
 
-Dulaunoy & Iklody         Expires June 2, 2018                 [Page 16]
+Dulaunoy & Iklody          Expires 25 May 2022                 [Page 15]
 
-Internet-Draft            MISP taxonomy format             November 2017
+Internet-Draft            MISP taxonomy format             November 2021
 
 
-   infoleak:
-      A taxonomy describing information leaks and especially information
-      classified as being potentially leaked.
+   iep:  Forum of Incident Response and Security Teams (FIRST)
+      Information Exchange Policy (IEP) framework.
 
-   information-security-data-source:
-      Taxonomy to classify the information security data sources
+   ifx-vetting:  The IFX taxonomy is used to categorise information
+      (MISP events and attributes) to aid in the intelligence vetting
+      process
 
-   information-security-indicators:
-      Information security indicators have been standardized by the ETSI
-      Industrial Specification Group (ISG) ISI.  These indicators
-      provide the basis to switch from a qualitative to a quantitative
-      culture in IT Security Scope of measurements: External and
-      internal threats (attempt and success), user's deviant behaviours,
-      nonconformities and/or vulnerabilities (software, configuration,
-      behavioural, general security framework).  ETSI GS ISI 001-1
-      (V1.1.2): ISI Indicators
+   incident-disposition:  How an incident is classified in its process
+      to be resolved.  The taxonomy is inspired from NASA Incident
+      Response and Management Handbook.
 
-   interception-method:
-      The interception method used to intercept traffic.
+   infoleak:  A taxonomy describing information leaks and especially
+      information classified as being potentially leaked.
 
-   kill-chain:
-      Cyber Kill Chain from Lockheed Martin as described in
+   information-security-data-source:  Taxonomy to classify the
+      information security data sources
+
+   information-security-indicators:  Information security indicators
+      have been standardized by the ETSI Industrial Specification Group
+      (ISG) ISI.  These indicators provide the basis to switch from a
+      qualitative to a quantitative culture in IT Security Scope of
+      measurements: External and internal threats (attempt and success),
+      user's deviant behaviours, nonconformities and/or vulnerabilities
+      (software, configuration, behavioural, general security
+      framework).  ETSI GS ISI 001-1 (V1.1.2): ISI Indicators
+
+   interception-method:  The interception method used to intercept
+      traffic.
+
+   kill-chain:  Cyber Kill Chain from Lockheed Martin as described in
       Intelligence-Driven Computer Network Defense Informed by Analysis
       of Adversary Campaigns and Intrusion Kill Chains.
 
-   maec-delivery-vectors:
-      Vectors used to deliver malware based on MAEC 5.0
+   maec-delivery-vectors:  Vectors used to deliver malware based on MAEC
+      5.0
 
-   maec-malware-behavior:
-      Malware behaviours based on MAEC 5.0
+   maec-malware-behavior:  Malware behaviours based on MAEC 5.0
 
-   maec-malware-capabilities:
-      Malware Capabilities based on MAEC 5.0
+   maec-malware-capabilities:  Malware Capabilities based on MAEC 5.0
 
-   maec-malware-obfuscation-methods:
-      Obfuscation methods used by malware based on MAEC 5.0
+   maec-malware-obfuscation-methods:  Obfuscation methods used by
+      malware based on MAEC 5.0
 
-   malware_classification:
-      Malware classification based on a SANS whitepaper about malware.
+   malware_classification:  Malware classification based on a SANS
+      whitepaper about malware.
 
-   misp:
-      Internal MISP taxonomy.
-
-   monarc-threat:
-      MONARC threat taxonomy.
-
-   ms-caro-malware:
+   misp:  Internal MISP taxonomy.
 
 
 
 
-Dulaunoy & Iklody         Expires June 2, 2018                 [Page 17]
+Dulaunoy & Iklody          Expires 25 May 2022                 [Page 16]
 
-Internet-Draft            MISP taxonomy format             November 2017
+Internet-Draft            MISP taxonomy format             November 2021
 
 
-      Malware Type and Platform classification based on Microsoft's
-      implementation of the Computer Antivirus Research Organization
-      (CARO) Naming Scheme and Malware Terminology.
+   monarc-threat:  MONARC threat taxonomy.
 
-   ms-caro-malware-full:
-      Malware Type and Platform classification based on Microsoft's
-      implementation of the Computer Antivirus Research Organization
-      (CARO) Naming Scheme and Malware Terminology.
+   ms-caro-malware:  Malware Type and Platform classification based on
+      Microsoft's implementation of the Computer Antivirus Research
+      Organization (CARO) Naming Scheme and Malware Terminology.
 
