---
layout: page
title: MISP data models - MISP core format - MISP taxonomies
permalink: /datamodels/
toc: true
---
MISP is not only software but also a series of data models created by the MISP community. MISP includes a simple and practical information sharing format expressed in JSON that can be used with MISP software or by any other software.
## MISP Core Format
### MISP default attributes and categories
## MISP Taxonomies
Along with the core format, [MISP taxonomies](https://www.github.com/MISP/misp-taxonomies/) provide a set of already defined classifications modeling estimative language, CSIRT/CERT classifications, national classifications or threat model classifications. The fixed taxonomies provide a practical method to efficiently tag events and attributes within a set of MISP instances, where taxonomies can easily be cherry-picked or extended to meet the local requirements of an organization or a specific sharing community. When using MISP, the MISP taxonomies are available and can be freely used based on community practices.

- [Admiralty Scale](https://github.com/MISP/misp-taxonomies/admiralty-scale)
- [adversary](https://github.com/MISP/misp-taxonomies/adversary) - description of an adversary infrastructure
- CIRCL [Taxonomy - Schemes of Classification in Incident Response and Detection](https://github.com/MISP/misp-taxonomies/circl)
- [Cyber Kill Chain](https://github.com/MISP/misp-taxonomies/kill-chain) from Lockheed Martin
- German (DE) [Government classification markings (VS)](https://github.com/MISP/misp-taxonomies/de-vs)
- [DHS CIIP Sectors](https://github.com/MISP/misp-taxonomies/dhs-ciip-sectors)
- [eCSIRT](https://github.com/MISP/misp-taxonomies/ecsirt) and IntelMQ incident classification
- [ENISA](https://github.com/MISP/misp-taxonomies/enisa) Threat Taxonomy
- [Estimative Language](https://github.com/MISP/misp-taxonomies/estimative-language) (ICD 203)
- [EU critical sectors](https://github.com/MISP/misp-taxonomies/eu-critical-sectors) - EU critical sectors
- [EUCI](https://github.com/MISP/misp-taxonomies/euci) - EU classified information marking
- [Europol Incident](https://github.com/MISP/misp-taxonomies/europol-incident) - Europol class of incident taxonomy
- [Europol Events](https://github.com/MISP/misp-taxonomies/europol-events) - Europol type of events taxonomy
- [FIRST CSIRT Case](https://github.com/MISP/misp-taxonomies/csirt_case_classification) classification
- [FIRST Information Exchange Policy (IEP)](https://github.com/MISP/misp-taxonomies/iep) framework
- [Information Security Indicators](https://github.com/MISP/misp-taxonomies/information-security-indicators) - ETSI GS ISI 001-1 (V1.1.2): ISI Indicators
- [Information Security Marking Metadata](https://github.com/MISP/misp-taxonomies/dni-ism) from DNI (Director of National Intelligence - US)
- [Malware](https://github.com/MISP/misp-taxonomies/malware) classification based on a SANS document
- [ms-caro-malware](https://github.com/MISP/misp-taxonomies/ms-caro-malware) Malware Type and Platform classification based on Microsoft's implementation of the Computer Antivirus Research Organization (CARO) Naming Scheme and Malware Terminology.
- [NATO Classification Marking](https://github.com/MISP/misp-taxonomies/nato)
- [Open Threat Taxonomy v1.1 (SANS)](https://github.com/MISP/misp-taxonomies/open-threat)
- [OSINT Open Source Intelligence - Classification](https://github.com/MISP/misp-taxonomies/osint)
- [PAP - Permissible Actions Protocol](https://github.com/MISP/misp-taxonomies/pap) - designed to indicate how the received information can be used
- [TLP - Traffic Light Protocol](https://github.com/MISP/misp-taxonomies/tlp)
- Vocabulary for Event Recording and Incident Sharing [VERIS](https://github.com/MISP/misp-taxonomies/veris)