Compare commits

3 Commits

8 changed files with 2305 additions and 1367 deletions

@ -15,7 +15,7 @@ respective key. The format is described to support other implementations which r
format and ensuring an interoperability with existing MISP software and other Threat Intelligence Platforms.
" name="description">
<meta content="xml2rfc 3.12.1" name="generator">
<meta content="draft-16" name="ietf.draft">
<meta content="draft-17" name="ietf.draft">
<!-- Generator version information:
xml2rfc 3.12.1
Python 3.8.10
@ -26,13 +26,13 @@ format and ensuring an interoperability with existing MISP software and other
intervaltree 3.1.0
Jinja2 3.1.2
kitchen 1.2.6
lxml 4.9.1
lxml 4.9.2
pycairo 1.16.2
pycountry 22.3.5
pyflakes 2.4.0
PyYAML 6.0
requests 2.28.1
setuptools 65.4.0
requests 2.31.0
setuptools 68.1.2
six 1.16.0
-->
<link href="raw.md.xml" rel="alternate" type="application/rfc+xml">
@ -1190,11 +1190,11 @@ li > p:last-of-type {
<thead><tr>
<td class="left">Internet-Draft</td>
<td class="center">MISP core format</td>
<td class="right">February 2023</td>
<td class="right">December 2023</td>
</tr></thead>
<tfoot><tr>
<td class="left">Dulaunoy &amp; Iklody</td>
<td class="center">Expires 30 August 2023</td>
<td class="center">Expires 26 June 2024</td>
<td class="right">[Page]</td>
</tr></tfoot>
</table>
@ -1204,15 +1204,15 @@ li > p:last-of-type {
<dt class="label-workgroup">Workgroup:</dt>
<dd class="workgroup">Network Working Group</dd>
<dt class="label-internet-draft">Internet-Draft:</dt>
<dd class="internet-draft">draft-16</dd>
<dd class="internet-draft">draft-17</dd>
<dt class="label-published">Published:</dt>
<dd class="published">
<time datetime="2023-02-26" class="published">26 February 2023</time>
<time datetime="2023-12-24" class="published">24 December 2023</time>
</dd>
<dt class="label-intended-status">Intended Status:</dt>
<dd class="intended-status">Informational</dd>
<dt class="label-expires">Expires:</dt>
<dd class="expires"><time datetime="2023-08-30">30 August 2023</time></dd>
<dd class="expires"><time datetime="2024-06-26">26 June 2024</time></dd>
<dt class="label-authors">Authors:</dt>
<dd class="authors">
<div class="author">
@ -1254,7 +1254,7 @@ format and ensuring an interoperability with existing MISP <span>[<a href="#MISP
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."<a href="#section-boilerplate.1-3" class="pilcrow"></a></p>
<p id="section-boilerplate.1-4">
This Internet-Draft will expire on 30 August 2023.<a href="#section-boilerplate.1-4" class="pilcrow"></a></p>
This Internet-Draft will expire on 26 June 2024.<a href="#section-boilerplate.1-4" class="pilcrow"></a></p>
</section>
</div>
<div id="copyright">
@ -2918,6 +2918,10 @@ be anonymised. Sighting is composed of a JSON array in which each element descri
<td class="text-left" rowspan="1" colspan="1">2</td>
<td class="text-center" rowspan="1" colspan="1">denotes an attribute which will be expired at the time of the sighting</td>
</tr>
<tr>
<td class="text-left" rowspan="1" colspan="1">3</td>
<td class="text-center" rowspan="1" colspan="1">denotes an attribute which has been seen and confirmed as a true-positive</td>
</tr>
</tbody>
</table>
<p id="section-2.9-4">uuid <span class="bcp14">MUST</span> be present. uuid references the uuid of the sighted attribute.<a href="#section-2.9-4" class="pilcrow"></a></p>
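Review bot: the new row for value 3 in the sighting type table comes with no text on how a consumer written against draft-16, where the table stopped at value 2, should treat a type it does not recognise. Suggest adding a sentence next to the table that says whether unknown type values are to be ignored or rejected, so that a confirmed true-positive sighting is not silently misread by an older implementation.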

@ -5,11 +5,11 @@
Network Working Group A. Dulaunoy
Internet-Draft A. Iklody
Intended status: Informational CIRCL
Expires: 30 August 2023 26 February 2023
Expires: 26 June 2024 24 December 2023
MISP core format
draft-16
draft-17
Abstract
@ -37,7 +37,7 @@ Status of This Memo
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 30 August 2023.
This Internet-Draft will expire on 26 June 2024.
Copyright Notice
@ -53,9 +53,9 @@ Copyright Notice
Dulaunoy & Iklody Expires 30 August 2023 [Page 1]
Dulaunoy & Iklody Expires 26 June 2024 [Page 1]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
Table of Contents
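Review bot: the footer and header lines in this hunk change only because the expiry and publication dates moved, and the same substitution repeats for every page of the text rendering. Suggest committing the regenerated output separately from the source edit, or not tracking it at all, so that the one substantive change to the format (the sighting type 3 row) is not buried under page-footer churn.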
@ -109,9 +109,9 @@ Table of Contents
Dulaunoy & Iklody Expires 30 August 2023 [Page 2]
Dulaunoy & Iklody Expires 26 June 2024 [Page 2]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 53
@ -165,9 +165,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 3]
Dulaunoy & Iklody Expires 26 June 2024 [Page 3]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
uuid is represented as a JSON string. uuid MUST be present.
@ -221,9 +221,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 4]
Dulaunoy & Iklody Expires 26 June 2024 [Page 4]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
1: Ongoing
@ -277,9 +277,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 5]
Dulaunoy & Iklody Expires 26 June 2024 [Page 5]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
org_id is represented as a JSON string. org_id MUST be present.
@ -333,9 +333,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 6]
Dulaunoy & Iklody Expires 26 June 2024 [Page 6]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
2.2.1.15. extends_uuid
@ -389,9 +389,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 7]
Dulaunoy & Iklody Expires 26 June 2024 [Page 7]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
uuid, name and id are represented as a JSON string. uuid, name and id
@ -445,9 +445,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 8]
Dulaunoy & Iklody Expires 26 June 2024 [Page 8]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
2.3.2.2. id
@ -501,9 +501,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 9]
Dulaunoy & Iklody Expires 26 June 2024 [Page 9]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
pattern-in-traffic, pattern-in-memory, filename-pattern,
@ -557,9 +557,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 10]
Dulaunoy & Iklody Expires 26 June 2024 [Page 10]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512,
@ -613,9 +613,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 11]
Dulaunoy & Iklody Expires 26 June 2024 [Page 11]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
category is represented as a JSON string. category MUST be present
@ -669,9 +669,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 12]
Dulaunoy & Iklody Expires 26 June 2024 [Page 12]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
2.3.2.9. comment
@ -725,9 +725,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 13]
Dulaunoy & Iklody Expires 26 June 2024 [Page 13]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
2.3.2.14. ShadowAttribute
@ -781,9 +781,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 14]
Dulaunoy & Iklody Expires 26 June 2024 [Page 14]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
2.4.1. Sample Attribute Object
@ -837,9 +837,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 15]
Dulaunoy & Iklody Expires 26 June 2024 [Page 15]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
type is represented as a JSON string. type MUST be present and it
@ -893,9 +893,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 16]
Dulaunoy & Iklody Expires 26 June 2024 [Page 16]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
hostname, domain, domain|ip, mac-address, mac-eui-64, email,
@ -949,9 +949,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 17]
Dulaunoy & Iklody Expires 26 June 2024 [Page 17]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512,
@ -1005,9 +1005,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 18]
Dulaunoy & Iklody Expires 26 June 2024 [Page 18]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
category is represented as a JSON string. category MUST be present
@ -1061,9 +1061,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 19]
Dulaunoy & Iklody Expires 26 June 2024 [Page 19]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
2.4.2.9. comment
@ -1117,9 +1117,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 20]
Dulaunoy & Iklody Expires 26 June 2024 [Page 20]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
2.4.2.14. first_seen
@ -1173,9 +1173,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 21]
Dulaunoy & Iklody Expires 26 June 2024 [Page 21]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
"Org": {
@ -1229,9 +1229,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 22]
Dulaunoy & Iklody Expires 26 June 2024 [Page 22]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
"Object": {
@ -1285,9 +1285,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 23]
Dulaunoy & Iklody Expires 26 June 2024 [Page 23]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
2.5.2.1. uuid
@ -1341,9 +1341,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 24]
Dulaunoy & Iklody Expires 26 June 2024 [Page 24]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
template_uuid is represented as a JSON string. template_uuid MUST be
@ -1397,9 +1397,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 25]
Dulaunoy & Iklody Expires 26 June 2024 [Page 25]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
2.5.2.11. sharing_group_id
@ -1453,9 +1453,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 26]
Dulaunoy & Iklody Expires 26 June 2024 [Page 26]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
last_seen is represented as a JSON string. last_seen MAY be present.
@ -1509,9 +1509,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 27]
Dulaunoy & Iklody Expires 26 June 2024 [Page 27]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
2.6.2.3. timestamp
@ -1565,9 +1565,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 28]
Dulaunoy & Iklody Expires 26 June 2024 [Page 28]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
relationship_type is represented as a JSON string. relationship_type
@ -1621,9 +1621,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 29]
Dulaunoy & Iklody Expires 26 June 2024 [Page 29]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
2.7.2. UUID
@ -1677,9 +1677,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 30]
Dulaunoy & Iklody Expires 26 June 2024 [Page 30]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
2 Connected Communities
@ -1733,9 +1733,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 31]
Dulaunoy & Iklody Expires 26 June 2024 [Page 31]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
2.8.1. Sample Tag
@ -1768,6 +1768,9 @@ Internet-Draft MISP core format February 2023
+---------------+------------------------------------------+
| 2 | denotes an attribute which will be |
| | expired at the time of the sighting |
+---------------+------------------------------------------+
| 3 | denotes an attribute which has been seen |
| | and confirmed as a true-positive |
+---------------+------------------------------------------+
Table 1
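Review bot: the description added for value 3, "seen and confirmed as a true-positive", does not say who or what performs the confirmation. Suggest stating in the table or the text beside it whether a type 3 sighting requires analyst review or may be emitted by an automated source, since consumers are likely to weight it more heavily than the other types.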
@ -1780,20 +1783,22 @@ Internet-Draft MISP core format February 2023
date_sighting represents when the referenced attribute, designated by
its uuid, is sighted.
Dulaunoy & Iklody Expires 26 June 2024 [Page 32]
Internet-Draft MISP core format December 2023
source MAY be present. source is represented as a JSON string and
represents the human-readable version of the sighting source, which
can be a given piece of software (e.g. SIEM), device or a specific
analytical process.
Dulaunoy & Iklody Expires 30 August 2023 [Page 32]
Internet-Draft MISP core format February 2023
id, event_id and attribute_id are represented as a JSON string and
MAY be present.
@ -1840,14 +1845,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 33]
Dulaunoy & Iklody Expires 26 June 2024 [Page 33]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
"Sighting": [
@ -1901,9 +1901,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 34]
Dulaunoy & Iklody Expires 26 June 2024 [Page 34]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
"Galaxy": [ {
@ -1957,9 +1957,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 35]
Dulaunoy & Iklody Expires 26 June 2024 [Page 35]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
3. JSON Schema
@ -2013,9 +2013,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 36]
Dulaunoy & Iklody Expires 26 June 2024 [Page 36]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
"type": "object",
@ -2069,9 +2069,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 37]
Dulaunoy & Iklody Expires 26 June 2024 [Page 37]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
"items": {
@ -2125,9 +2125,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 38]
Dulaunoy & Iklody Expires 26 June 2024 [Page 38]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
"type": "string"
@ -2181,9 +2181,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 39]
Dulaunoy & Iklody Expires 26 June 2024 [Page 39]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
"type": "string"
@ -2237,9 +2237,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 40]
Dulaunoy & Iklody Expires 26 June 2024 [Page 40]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
"properties": {
@ -2293,9 +2293,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 41]
Dulaunoy & Iklody Expires 26 June 2024 [Page 41]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
"properties": {
@ -2349,9 +2349,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 42]
Dulaunoy & Iklody Expires 26 June 2024 [Page 42]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
"properties": {
@ -2405,9 +2405,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 43]
Dulaunoy & Iklody Expires 26 June 2024 [Page 43]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
},
@ -2461,9 +2461,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 44]
Dulaunoy & Iklody Expires 26 June 2024 [Page 44]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
},
@ -2517,9 +2517,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 45]
Dulaunoy & Iklody Expires 26 June 2024 [Page 45]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
"type": "string"
@ -2573,9 +2573,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 46]
Dulaunoy & Iklody Expires 26 June 2024 [Page 46]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
"uniqueItems": true,
@ -2629,9 +2629,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 47]
Dulaunoy & Iklody Expires 26 June 2024 [Page 47]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
"type": "boolean"
@ -2685,9 +2685,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 48]
Dulaunoy & Iklody Expires 26 June 2024 [Page 48]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
"type": "object",
@ -2741,9 +2741,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 49]
Dulaunoy & Iklody Expires 26 June 2024 [Page 49]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
"Event": {
@ -2797,9 +2797,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 50]
Dulaunoy & Iklody Expires 26 June 2024 [Page 50]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
If a detached PGP signature is used for each MISP event, a detached
@ -2853,9 +2853,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 51]
Dulaunoy & Iklody Expires 26 June 2024 [Page 51]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
"name": "malware_classification:malware-category=\"Ransomware\""
@ -2909,9 +2909,9 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 52]
Dulaunoy & Iklody Expires 26 June 2024 [Page 52]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
[RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally
@ -2965,9 +2965,9 @@ Authors' Addresses
Dulaunoy & Iklody Expires 30 August 2023 [Page 53]
Dulaunoy & Iklody Expires 26 June 2024 [Page 53]
Internet-Draft MISP core format February 2023
Internet-Draft MISP core format December 2023
Andras Iklody
@ -3021,4 +3021,4 @@ Internet-Draft MISP core format February 2023
Dulaunoy & Iklody Expires 30 August 2023 [Page 54]
Dulaunoy & Iklody Expires 26 June 2024 [Page 54]

@ -11,29 +11,28 @@
<meta content="
This document describes the MISP galaxy format which describes a simple JSON format to represent galaxies and clusters that can be attached to MISP events or attributes. A public directory of MISP galaxies is available and relies on the MISP galaxy format. MISP galaxies are used to add further informations on a MISP event. MISP galaxy is a public repository of known malware, threats actors and various other collections of data that can be used to mark, classify or label data in threat information sharing.
" name="description">
<meta content="xml2rfc 3.9.1" name="generator">
<meta content="draft-00" name="ietf.draft">
<meta content="xml2rfc 3.12.1" name="generator">
<meta content="draft-08" name="ietf.draft">
<!-- Generator version information:
xml2rfc 3.9.1
Python 3.6.9
xml2rfc 3.12.1
Python 3.8.10
appdirs 1.4.4
ConfigArgParse 1.5.2
google-i18n-address 2.3.5
html5lib 1.0.1
intervaltree 2.1.0
Jinja2 2.11.2
ConfigArgParse 1.5.3
google-i18n-address 2.5.0
html5lib 1.1
intervaltree 3.1.0
Jinja2 3.1.2
kitchen 1.2.6
lxml 4.6.3
lxml 4.9.2
pycairo 1.16.2
pycountry 18.12.8
pyflakes 2.1.1
PyYAML 5.4.1
requests 2.25.1
setuptools 57.1.0
six 1.15.0
WeasyPrint 48
pycountry 22.3.5
pyflakes 2.4.0
PyYAML 6.0
requests 2.31.0
setuptools 68.1.2
six 1.16.0
-->
<link href="misp-standard-galaxy-format.xml" rel="alternate" type="application/rfc+xml">
<link href="raw.md.xml" rel="alternate" type="application/rfc+xml">
<link href="#copyright" rel="license">
<style type="text/css">/*
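Review bot: the alternate link at the end of this hunk now points to "raw.md.xml" instead of the document-specific "misp-standard-galaxy-format.xml", and the core format rendering in this same comparison carries an identical "raw.md.xml" link. If both HTML files are served from one directory, the two alternates resolve to a single XML file; suggest giving the XML output a per-document name in the build step.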
@ -387,6 +386,12 @@ hr {
float: left;
margin-bottom: 0;
}
/* Fix PDF info block run off issue */
@media print {
#identifiers dd {
float: none;
}
}
#identifiers .authors .author {
display: inline-block;
margin-right: 1.5em;
@ -1081,7 +1086,7 @@ tr:nth-child(2n+1) > td {
}
/* Change the approach to avoiding breaks inside artwork etc. */
figure, pre, table, .artwork, .sourcecode {
break-before: avoid-page;
break-before: auto;
break-after: auto;
}
/* Avoid breaks between <dt> and <dd> */
@ -1182,11 +1187,11 @@ li > p:last-of-type {
<thead><tr>
<td class="left">Internet-Draft</td>
<td class="center">MISP galaxy format</td>
<td class="right">November 2021</td>
<td class="right">December 2023</td>
</tr></thead>
<tfoot><tr>
<td class="left">Dulaunoy, et al.</td>
<td class="center">Expires 25 May 2022</td>
<td class="center">Expires 26 June 2024</td>
<td class="right">[Page]</td>
</tr></tfoot>
</table>
@ -1196,15 +1201,15 @@ li > p:last-of-type {
<dt class="label-workgroup">Workgroup:</dt>
<dd class="workgroup">Network Working Group</dd>
<dt class="label-internet-draft">Internet-Draft:</dt>
<dd class="internet-draft">draft-00</dd>
<dd class="internet-draft">draft-08</dd>
<dt class="label-published">Published:</dt>
<dd class="published">
<time datetime="2021-11-21" class="published">21 November 2021</time>
<time datetime="2023-12-24" class="published">24 December 2023</time>
</dd>
<dt class="label-intended-status">Intended Status:</dt>
<dd class="intended-status">Informational</dd>
<dt class="label-expires">Expires:</dt>
<dd class="expires"><time datetime="2022-05-25">25 May 2022</time></dd>
<dd class="expires"><time datetime="2024-06-26">26 June 2024</time></dd>
<dt class="label-authors">Authors:</dt>
<dd class="authors">
<div class="author">
@ -1246,7 +1251,7 @@ li > p:last-of-type {
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."<a href="#section-boilerplate.1-3" class="pilcrow"></a></p>
<p id="section-boilerplate.1-4">
This Internet-Draft will expire on 25 May 2022.<a href="#section-boilerplate.1-4" class="pilcrow"></a></p>
This Internet-Draft will expire on 26 June 2024.<a href="#section-boilerplate.1-4" class="pilcrow"></a></p>
</section>
</div>
<div id="copyright">
@ -1255,7 +1260,7 @@ li > p:last-of-type {
<a href="#name-copyright-notice" class="section-name selfRef">Copyright Notice</a>
</h2>
<p id="section-boilerplate.2-1">
Copyright (c) 2021 IETF Trust and the persons identified as the
Copyright (c) 2023 IETF Trust and the persons identified as the
document authors. All rights reserved.<a href="#section-boilerplate.2-1" class="pilcrow"></a></p>
<p id="section-boilerplate.2-2">
This document is subject to BCP 78 and the IETF Trust's Legal
@ -1271,53 +1276,53 @@ li > p:last-of-type {
<a href="#" onclick="scroll(0,0)" class="toplink"></a><h2 id="name-table-of-contents">
<a href="#name-table-of-contents" class="section-name selfRef">Table of Contents</a>
</h2>
<nav class="toc"><ul class="ulEmpty ulBare compact toc">
<li class="ulEmpty ulBare compact toc" id="section-toc.1-1.1">
<nav class="toc"><ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.1">
<p id="section-toc.1-1.1.1" class="keepWithNext"><a href="#section-1" class="xref">1</a>.  <a href="#name-introduction" class="xref">Introduction</a></p>
<ul class="ulEmpty compact toc ulBare">
<li class="ulEmpty compact toc ulBare" id="section-toc.1-1.1.2.1">
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.1.2.1">
<p id="section-toc.1-1.1.2.1.1" class="keepWithNext"><a href="#section-1.1" class="xref">1.1</a>.  <a href="#name-conventions-and-terminology" class="xref">Conventions and Terminology</a></p>
</li>
</ul>
</li>
<li class="ulEmpty ulBare compact toc" id="section-toc.1-1.2">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2">
<p id="section-toc.1-1.2.1"><a href="#section-2" class="xref">2</a>.  <a href="#name-format" class="xref">Format</a></p>
<ul class="ulEmpty compact toc ulBare">
<li class="ulEmpty compact toc ulBare" id="section-toc.1-1.2.2.1">
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.1">
<p id="section-toc.1-1.2.2.1.1" class="keepWithNext"><a href="#section-2.1" class="xref">2.1</a>.  <a href="#name-overview" class="xref">Overview</a></p>
</li>
<li class="ulEmpty compact toc ulBare" id="section-toc.1-1.2.2.2">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.2">
<p id="section-toc.1-1.2.2.2.1"><a href="#section-2.2" class="xref">2.2</a>.  <a href="#name-values" class="xref">values</a></p>
</li>
<li class="ulEmpty compact toc ulBare" id="section-toc.1-1.2.2.3">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.3">
<p id="section-toc.1-1.2.2.3.1"><a href="#section-2.3" class="xref">2.3</a>.  <a href="#name-related" class="xref">related</a></p>
</li>
<li class="ulEmpty compact toc ulBare" id="section-toc.1-1.2.2.4">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.4">
<p id="section-toc.1-1.2.2.4.1"><a href="#section-2.4" class="xref">2.4</a>.  <a href="#name-meta" class="xref">meta</a></p>
</li>
</ul>
</li>
<li class="ulEmpty ulBare compact toc" id="section-toc.1-1.3">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3">
<p id="section-toc.1-1.3.1"><a href="#section-3" class="xref">3</a>.  <a href="#name-json-schema" class="xref">JSON Schema</a></p>
<ul class="ulEmpty compact toc ulBare">
<li class="ulEmpty compact toc ulBare" id="section-toc.1-1.3.2.1">
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.1">
<p id="section-toc.1-1.3.2.1.1"><a href="#section-3.1" class="xref">3.1</a>.  <a href="#name-misp-galaxy-format-galaxy" class="xref">MISP galaxy format - galaxy</a></p>
</li>
<li class="ulEmpty compact toc ulBare" id="section-toc.1-1.3.2.2">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.2">
<p id="section-toc.1-1.3.2.2.1"><a href="#section-3.2" class="xref">3.2</a>.  <a href="#name-misp-galaxy-format-clusters" class="xref">MISP galaxy format - clusters</a></p>
</li>
</ul>
</li>
<li class="ulEmpty ulBare compact toc" id="section-toc.1-1.4">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4">
<p id="section-toc.1-1.4.1"><a href="#section-4" class="xref">4</a>.  <a href="#name-acknowledgements" class="xref">Acknowledgements</a></p>
</li>
<li class="ulEmpty ulBare compact toc" id="section-toc.1-1.5">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5">
<p id="section-toc.1-1.5.1"><a href="#section-5" class="xref">5</a>.  <a href="#name-normative-references" class="xref">Normative References</a></p>
</li>
<li class="ulEmpty ulBare compact toc" id="section-toc.1-1.6">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6">
<p id="section-toc.1-1.6.1"><a href="#section-6" class="xref">6</a>.  <a href="#name-informative-references" class="xref">Informative References</a></p>
</li>
<li class="ulEmpty ulBare compact toc" id="section-toc.1-1.7">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7">
<p id="section-toc.1-1.7.1"><a href="#appendix-A" class="xref"></a><a href="#name-authors-addresses" class="xref">Authors' Addresses</a></p>
</li>
</ul>
@ -1376,7 +1381,7 @@ The uuid represents the Universally Unique IDentifier (UUID) <span>[<a href="#RF
<a href="#section-2.3" class="section-number selfRef">2.3. </a><a href="#name-related" class="section-name selfRef">related</a>
</h3>
<p id="section-2.3-1">Related contains a list of JSON key value pairs which describe the related values in this galaxy cluster or to other galaxy clusters. The JSON object contains three fields, dest-uuid, type and tags. The dest-uuid represents the target UUID which encompasses a relation of some type. The dest-uuid is represented as a string and <span class="bcp14">MUST</span> be present. The type is represented as a string and <span class="bcp14">MUST</span> be present and <span class="bcp14">SHOULD</span> be selected from the relationship types available in MISP objects <span>[<a href="#MISP-R" class="xref">MISP-R</a>]</span>. The tags is a list of string which labels the related relationship such as the level of similarities, level of certainty, trust or confidence in the relationship, false-positive. A tag is represented in machine tag format which is a string an <span class="bcp14">SHOULD</span> be present.<a href="#section-2.3-1" class="pilcrow"></a></p>
<div class="artwork art-text alignLeft" id="section-2.3-2">
<div class="alignLeft art-text artwork" id="section-2.3-2">
<pre>"related": [ {
"dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a",
"type": "similar",
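Review bot: the section-2.3 paragraph carried as context in this hunk still reads "which is a string an SHOULD be present" and "a list of string"; these should be "and SHOULD be present" and "a list of strings". As the rendering is being regenerated here anyway, fix both in the source document so they do not survive into draft-08.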
@ -1391,13 +1396,13 @@ The uuid represents the Universally Unique IDentifier (UUID) <span>[<a href="#RF
<h3 id="name-meta">
<a href="#section-2.4" class="section-number selfRef">2.4. </a><a href="#name-meta" class="section-name selfRef">meta</a>
</h3>
<p id="section-2.4-1">Meta contains a list of custom defined JSON key value pairs. Users <span class="bcp14">SHOULD</span> reuse commonly used keys such as complexity, effectiveness, country, possible_issues, colour, motive, impact, refs, synonyms, status, date, encryption, extensions, ransomnotes, ransomnotes-filenames, ransomnotes-refs, suspected-victims, suspected-state-sponsor, type-of-incident, target-category, cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-category, suspected-victims, suspected-state-sponsor, attribution-confidence, payment-method, price, spoken-language, official-refs wherever applicable. Additional meta field <span class="bcp14">MAY</span> be added without the need to be referenced or registered in advance.<a href="#section-2.4-1" class="pilcrow"></a></p>
<p id="section-2.4-1">Meta contains a list of custom defined JSON key value pairs. Users <span class="bcp14">SHOULD</span> reuse commonly used keys such as complexity, effectiveness, country, external_id, possible_issues, colour, motive, impact, refs, synonyms, status, date, encryption, extensions, ransomnotes, ransomnotes-filenames, ransomnotes-refs, suspected-victims, suspected-state-sponsor, type-of-incident, target-category, cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-category, suspected-victims, suspected-state-sponsor, attribution-confidence, payment-method, price, spoken-language, official-refs wherever applicable. Additional meta field <span class="bcp14">MAY</span> be added without the need to be referenced or registered in advance.<a href="#section-2.4-1" class="pilcrow"></a></p>
<p id="section-2.4-2">refs, synonyms, official-refs <span class="bcp14">SHALL</span> be used to give further informations. refs is represented as an array containing one or more strings and <span class="bcp14">SHALL</span> be present. synonyms is represented as an array containing one or more strings and <span class="bcp14">SHALL</span> be present. official-refs is represented as an array containing one or more strings and <span class="bcp14">SHALL</span> be present.<a href="#section-2.4-2" class="pilcrow"></a></p>
<p id="section-2.4-3">date, status <span class="bcp14">MAY</span> be used to give time information about an cluster. date is represented as a string describing a time or period and <span class="bcp14">SHALL</span> be present. status is represented as a string describing the current status of the clusters. It <span class="bcp14">MAY</span> also describe a time or period and <span class="bcp14">SHALL</span> be present.<a href="#section-2.4-3" class="pilcrow"></a></p>
<p id="section-2.4-4">colour fields <span class="bcp14">MAY</span> be used at predicates or values level to set a specify colour that <span class="bcp14">MAY</span> be used by the implementation. The colour field is described as an RGB colour fill in hexadecimal representation.<a href="#section-2.4-4" class="pilcrow"></a></p>
<p id="section-2.4-5">complexity, effectiveness, impact, possible<em>issues <span class="bcp14">MAY</span> be used to give further information in preventive-measure galaxy. complexity is represented by an enumerated value from a fixed vocabulary and <span class="bcp14">SHALL</span> be present. effectiveness is represented by an enumerated value from a fixed vocabulary and <span class="bcp14">SHALL</span> be present. impact is represented by an enumerated value from a fixed vocabulary and <span class="bcp14">SHALL</span> be present. possible</em>issues is represented as a string and <span class="bcp14">SHOULD</span> be present.<a href="#section-2.4-5" class="pilcrow"></a></p>
<p id="section-2.4-5">complexity, effectiveness, impact, possible_issues <span class="bcp14">MAY</span> be used to give further information in preventive-measure galaxy. complexity is represented by an enumerated value from a fixed vocabulary and <span class="bcp14">SHALL</span> be present. effectiveness is represented by an enumerated value from a fixed vocabulary and <span class="bcp14">SHALL</span> be present. impact is represented by an enumerated value from a fixed vocabulary and <span class="bcp14">SHALL</span> be present. possible_issues is represented as a string and <span class="bcp14">SHOULD</span> be present.<a href="#section-2.4-5" class="pilcrow"></a></p>
<p id="section-2.4-6">Example use of the complexity, effectiveness, impact, possible_issues fields in the preventive-measure galaxy:<a href="#section-2.4-6" class="pilcrow"></a></p>
<div class="artwork art-text alignLeft" id="section-2.4-7">
<div class="alignLeft art-text artwork" id="section-2.4-7">
<pre>{
"meta": {
"refs": [
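Review bot: in section-2.4-1 the new key external_id joins the SHOULD-reuse list, but no paragraph in this hunk says how it is represented, whereas the paragraphs that follow give a type and a presence rule for refs, synonyms, official-refs, date, status, colour and the preventive-measure keys. Add a sentence defining external_id (its JSON type and the galaxies it is meant for). The same list also names suspected-victims and suspected-state-sponsor twice; drop the second pair while this line is being edited.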
@ -1419,7 +1424,7 @@ The uuid represents the Universally Unique IDentifier (UUID) <span>[<a href="#RF
</div>
<p id="section-2.4-8">country, motive, spoken-language <span class="bcp14">MAY</span> be used to give further information in threat-actor galaxy. country is represented as a string and <span class="bcp14">SHOULD</span> be present. motive is represented as a string and <span class="bcp14">SHOULD</span> be present. spoken-language is represented as an array containing one or more strings describing a language using ISO 639-2 code and <span class="bcp14">SHALL</span> be present.<a href="#section-2.4-8" class="pilcrow"></a></p>
<p id="section-2.4-9">Example use of the country, motive fields in the threat-actor galaxy:<a href="#section-2.4-9" class="pilcrow"></a></p>
<div class="artwork art-text alignLeft" id="section-2.4-10">
<div class="alignLeft art-text artwork" id="section-2.4-10">
<pre>{
"meta": {
"country": "CN",
@ -1443,7 +1448,7 @@ The uuid represents the Universally Unique IDentifier (UUID) <span>[<a href="#RF
</div>
<p id="section-2.4-11">encryption, extensions, ransomnotes, ransomnotes-filenames, ransomnotes-refs, payment-method, price <span class="bcp14">MAY</span> be used to give further information in ransomware galaxy. encryption is represented as a string and <span class="bcp14">SHALL</span> be present. extensions is represented as an array containing one or more strings and <span class="bcp14">SHALL</span> be present. ransomnotes is represented as an array containing one or more strings ans <span class="bcp14">SHALL</span> be present. ransomnotes-filenames is represented as an array containing one or more strings ans <span class="bcp14">SHALL</span> be present. ransomnotes-refs is represented as an array containing one or more strings ans <span class="bcp14">SHALL</span> be present. payment-method is represented as a string and <span class="bcp14">SHALL</span> be present. price is represented as a string and <span class="bcp14">SHALL</span> be present.<a href="#section-2.4-11" class="pilcrow"></a></p>
<p id="section-2.4-12">Example use of the encryption, extensions, ransomnotes fields in the ransomware galaxy:<a href="#section-2.4-12" class="pilcrow"></a></p>
<div class="artwork art-text alignLeft" id="section-2.4-13">
<div class="alignLeft art-text artwork" id="section-2.4-13">
<pre>{
"description": "Similar to Samas and BitPaymer, Ryuk is specifically used to target enterprise environments. Code comparison between versions of Ryuk and Hermes ransomware indicates that Ryuk was derived from the Hermes source code and has been under steady development since its release. Hermes is commodity ransomware that has been observed for sale on forums and used by multiple threat actors. However, Ryuk is only used by GRIM SPIDER and, unlike Hermes, Ryuk has only been used to target enterprise environments. Since Ryuks appearance in August, the threat actors operating it have netted over 705.80 BTC across 52 transactions for a total current value of $3,701,893.98 USD.",
"meta": {
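Review bot: section-2.4-11 in this hunk's context still reads "one or more strings ans SHALL be present" for ransomnotes, ransomnotes-filenames and ransomnotes-refs. Since the HTML is being regenerated in this change, correct "ans" to "and" in the draft source so the next render picks it up; section-2.4-19 has the same typo in the cfr-target-category sentence.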
@ -1464,7 +1469,7 @@ The uuid represents the Universally Unique IDentifier (UUID) <span>[<a href="#RF
</pre><a href="#section-2.4-13" class="pilcrow"></a>
</div>
<p id="section-2.4-14">Example use of the payment-method, price fields in the ransomware galaxy:<a href="#section-2.4-14" class="pilcrow"></a></p>
<div class="artwork art-text alignLeft" id="section-2.4-15">
<div class="alignLeft art-text artwork" id="section-2.4-15">
<pre>{
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
"meta": {
@ -1489,7 +1494,7 @@ The uuid represents the Universally Unique IDentifier (UUID) <span>[<a href="#RF
</div>
<p id="section-2.4-16">source-uuid, target-uuid <span class="bcp14">SHALL</span> be used to describe relationships. source-uuid and target-uuid represent the Universally Unique IDentifier (UUID) <span>[<a href="#RFC4122" class="xref">RFC4122</a>]</span> of the value reference. source-uuid and target-uuid <span class="bcp14">MUST</span> be preserved.<a href="#section-2.4-16" class="pilcrow"></a></p>
<p id="section-2.4-17">Example use of the source-uuid, target-uuid fields in the mitre-enterprise-attack-relationship galaxy:<a href="#section-2.4-17" class="pilcrow"></a></p>
<div class="artwork art-text alignLeft" id="section-2.4-18">
<div class="alignLeft art-text artwork" id="section-2.4-18">
<pre>{
"meta": {
"source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
@ -1502,7 +1507,7 @@ The uuid represents the Universally Unique IDentifier (UUID) <span>[<a href="#RF
</div>
<p id="section-2.4-19">cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident and cfr-target-category <span class="bcp14">MAY</span> be used to report information gathered from CFR's (Council on Foreign Relations) <span>[<a href="#CFR" class="xref">CFR</a>]</span> Cyber Operations Tracker. cfr-suspected-victims is represented as an array containing one or more strings and <span class="bcp14">SHALL</span> be present. cfr-suspected-state-sponsor is represented as a string and <span class="bcp14">SHALL</span> be present. cfr-type-of-incident is represented as a string or an array and <span class="bcp14">SHALL</span> be present. <span class="bcp14">RECOMMENDED</span> but not exhaustive list of possible values for cfr-type-of-incident includes "Espionage", "Denial of service", "Sabotage". cfr-target-category is represented as an array containing one or more strings ans <span class="bcp14">SHALL</span> be present. <span class="bcp14">RECOMMENDED</span> but not exhaustive list of possible values for cfr-target-category includes "Private sector", "Government", "Civil society", "Military".<a href="#section-2.4-19" class="pilcrow"></a></p>
<p id="section-2.4-20">Example use of the cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-category fields in the threat-actor galaxy:<a href="#section-2.4-20" class="pilcrow"></a></p>
<div class="artwork art-text alignLeft" id="section-2.4-21">
<div class="alignLeft art-text artwork" id="section-2.4-21">
<pre>{
"meta": {
"country": "CN",
@ -1527,7 +1532,7 @@ The uuid represents the Universally Unique IDentifier (UUID) <span>[<a href="#RF
</pre><a href="#section-2.4-21" class="pilcrow"></a>
</div>
<p id="section-2.4-22">attribution-confidence <span class="bcp14">MAY</span> be used to indicate the confidence about an attribution given by country or cfr-suspected-state-sponsor. attribution-confidence is represented on a scale from 0 to 100, where 50 means "no information", the values under 50 mean "probably not, almost certainly not to impossibility", the values above 50 means "from probable, almost certain to certainty" and <span class="bcp14">SHALL</span> be present if country or cfr-suspected-state-sponsor are present.<a href="#section-2.4-22" class="pilcrow"></a></p>
<div class="artwork art-text alignLeft" id="section-2.4-23">
<div class="alignLeft art-text artwork" id="section-2.4-23">
<pre>Impossibility no information Certainty
+
|
@ -1551,7 +1556,7 @@ The uuid represents the Universally Unique IDentifier (UUID) <span>[<a href="#RF
<h3 id="name-misp-galaxy-format-galaxy">
<a href="#section-3.1" class="section-number selfRef">3.1. </a><a href="#name-misp-galaxy-format-galaxy" class="section-name selfRef">MISP galaxy format - galaxy</a>
</h3>
<div class="artwork art-text alignLeft" id="section-3.1-1">
<div class="alignLeft art-text artwork" id="section-3.1-1">
<pre>{
"$schema": "http://json-schema.org/schema#",
"title": "Validator for misp-galaxies - Galaxies",
@ -1601,7 +1606,7 @@ The uuid represents the Universally Unique IDentifier (UUID) <span>[<a href="#RF
<h3 id="name-misp-galaxy-format-clusters">
<a href="#section-3.2" class="section-number selfRef">3.2. </a><a href="#name-misp-galaxy-format-clusters" class="section-name selfRef">MISP galaxy format - clusters</a>
</h3>
<div class="artwork art-text alignLeft" id="section-3.2-1">
<div class="alignLeft art-text artwork" id="section-3.2-1">
<pre>{
"$schema": "http://json-schema.org/schema#",
"title": "Validator for misp-galaxies - Clusters",
@ -1806,27 +1811,27 @@ of open standards in threat intelligence sharing.<a href="#section-4-1" class="p
<dl class="references">
<dt id="CFR">[CFR]</dt>
<dd>
<span class="refAuthor">Relations, C. O. F.</span>, <span class="refTitle">"Cyber Operations Tracker - Council on Foreign Relations"</span>, <span class="refContent"></span>, <time datetime="2018" class="refDate">2018</time>, <span>&lt;<a href="https://www.cfr.org/interactive/cyber-operations">https://www.cfr.org/interactive/cyber-operations</a>&gt;</span>. </dd>
<span class="refAuthor">Relations, C. O. F.</span>, <span class="refTitle">"Cyber Operations Tracker - Council on Foreign Relations"</span>, <time datetime="2018" class="refDate">2018</time>, <span>&lt;<a href="https://www.cfr.org/interactive/cyber-operations">https://www.cfr.org/interactive/cyber-operations</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="JSON-SCHEMA">[JSON-SCHEMA]</dt>
<dd>
<span class="refAuthor">Wright, A.</span>, <span class="refTitle">"JSON Schema: A Media Type for Describing JSON Documents"</span>, <span class="refContent"></span>, <time datetime="2016" class="refDate">2016</time>, <span>&lt;<a href="https://tools.ietf.org/html/draft-wright-json-schema">https://tools.ietf.org/html/draft-wright-json-schema</a>&gt;</span>. </dd>
<span class="refAuthor">Wright, A.</span>, <span class="refTitle">"JSON Schema: A Media Type for Describing JSON Documents"</span>, <time datetime="2016" class="refDate">2016</time>, <span>&lt;<a href="https://tools.ietf.org/html/draft-wright-json-schema">https://tools.ietf.org/html/draft-wright-json-schema</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="MISP-G">[MISP-G]</dt>
<dd>
<span class="refAuthor">Community, M.</span>, <span class="refTitle">"MISP Galaxy - Public Repository"</span>, <span class="refContent"></span>, <span>&lt;<a href="https://github.com/MISP/misp-galaxy">https://github.com/MISP/misp-galaxy</a>&gt;</span>. </dd>
<span class="refAuthor">Community, M.</span>, <span class="refTitle">"MISP Galaxy - Public Repository"</span>, <span>&lt;<a href="https://github.com/MISP/misp-galaxy">https://github.com/MISP/misp-galaxy</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="MISP-G-DOC">[MISP-G-DOC]</dt>
<dd>
<span class="refAuthor">Community, M.</span>, <span class="refTitle">"MISP Galaxy - Documentation of the Public Repository"</span>, <span class="refContent"></span>, <span>&lt;<a href="https://www.misp-project.org/galaxy.html">https://www.misp-project.org/galaxy.html</a>&gt;</span>. </dd>
<span class="refAuthor">Community, M.</span>, <span class="refTitle">"MISP Galaxy - Documentation of the Public Repository"</span>, <span>&lt;<a href="https://www.misp-project.org/galaxy.html">https://www.misp-project.org/galaxy.html</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="MISP-P">[MISP-P]</dt>
<dd>
<span class="refAuthor">Community, M.</span>, <span class="refTitle">"MISP Project - Malware Information Sharing Platform and Threat Sharing"</span>, <span class="refContent"></span>, <span>&lt;<a href="https://github.com/MISP">https://github.com/MISP</a>&gt;</span>. </dd>
<span class="refAuthor">Community, M.</span>, <span class="refTitle">"MISP Project - Malware Information Sharing Platform and Threat Sharing"</span>, <span>&lt;<a href="https://github.com/MISP">https://github.com/MISP</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="MISP-R">[MISP-R]</dt>
<dd>
<span class="refAuthor">Community, M.</span>, <span class="refTitle">"MISP Object Relationship Types - common vocabulary of relationships"</span>, <span class="refContent"></span>, <span>&lt;<a href="https://github.com/MISP/misp-objects/tree/master/relationships">https://github.com/MISP/misp-objects/tree/master/relationships</a>&gt;</span>. </dd>
<span class="refAuthor">Community, M.</span>, <span class="refTitle">"MISP Object Relationship Types - common vocabulary of relationships"</span>, <span>&lt;<a href="https://github.com/MISP/misp-objects/tree/master/relationships">https://github.com/MISP/misp-objects/tree/master/relationships</a>&gt;</span>. </dd>
<dd class="break"></dd>
</dl>
</section>
@ -1838,8 +1843,8 @@ of open standards in threat intelligence sharing.<a href="#section-4-1" class="p
<address class="vcard">
<div dir="auto" class="left"><span class="fn nameRole">Alexandre Dulaunoy</span></div>
<div dir="auto" class="left"><span class="org">Computer Incident Response Center Luxembourg</span></div>
<div dir="auto" class="left"><span class="street-address">16, bd d'Avranches</span></div>
<div dir="auto" class="left">L-<span class="postal-code">L-1611</span> <span class="locality">Luxembourg</span>
<div dir="auto" class="left"><span class="street-address">122, rue Adolphe Fischer</span></div>
<div dir="auto" class="left">L-<span class="postal-code">L-1521</span> <span class="locality">Luxembourg</span>
</div>
<div dir="auto" class="left"><span class="country-name">Luxembourg</span></div>
<div class="tel">
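Review bot: the postal-code span in the updated address keeps its own "L-" prefix after the literal "L-" that precedes it (`L-<span class="postal-code">L-1521</span>`), so the address renders as "L-L-1521 Luxembourg", which is what the text version of the draft shows. As the address is being rewritten here anyway, give the postal code in the source without the "L-" so the generated prefix is the only one; the same applies to the other two author blocks.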
@ -1854,8 +1859,8 @@ of open standards in threat intelligence sharing.<a href="#section-4-1" class="p
<address class="vcard">
<div dir="auto" class="left"><span class="fn nameRole">Andras Iklody</span></div>
<div dir="auto" class="left"><span class="org">Computer Incident Response Center Luxembourg</span></div>
<div dir="auto" class="left"><span class="street-address">16, bd d'Avranches</span></div>
<div dir="auto" class="left">L-<span class="postal-code">L-1611</span> <span class="locality">Luxembourg</span>
<div dir="auto" class="left"><span class="street-address">122, rue Adolphe Fischer</span></div>
<div dir="auto" class="left">L-<span class="postal-code">L-1521</span> <span class="locality">Luxembourg</span>
</div>
<div dir="auto" class="left"><span class="country-name">Luxembourg</span></div>
<div class="tel">
@ -1870,8 +1875,8 @@ of open standards in threat intelligence sharing.<a href="#section-4-1" class="p
<address class="vcard">
<div dir="auto" class="left"><span class="fn nameRole">Deborah Servili</span></div>
<div dir="auto" class="left"><span class="org">Computer Incident Response Center Luxembourg</span></div>
<div dir="auto" class="left"><span class="street-address">16, bd d'Avranches</span></div>
<div dir="auto" class="left">L-<span class="postal-code">L-1611</span> <span class="locality">Luxembourg</span>
<div dir="auto" class="left"><span class="street-address">122, rue Adolphe Fischer</span></div>
<div dir="auto" class="left">L-<span class="postal-code">L-1521</span> <span class="locality">Luxembourg</span>
</div>
<div dir="auto" class="left"><span class="country-name">Luxembourg</span></div>
<div class="tel">

View File

@ -5,12 +5,12 @@
Network Working Group A. Dulaunoy
Internet-Draft A. Iklody
Intended status: Informational D. Servili
Expires: 25 May 2022 CIRCL
21 November 2021
Expires: 26 June 2024 CIRCL
24 December 2023
MISP galaxy format
draft-00
draft-08
Abstract
@ -38,11 +38,11 @@ Status of This Memo
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 25 May 2022.
This Internet-Draft will expire on 26 June 2024.
Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the
Copyright (c) 2023 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
@ -53,9 +53,9 @@ Copyright Notice
Dulaunoy, et al. Expires 25 May 2022 [Page 1]
Dulaunoy, et al. Expires 26 June 2024 [Page 1]
Internet-Draft MISP galaxy format November 2021
Internet-Draft MISP galaxy format December 2023
Table of Contents
@ -109,9 +109,9 @@ Table of Contents
Dulaunoy, et al. Expires 25 May 2022 [Page 2]
Dulaunoy, et al. Expires 26 June 2024 [Page 2]
Internet-Draft MISP galaxy format November 2021
Internet-Draft MISP galaxy format December 2023
2.1. Overview
@ -165,9 +165,9 @@ Internet-Draft MISP galaxy format November 2021
Dulaunoy, et al. Expires 25 May 2022 [Page 3]
Dulaunoy, et al. Expires 26 June 2024 [Page 3]
Internet-Draft MISP galaxy format November 2021
Internet-Draft MISP galaxy format December 2023
A tag is represented in machine tag format which is a string an
@ -183,15 +183,15 @@ Internet-Draft MISP galaxy format November 2021
Meta contains a list of custom defined JSON key value pairs. Users
SHOULD reuse commonly used keys such as complexity, effectiveness,
country, possible_issues, colour, motive, impact, refs, synonyms,
status, date, encryption, extensions, ransomnotes, ransomnotes-
filenames, ransomnotes-refs, suspected-victims, suspected-state-
sponsor, type-of-incident, target-category, cfr-suspected-victims,
cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-
category, suspected-victims, suspected-state-sponsor, attribution-
confidence, payment-method, price, spoken-language, official-refs
wherever applicable. Additional meta field MAY be added without the
need to be referenced or registered in advance.
country, external_id, possible_issues, colour, motive, impact, refs,
synonyms, status, date, encryption, extensions, ransomnotes,
ransomnotes-filenames, ransomnotes-refs, suspected-victims,
suspected-state-sponsor, type-of-incident, target-category, cfr-
suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident,
cfr-target-category, suspected-victims, suspected-state-sponsor,
attribution-confidence, payment-method, price, spoken-language,
official-refs wherever applicable. Additional meta field MAY be
added without the need to be referenced or registered in advance.
refs, synonyms, official-refs SHALL be used to give further
informations. refs is represented as an array containing one or more
@ -221,9 +221,9 @@ Internet-Draft MISP galaxy format November 2021
Dulaunoy, et al. Expires 25 May 2022 [Page 4]
Dulaunoy, et al. Expires 26 June 2024 [Page 4]
Internet-Draft MISP galaxy format November 2021
Internet-Draft MISP galaxy format December 2023
Example use of the complexity, effectiveness, impact, possible_issues
@ -277,9 +277,9 @@ Internet-Draft MISP galaxy format November 2021
Dulaunoy, et al. Expires 25 May 2022 [Page 5]
Dulaunoy, et al. Expires 26 June 2024 [Page 5]
Internet-Draft MISP galaxy format November 2021
Internet-Draft MISP galaxy format December 2023
{
@ -333,9 +333,9 @@ Internet-Draft MISP galaxy format November 2021
Dulaunoy, et al. Expires 25 May 2022 [Page 6]
Dulaunoy, et al. Expires 26 June 2024 [Page 6]
Internet-Draft MISP galaxy format November 2021
Internet-Draft MISP galaxy format December 2023
{
@ -389,9 +389,9 @@ Internet-Draft MISP galaxy format November 2021
Dulaunoy, et al. Expires 25 May 2022 [Page 7]
Dulaunoy, et al. Expires 26 June 2024 [Page 7]
Internet-Draft MISP galaxy format November 2021
Internet-Draft MISP galaxy format December 2023
Example use of the source-uuid, target-uuid fields in the mitre-
@ -445,9 +445,9 @@ Internet-Draft MISP galaxy format November 2021
Dulaunoy, et al. Expires 25 May 2022 [Page 8]
Dulaunoy, et al. Expires 26 June 2024 [Page 8]
Internet-Draft MISP galaxy format November 2021
Internet-Draft MISP galaxy format December 2023
{
@ -501,9 +501,9 @@ Internet-Draft MISP galaxy format November 2021
Dulaunoy, et al. Expires 25 May 2022 [Page 9]
Dulaunoy, et al. Expires 26 June 2024 [Page 9]
Internet-Draft MISP galaxy format November 2021
Internet-Draft MISP galaxy format December 2023
{
@ -557,9 +557,9 @@ Internet-Draft MISP galaxy format November 2021
Dulaunoy, et al. Expires 25 May 2022 [Page 10]
Dulaunoy, et al. Expires 26 June 2024 [Page 10]
Internet-Draft MISP galaxy format November 2021
Internet-Draft MISP galaxy format December 2023
{
@ -613,9 +613,9 @@ Internet-Draft MISP galaxy format November 2021
Dulaunoy, et al. Expires 25 May 2022 [Page 11]
Dulaunoy, et al. Expires 26 June 2024 [Page 11]
Internet-Draft MISP galaxy format November 2021
Internet-Draft MISP galaxy format December 2023
"type": "object"
@ -669,9 +669,9 @@ Internet-Draft MISP galaxy format November 2021
Dulaunoy, et al. Expires 25 May 2022 [Page 12]
Dulaunoy, et al. Expires 26 June 2024 [Page 12]
Internet-Draft MISP galaxy format November 2021
Internet-Draft MISP galaxy format December 2023
"type": "string"
@ -725,9 +725,9 @@ Internet-Draft MISP galaxy format November 2021
Dulaunoy, et al. Expires 25 May 2022 [Page 13]
Dulaunoy, et al. Expires 26 June 2024 [Page 13]
Internet-Draft MISP galaxy format November 2021
Internet-Draft MISP galaxy format December 2023
"type": "array",
@ -781,9 +781,9 @@ Internet-Draft MISP galaxy format November 2021
Dulaunoy, et al. Expires 25 May 2022 [Page 14]
Dulaunoy, et al. Expires 26 June 2024 [Page 14]
Internet-Draft MISP galaxy format November 2021
Internet-Draft MISP galaxy format December 2023
[JSON-SCHEMA]
@ -809,8 +809,8 @@ Authors' Addresses
Alexandre Dulaunoy
Computer Incident Response Center Luxembourg
16, bd d'Avranches
L-L-1611 Luxembourg
122, rue Adolphe Fischer
L-L-1521 Luxembourg
Luxembourg
Phone: +352 247 88444
@ -819,8 +819,8 @@ Authors' Addresses
Andras Iklody
Computer Incident Response Center Luxembourg
16, bd d'Avranches
L-L-1611 Luxembourg
122, rue Adolphe Fischer
L-L-1521 Luxembourg
Luxembourg
Phone: +352 247 88444
@ -829,17 +829,17 @@ Authors' Addresses
Deborah Servili
Computer Incident Response Center Luxembourg
16, bd d'Avranches
L-L-1611 Luxembourg
122, rue Adolphe Fischer
L-L-1521 Luxembourg
Luxembourg
Phone: +352 247 88444
Dulaunoy, et al. Expires 25 May 2022 [Page 15]
Dulaunoy, et al. Expires 26 June 2024 [Page 15]
Internet-Draft MISP galaxy format November 2021
Internet-Draft MISP galaxy format December 2023
Email: deborah.servili@circl.lu
@ -893,4 +893,4 @@ Internet-Draft MISP galaxy format November 2021
Dulaunoy, et al. Expires 25 May 2022 [Page 16]
Dulaunoy, et al. Expires 26 June 2024 [Page 16]

File diff suppressed because it is too large Load Diff