-   nato:
-      Marking of Classified and Unclassified materials as described by
-      the North Atlantic Treaty Organization, NATO.
+   ms-caro-malware-full:  Malware Type and Platform classification based
+      on Microsoft's implementation of the Computer Antivirus Research
+      Organization (CARO) Naming Scheme and Malware Terminology.
 
-   nis:
-      NIS Cybersecurity Incident Taxonomy.
+   nato:  Marking of Classified and Unclassified materials as described
+      by the North Atlantic Treaty Organization, NATO.
 
-   open_threat:
-      Open Threat Taxonomy v1.1 base on James Tarala of SANS ref. -
-      http://www.auditscripts.com/resources/
-      open_threat_taxonomy_v1.1a.pdf [7]
+   nis:  NIS Cybersecurity Incident Taxonomy.
 
-   osint:
-      Open Source Intelligence - Classification (MISP taxonomies).
+   open_threat:  Open Threat Taxonomy v1.1 base on James Tarala of SANS
+      ref. - http://www.auditscripts.com/resources/
+      open_threat_taxonomy_v1.1a.pdf
+      (http://www.auditscripts.com/resources/
+      open_threat_taxonomy_v1.1a.pdf)
 
-   passivetotal:
-      Tags for RiskIQ's passivetotal service
+   osint:  Open Source Intelligence - Classification (MISP taxonomies).
 
-   pentest:
-      Penetration test (pentest) classification.
+   passivetotal:  Tags for RiskIQ's passivetotal service
 
-   priority-level:
-      After an incident is scored, it is assigned a priority level.  The
-      six levels listed below are aligned with NCCIC, DHS, and the CISS
-      to help provide a common lexicon when discussing incidents.  This
-      priority assignment drives NCCIC urgency, pre-approved incident
-      response offerings, reporting requirements, and recommendations
-      for leadership escalation.  Generally, incident priority
-      distribution should follow a similar pattern to the graph below.
-      Based on https://www.us-cert.gov/NCCIC-Cyber-Incident-Scoring-
-      System [8].
+   pentest:  Penetration test (pentest) classification.
 
-   rsit:
-      Reference Security Incident Classification Taxonomy.
+   priority-level:  After an incident is scored, it is assigned a
+      priority level.  The six levels listed below are aligned with
+      NCCIC, DHS, and the CISS to help provide a common lexicon when
+      discussing incidents.  This priority assignment drives NCCIC
+      urgency, pre-approved incident response offerings, reporting
+      requirements, and recommendations for leadership escalation.
+      Generally, incident priority distribution should follow a similar
+      pattern to the graph below.  Based on https://www.us-cert.gov/
+      NCCIC-Cyber-Incident-Scoring-System (https://www.us-cert.gov/
+      NCCIC-Cyber-Incident-Scoring-System).
 
-   rteventstatus:
-      Status of events used in Request Tracker.
+   rsit:  Reference Security Incident Classification Taxonomy.
 
-   runtime-packer:
+   rt_event_status:  Status of events used in Request Tracker.
+
+   runtime-packer:  Runtime or software packer used to combine
+      compressed data with the decompression code.  The decompression
+      code can add additional obfuscations mechanisms including
+      polymorphic-packer or other obfuscation techniques.  This taxonomy
+      lists all the known or official packer used for legitimate use or
+      for packing malicious binaries.
 
 
 
-Dulaunoy & Iklody         Expires June 2, 2018                 [Page 18]
+Dulaunoy & Iklody          Expires 25 May 2022                 [Page 17]
 
-Internet-Draft            MISP taxonomy format             November 2017
+Internet-Draft            MISP taxonomy format             November 2021
 
 
-      Runtime or software packer used to combine compressed data with
-      the decompression code.  The decompression code can add additional
-      obfuscations mechanisms including polymorphic-packer or other
-      obfuscation techniques.  This taxonomy lists all the known or
-      official packer used for legitimate use or for packing malicious
-      binaries.
+   smart-airports-threats:  Threat taxonomy in the scope of securing
+      smart airports by ENISA.
 
-   smart-airports-threats:
-      Threat taxonomy in the scope of securing smart airports by ENISA.
+   stealth_malware:  Classification based on malware stealth techniques.
 
