chg: [misp] ids predicate added following discussion in a MISP user-group.

A new predicate has been added to potentially influence the IDS flag at
event or attribute level. This is often a desired option to overwrite
the existing IDS flag set by the event creator with a local preference.

- `misp:ids="true"` -> set the IDS flag
- `misp:ids="force"` -> force the use of the ids predicate (over the IDS flag set)
- `misp:ids="false"` -> unset the IDS flag

This predicate is not currently used in MISP directly but must be
used for external tools using it. Those tags can be set at local or
global level depending on the use-case.
pull/176/head
Alexandre Dulaunoy 2019-11-18 10:12:51 +01:00
parent d0e03885fa
commit 9cff26078e
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
1 changed files with 25 additions and 1 deletions

misp/machinetag.json Executable file → Normal file

@ -153,6 +153,26 @@
"value": "invalid" "value": "invalid"
} }
] ]
},
{
"predicate": "ids",
"entry": [
{
"expanded": "force",
"value": "force",
"description": "Force the IDS flag to be the one from the tag."
},
{
"expanded": "true",
"value": "true",
"description": "Overwrite the current IDS flag of the information tag by IDS true."
},
{
"expanded": "false",
"value": "false",
"description": "Overwrite the current IDS flag of the information tag by IDS false."
}
]
} }
], ],
"predicates": [ "predicates": [
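Review bot: the "force" entry does not say which value it forces. Its description reads "Force the IDS flag to be the one from the tag", yet misp:ids="force" carries neither true nor false, so a consuming tool cannot tell from this entry whether force has to be combined with misp:ids="true" or misp:ids="false", or what it means when it appears alone. Please state in the description how force combines with the other two values. The wording "of the information tag" in the true and false descriptions is also unclear; something like "Overwrite the current IDS flag with IDS true" would read better.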
@ -164,6 +184,10 @@
"expanded": "API related tag influencing the MISP behavior of the API.", "expanded": "API related tag influencing the MISP behavior of the API.",
"value": "api" "value": "api"
}, },
{
"expanded": "IDS related tag unfluencing the MISP behavior of the IDS flag.",
"value": "ids"
},
{ {
"description": "Expansion tag incluencing the MISP behavior using expansion modules", "description": "Expansion tag incluencing the MISP behavior using expansion modules",
"expanded": "Expansion", "expanded": "Expansion",
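Review bot: typo in the added "expanded" string, "unfluencing" should be "influencing". The new entry also has no "description" key, unlike the Expansion entry right after it, so tools that display predicate descriptions will have nothing to show for ids. Since true and false contradict each other, consider whether this predicate should carry "exclusive": true like the entry visible in the last hunk; otherwise an event or attribute can hold both tags and external tools get no guidance on which one wins.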
@ -204,7 +228,7 @@
"exclusive": true "exclusive": true
} }
], ],
"version": 10, "version": 11,
"description": "MISP taxonomy to infer with MISP behavior or operation.", "description": "MISP taxonomy to infer with MISP behavior or operation.",
"expanded": "MISP", "expanded": "MISP",
"namespace": "misp" "namespace": "misp"