-   stealth_malware:
-      Classification based on malware stealth techniques.
-
-   stix-ttp:
-      Representation of the behavior or modus operandi of cyber
+   stix-ttp:  Representation of the behavior or modus operandi of cyber
       adversaries (a.k.a TTP) as normalized in STIX
 
-   targeted-threat-index:
-      The Targeted Threat Index is a metric for assigning an overall
-      threat ranking score to email messages that deliver malware to a
-      victim's computer.  The TTI metric was first introduced at SecTor
-      2013 by Seth Hardy as part of the talk "RATastrophe: Monitoring a
-      Malware Menagerie" along with Katie Kleemola and Greg Wiseman.
+   targeted-threat-index:  The Targeted Threat Index is a metric for
+      assigning an overall threat ranking score to email messages that
+      deliver malware to a victim’ (U+2019)s computer.  The TTI metric
+      was first introduced at SecTor 2013 by Seth Hardy as part of the
+      talk “ (U+201C)RATastrophe: Monitoring a Malware Menagerie”
+      (U+201D) along with Katie Kleemola and Greg Wiseman.
 
-   tlp:
-      The Traffic Light Protocol - or short: TLP - was designed with the
-      objective to create a favorable classification scheme for sharing
-      sensitive information while keeping the control over its
+   tlp:  The Traffic Light Protocol - or short: TLP - was designed with
+      the objective to create a favorable classification scheme for
+      sharing sensitive information while keeping the control over its
       distribution at the same time.  Extended with TLP:EX:CHR.
 
-   tor:
-      Taxonomy to describe Tor network infrastructure
+   tor:  Taxonomy to describe Tor network infrastructure
 
-   type:
-      Taxonomy to describe different types of intelligence gathering
+   type:  Taxonomy to describe different types of intelligence gathering
       discipline which can be described the origin of intelligence.
 
-   use-case-applicability:
-      The Use Case Applicability categories reflect standard resolution
-      categories, to clearly display alerting rule configuration
-      problems.
+   use-case-applicability:  The Use Case Applicability categories
+      reflect standard resolution categories, to clearly display
+      alerting rule configuration problems.
 
-   veris:
-      Vocabulary for Event Recording and Incident Sharing (VERIS).
+   veris:  Vocabulary for Event Recording and Incident Sharing (VERIS).
 
-   vocabulaire-des-probabilites-estimatives:
-      Vocabulaire des probabilites estimatives
+   vocabulaire-des-probabilites-estimatives:  Vocabulaire des
+      probabilité (U+00E9)s estimatives
 
-
-
-
-Dulaunoy & Iklody         Expires June 2, 2018                 [Page 19]
-
-Internet-Draft            MISP taxonomy format             November 2017
-
-
-   workflow:
-      Workflow support language is a common language to support
+   workflow:  Workflow support language is a common language to support
       intelligence analysts to perform their analysis on data and
       information.
 
@@ -1078,6 +999,17 @@ Internet-Draft            MISP taxonomy format             November 2017
    used validating a MISP taxonomy.  The validation is a _MUST_ if the
    taxonomy is included in the MISP taxonomies directory.
 
+
+
+
+
+
+
+Dulaunoy & Iklody          Expires 25 May 2022                 [Page 18]
+
+Internet-Draft            MISP taxonomy format             November 2021
+
+
    {
      "$schema": "http://json-schema.org/schema#",
      "title": "Validator for misp-taxonomies",
@@ -1114,14 +1046,6 @@ Internet-Draft            MISP taxonomy format             November 2017
        "values": {
          "type": "array",
          "uniqueItems": true,
-
-
-
-Dulaunoy & Iklody         Expires June 2, 2018                 [Page 20]
-
-Internet-Draft            MISP taxonomy format             November 2017
-
-
          "items": {
            "type": "object",
            "additionalProperties": false,
@@ -1134,6 +1058,14 @@ Internet-Draft            MISP taxonomy format             November 2017
              }
            },
            "required": [
+
+
+
+Dulaunoy & Iklody          Expires 25 May 2022                 [Page 19]
+
+Internet-Draft            MISP taxonomy format             November 2021
+
+
              "predicate"
            ]
          }
@@ -1170,14 +1102,6 @@ Internet-Draft            MISP taxonomy format             November 2017
          }
        }
      },
-
-
-
-Dulaunoy & Iklody         Expires June 2, 2018                 [Page 21]
-
-Internet-Draft            MISP taxonomy format             November 2017
-
-
      "type": "object",
      "additionalProperties": false,
      "properties": {
@@ -1190,6 +1114,14 @@ Internet-Draft            MISP taxonomy format             November 2017
        "expanded": {
          "type": "string"
        },
+
+
+
+Dulaunoy & Iklody          Expires 25 May 2022                 [Page 20]
+
+Internet-Draft            MISP taxonomy format             November 2021
+
+
        "namespace": {
          "type": "string"
        },
@@ -1226,14 +1158,6 @@ Internet-Draft            MISP taxonomy format             November 2017
      "required": [
        "namespace",
        "description",
-
-
-
-Dulaunoy & Iklody         Expires June 2, 2018                 [Page 22]
-
-Internet-Draft            MISP taxonomy format             November 2017
-
-
        "version",
        "predicates"
      ]
@@ -1244,9 +1168,15 @@ Internet-Draft            MISP taxonomy format             November 2017
    The authors wish to thank all the MISP community who are supporting
    the creation of open standards in threat intelligence sharing.
 
-7.  References
+7.  Normative References
+
+
+
+
+Dulaunoy & Iklody          Expires 25 May 2022                 [Page 21]
+
+Internet-Draft            MISP taxonomy format             November 2021
 
-7.1.  Normative References
 
    [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
               Requirement Levels", BCP 14, RFC 2119,
@@ -1258,18 +1188,13 @@ Internet-Draft            MISP taxonomy format             November 2017
               DOI 10.17487/RFC8259, December 2017,
               <https://www.rfc-editor.org/info/rfc8259>.
 
-7.2.  Informative References
+8.  Informative References
 
    [JSON-SCHEMA]
               Wright, A., "JSON Schema: A Media Type for Describing JSON
               Documents", 2016,
               <https://tools.ietf.org/html/draft-wright-json-schema>.
 
-   [machine-tags]
-              Cope, A. S., "Machine tags", 2007,
-              <https://www.flickr.com/groups/51035612836@N01/
-              discuss/72157594497877875/>.
-
    [MISP-P]   Community, M., "MISP Project - Malware Information Sharing
               Platform and Threat Sharing", <https://github.com/MISP>.
 
@@ -1277,42 +1202,17 @@ Internet-Draft            MISP taxonomy format             November 2017
               vocabularies of tags",
               <https://github.com/MISP/misp-taxonomies>.
 
-7.3.  URIs
-
-   [1] https://www.dni.gov/index.php/cyber-threat-framework
-
-   [2] https://www.dhs.gov/critical-infrastructure-sectors
-
-
-
-Dulaunoy & Iklody         Expires June 2, 2018                 [Page 23]
-
-Internet-Draft            MISP taxonomy format             November 2017
-
-
-   [3] https://www.drugbank.ca/releases/latest
-
-   [4] https://www.enisa.europa.eu/topics/threat-risk-management/
-       threats-and-trends/enisa-threat-landscape/etl2015/enisa-threat-
-       taxonomy-a-tool-for-structuring-threat-information
-
-   [5] https://fpf.org/2016/04/25/a-visual-guide-to-practical-data-de-
-       identification/
-
-   [6] http://www.mcs.vuw.ac.nz/comp/Publications/archive/CS-TR-06/CS-
-       TR-06-12.pdf
-
-   [7] http://www.auditscripts.com/resources/
-       open_threat_taxonomy_v1.1a.pdf
-
-   [8] https://www.us-cert.gov/NCCIC-Cyber-Incident-Scoring-System
+   [machine-tags]
+              Cope, A. S., "Machine tags", 2007,
+              <https://www.flickr.com/groups/51035612836@N01/
+              discuss/72157594497877875/>.
 
 Authors' Addresses
 
    Alexandre Dulaunoy
    Computer Incident Response Center Luxembourg
    16, bd d'Avranches
-   Luxembourg  L-1611
+   L-L-1611 Luxembourg
    Luxembourg
 
    Phone: +352 247 88444
@@ -1322,10 +1222,18 @@ Authors' Addresses
    Andras Iklody
    Computer Incident Response Center Luxembourg
    16, bd d'Avranches
-   Luxembourg  L-1611
+   L-L-1611 Luxembourg
    Luxembourg
 
    Phone: +352 247 88444
+
+
+
+Dulaunoy & Iklody          Expires 25 May 2022                 [Page 22]
+
+Internet-Draft            MISP taxonomy format             November 2021
+
+
    Email: andras.iklody@circl.lu
 
 
@@ -1341,4 +1249,40 @@ Authors' Addresses
 
 
 
-Dulaunoy & Iklody         Expires June 2, 2018                 [Page 24]
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Dulaunoy & Iklody          Expires 25 May 2022                 [Page 23]