Network Working Group                                        A. Dulaunoy
Internet-Draft                                                 A. Iklody
Intended status: Informational                                     CIRCL
Expires: October 12, 2017                                 April 10, 2017


                            MISP core format
                  draft-dulaunoy-misp-core-format-01

Abstract

   This document describes the MISP core format used to exchange
   indicators and threat information between MISP (Malware Information
   and threat Sharing Platform) instances.  The JSON format includes the
   overall structure along with the semantics associated with each
   respective key.  The format is described to support other
   implementations that reuse the format and to ensure interoperability
   with existing MISP [MISP-P] software and other Threat Intelligence
   Platforms.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 12, 2017.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Conventions and Terminology
   2.  Format
     2.1.  Overview
     2.2.  Event
       2.2.1.  Event Attributes
     2.3.  Objects
       2.3.1.  Org
       2.3.2.  Orgc
     2.4.  Attribute
       2.4.1.  Sample Attribute Object
       2.4.2.  Attribute Attributes
     2.5.  ShadowAttribute
       2.5.1.  Sample Attribute Object
       2.5.2.  ShadowAttribute Attributes
       2.5.3.  Org
     2.6.  Tag
       2.6.1.  Sample Tag
     2.7.  Galaxy
       2.7.1.  Sample Galaxy
   3.  JSON Schema
   4.  Manifest
     4.1.  Format
       4.1.1.  Sample Manifest
   5.  Implementation
   6.  Security Considerations
   7.  Acknowledgements
   8.  Sample MISP file
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Authors' Addresses

1.  Introduction

   Sharing threat information has become a fundamental requirement in
   the Internet, security and intelligence community at large.  Threat
   information can include indicators of compromise, malicious file
   indicators, financial fraud indicators or even detailed information
   about a threat actor.  MISP [MISP-P] started as an open source
   project in late 2011 and the MISP format has come to be widely used
   as an exchange format within the community over the past years.  The
   aim of this document is to describe the specification and the MISP
   core format.

1.1.  Conventions and Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.  Format

2.1.  Overview

   The MISP core format is in the JSON [RFC4627] format.  In MISP, an
   event is composed of a single JSON object.

   A capitalized key (like Event, Org) represents a data model and a
   non-capitalized key is just an attribute.  This nomenclature allows
   an implementation to represent the MISP format in another data
   structure.

2.2.  Event

   An event is a simple meta structure scheme where attributes and
   meta-data are embedded to compose a coherent set of indicators.  An
   event can be composed from an incident, a security analysis report or
   a specific threat actor analysis.  The meaning of an event depends
   only on the information embedded in the event.
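   The following is an added example, not code from the draft or from
   the MISP project.  It checks an Event object against the per-field
   rules that Section 2.2.1 defines: presence, JSON type, the enumerated
   values of threat_level_id, analysis and distribution, the ISO 8601
   date, the 256-character limit on info, and the rule that
   sharing_group_id is "0" unless distribution is "4".  The sample event,
   its identifiers and its organisation are constructed; treating
   attribute_count as the length of an embedded Attribute array is an
   assumption of the example.

```python
"""Check a MISP Event object against the field rules of Section 2.2.1.
Added example, not code from the draft or from the MISP project.  The
sample event and its identifiers are constructed."""
import datetime
import re
import uuid

THREAT_LEVELS = {"0", "1", "2", "3"}             # Undefined, Low, Medium, High
ANALYSIS_LEVELS = {"0", "1", "2"}                # Initial, Ongoing, Complete
EVENT_DISTRIBUTIONS = {"0", "1", "2", "3", "4"}  # "4" = Sharing Group
REQUIRED = ("uuid", "id", "published", "info", "threat_level_id", "analysis", "date",
            "timestamp", "publish_timestamp", "org_id", "orgc_id", "attribute_count",
            "distribution")
DECIMAL_STRINGS = ("id", "timestamp", "publish_timestamp", "org_id", "orgc_id",
                   "attribute_count")


def _check_org(org, label, problems):
    """Org / Orgc objects (Section 2.3): uuid, name and id MUST be JSON strings."""
    if not isinstance(org, dict):
        problems.append(f"{label} is not a JSON object")
        return
    for key in ("uuid", "name", "id"):
        if not isinstance(org.get(key), str):
            problems.append(f"{label}.{key} missing or not a JSON string")


def validate_event(event):
    """Return the list of rule violations; an empty list means the Event conforms."""
    problems = [f"missing {key}" for key in REQUIRED if key not in event]
    if problems:
        return problems
    try:  # any RFC 4122 UUID is accepted; version 4 is only RECOMMENDED
        uuid.UUID(event["uuid"])
    except (ValueError, AttributeError, TypeError):
        problems.append("uuid is not a valid UUID")
    if not isinstance(event["published"], bool):
        problems.append("published must be a JSON boolean")
    info = event["info"]
    if not isinstance(info, str):
        problems.append("info must be a JSON string")
    elif len(info) > 256 or "\n" in info or "\r" in info:
        problems.append("info exceeds 256 characters or contains a new-line")
    if event["threat_level_id"] not in THREAT_LEVELS:
        problems.append("threat_level_id must be one of 0..3")
    if event["analysis"] not in ANALYSIS_LEVELS:
        problems.append("analysis must be one of 0..2")
    date = event["date"]  # ISO 8601, date only (YYYY-MM-DD), and a real calendar date
    try:
        if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", date):
            raise ValueError
        datetime.date.fromisoformat(date)
    except (ValueError, TypeError):
        problems.append("date is not an ISO 8601 YYYY-MM-DD date")
    for key in DECIMAL_STRINGS:  # Unix timestamps and counters travel as decimal strings
        if not (isinstance(event[key], str) and event[key].isdigit()):
            problems.append(f"{key} must be a decimal JSON string")
    dist, sg = event["distribution"], event.get("sharing_group_id")
    if dist not in EVENT_DISTRIBUTIONS:
        problems.append("distribution must be one of 0..4")
    elif dist == "4" and sg in (None, "0"):
        problems.append("distribution 4 requires a sharing_group_id")
    elif dist != "4" and sg not in (None, "0"):
        problems.append('sharing_group_id MUST be "0" unless distribution is 4')
    for label in ("Org", "Orgc"):
        if label in event:
            _check_org(event[label], label, problems)
    # Assumption of this example: attribute_count equals the embedded Attribute array length
    if "Attribute" in event and str(len(event["Attribute"])) != event["attribute_count"]:
        problems.append("attribute_count does not match the Attribute array")
    return problems


# Constructed sample (ids, UUIDs and the organisation are made up)
SAMPLE_EVENT = {
    "Event": {
        "id": "42",
        "uuid": "5ad1f4b2-2c5c-4c0e-9f6a-0a1b2c3d4e5f",
        "published": True,
        "info": "Constructed sample event for format checks",
        "threat_level_id": "2",
        "analysis": "1",
        "date": "2017-04-10",
        "timestamp": "1491825600",
        "publish_timestamp": "1491829200",
        "org_id": "1",
        "orgc_id": "1",
        "attribute_count": "0",
        "distribution": "1",
        "sharing_group_id": "0",
        "Org": {"id": "1", "name": "EXAMPLE-ORG", "uuid": "0c4c7e3a-1b6d-4f2e-8a9b-7c6d5e4f3a2b"},
        "Orgc": {"id": "1", "name": "EXAMPLE-ORG", "uuid": "0c4c7e3a-1b6d-4f2e-8a9b-7c6d5e4f3a2b"},
        "Attribute": [],
    }
}

if __name__ == "__main__":
    print(validate_event(SAMPLE_EVENT["Event"]) or "event conforms")
```

   A receiving instance would run such a check before importing an
   event: a distribution value outside the defined range, or a sharing
   group reference that contradicts the distribution level, is exactly
   the kind of inconsistency that later leaks data to the wrong
   audience if accepted silently.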
2.2.1.  Event Attributes

2.2.1.1.  uuid

   uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of
   the event.  The uuid MUST be preserved for any updates or transfer of
   the same event.  UUID version 4 is RECOMMENDED when assigning it to a
   new event.

   uuid is represented as a JSON string.  uuid MUST be present.

2.2.1.2.  id

   id represents the human-readable identifier associated to the event
   for a specific MISP instance.

   id is represented as a JSON string.  id SHALL be present.

2.2.1.3.  published

   published represents the event publication state.  If the event was
   published, the published value MUST be true.  In any other
   publication state, the published value MUST be false.

   published is represented as a JSON boolean.  published MUST be
   present.

2.2.1.4.  info

   info represents the information field of the event.  info is a
   free-text value providing a human-readable summary of the event.
   info SHOULD NOT be bigger than 256 characters and SHOULD NOT include
   new-lines.

   info is represented as a JSON string.  info MUST be present.

2.2.1.5.  threat_level_id

   threat_level_id represents the threat level.

   0:  Undefined

   1:  Low

   2:  Medium

   3:  High

   If a higher granularity is required, a MISP taxonomy applied as a Tag
   SHOULD be preferred.

   threat_level_id is represented as a JSON string.  threat_level_id
   SHALL be present.

2.2.1.6.  analysis

   analysis represents the analysis level.

   0:  Initial

   1:  Ongoing

   2:  Complete

   If a higher granularity is required, a MISP taxonomy applied as a Tag
   SHOULD be preferred.

   analysis is represented as a JSON string.  analysis SHALL be present.

2.2.1.7.  date

   date represents a reference date to the event in ISO 8601 format
   (date only: YYYY-MM-DD).  This date corresponds to the date the event
   occurred, which may be in the past.

   date is represented as a JSON string.  date MUST be present.

2.2.1.8.  timestamp

   timestamp represents a reference time when the event, or one of the
   attributes within the event, was created or last updated/edited on
   the instance.  timestamp is expressed in seconds (decimal) since the
   1st of January 1970 (Unix timestamp).  The time zone MUST be UTC.

   timestamp is represented as a JSON string.  timestamp MUST be present.

2.2.1.9.  publish_timestamp

   publish_timestamp represents a reference time when the event was
   published on the instance.  publish_timestamp is expressed in seconds
   (decimal) since the 1st of January 1970 (Unix timestamp).  At each
   publication of an event, publish_timestamp MUST be updated.  The time
   zone MUST be UTC.

   publish_timestamp is represented as a JSON string.  publish_timestamp
   MUST be present.

2.2.1.10.  org_id

   org_id represents a human-readable identifier referencing an Org
   object of the organization which generated the event.

   The org_id MUST be updated when the event is generated by a new
   instance.

   org_id is represented as a JSON string.  org_id MUST be present.

2.2.1.11.  orgc_id

   orgc_id represents a human-readable identifier referencing an Orgc
   object of the organization which created the event.

   The orgc_id and Orgc object MUST be preserved for any updates or
   transfer of the same event.

   orgc_id is represented as a JSON string.  orgc_id MUST be present.

2.2.1.12.  attribute_count

   attribute_count represents the number of attributes in the event.
   attribute_count is expressed in decimal.

   attribute_count is represented as a JSON string.  attribute_count
   SHALL be present.

2.2.1.13.  distribution

   distribution represents the basic distribution rules of the event.
   The system must adhere to the distribution setting for access control
   and for dissemination of the event.

   distribution is represented by a JSON string.  distribution MUST be
   present and be one of the following options:

   0  Your Organisation Only

   1  This Community Only

   2  Connected Communities

   3  All Communities

   4  Sharing Group

2.2.1.14.  sharing_group_id

   sharing_group_id represents a human-readable identifier referencing a
   Sharing Group object that defines the distribution of the event, if
   distribution level "4" is set.

   sharing_group_id is represented by a JSON string and SHOULD be
   present.  If a distribution level other than "4" is chosen, the
   sharing_group_id MUST be set to "0".

2.3.  Objects

2.3.1.  Org

   An Org object is composed of an uuid, name and id.

   The uuid represents the Universally Unique IDentifier (UUID)
   [RFC4122] of the organization.  The organization UUID is globally
   assigned to an organization and SHALL be kept over time.

   The name is a readable description of the organization and SHOULD be
   present.  The id is a human-readable identifier generated by the
   instance and used as reference in the event.

   uuid, name and id are represented as a JSON string.  uuid, name and id
   MUST be present.

2.3.1.1.  Sample Org Object

   "Org": {
     "id": "2",
     "name": "CIRCL",
     "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
   }

2.3.2.  Orgc

   An Orgc object is composed of an uuid, name and id.

   The uuid MUST be preserved for any updates or transfer of the same
   event.  UUID version 4 is RECOMMENDED when assigning it to a new
   event.  The organization UUID is globally assigned to an organization
   and SHALL be kept over time.

   The name is a readable description of the organization and SHOULD be
   present.  The id is a human-readable identifier generated by the
   instance and used as reference in the event.

   uuid, name and id are represented as a JSON string.  uuid, name and id
   MUST be present.

2.4.  Attribute

   Attributes are used to describe the indicators and contextual data of
   an event.  The main information contained in an attribute is made up
   of a category-type-value triplet, where the category and type give
   meaning and context to the value.  Through the various category-type
   combinations a wide range of information can be conveyed.

   A MISP document MUST include at least the category-type-value triplet
   described in section "Attribute Attributes".

2.4.1.  Sample Attribute Object

   "Attribute": {
     "id": "346056",
     "type": "comment",
     "category": "Other",
     "to_ids": false,
     "uuid": "57f4f6d9-cd20-458b-84fd-109ec0a83869",
     "event_id": "3357",
     "distribution": "5",
     "timestamp": "1475679332",
     "comment": "",
     "sharing_group_id": "0",
     "deleted": false,
     "value": "Hello world",
     "SharingGroup": [],
     "ShadowAttribute": [],
     "RelatedAttribute": []
   }

2.4.2.  Attribute Attributes

2.4.2.1.  uuid

   uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of
   the event.  The uuid MUST be preserved for any updates or transfer of
   the same event.  UUID version 4 is RECOMMENDED when assigning it to a
   new event.

   uuid is represented as a JSON string.  uuid MUST be present.

2.4.2.2.  id

   id represents the human-readable identifier associated to the event
   for a specific MISP instance.

   id is represented as a JSON string.  id SHALL be present.

2.4.2.3.  type

   type represents the means through which an attribute tries to
   describe the intent of the attribute creator, using a list of
   pre-defined attribute types.

   type is represented as a JSON string.  type MUST be present and it
   MUST be a valid selection for the chosen category.  The list of valid
   category-type combinations is as follows:

   Internal reference
      text, link, comment, other, hex

   Targeting data
      target-user, target-email, target-machine, target-org,
      target-location, target-external, comment

   Antivirus detection
      link, comment, text, hex, attachment, other

   Payload delivery
      md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
      ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename,
      filename|md5, filename|sha1, filename|sha224, filename|sha256,
      filename|sha384, filename|sha512, filename|sha512/224,
      filename|sha512/256, filename|authentihash, filename|ssdeep,
      filename|tlsh, filename|imphash, filename|impfuzzy,
      filename|pehash, ip-src, ip-dst, hostname, domain, email-src,
      email-dst, email-subject, email-attachment, url, user-agent, AS,
      pattern-in-file, pattern-in-traffic, yara, attachment,
      malware-sample, link, malware-type, comment, text, vulnerability,
      x509-fingerprint-sha1, other, ip-dst|port, ip-src|port,
      hostname|port, email-dst-display-name, email-src-display-name,
      email-header, email-reply-to, email-x-mailer, email-mime-boundary,
      email-thread-index, email-message-id, mobile-application-id

   Artifacts dropped
      md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
      ssdeep, imphash, impfuzzy, authentihash, filename, filename|md5,
      filename|sha1, filename|sha224, filename|sha256, filename|sha384,
      filename|sha512, filename|sha512/224, filename|sha512/256,
      filename|authentihash, filename|ssdeep, filename|tlsh,
      filename|imphash, filename|impfuzzy, filename|pehash, regkey,
      regkey|value, pattern-in-file, pattern-in-memory, pdb, yara,
      sigma, attachment, malware-sample, named pipe, mutex,
      windows-scheduled-task, windows-service-name,
      windows-service-displayname, comment, text, hex,
      x509-fingerprint-sha1, other

   Payload installation
      md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
      ssdeep, imphash, authentihash, pehash, tlsh, filename,
      filename|md5, filename|sha1, filename|sha224, filename|sha256,
      filename|sha384, filename|sha512, filename|sha512/224,
      filename|sha512/256, filename|authentihash, filename|ssdeep,
      filename|tlsh, filename|imphash, filename|pehash, pattern-in-file,
      pattern-in-traffic, pattern-in-memory, yara, vulnerability,
      attachment, malware-sample, malware-type, comment, text, hex,
      x509-fingerprint-sha1, mobile-application-id, other

   Persistence mechanism
      filename, regkey, regkey|value, comment, text, other, text

   Network activity
      ip-src, ip-dst, hostname, domain, domain|ip, email-dst, url, uri,
      user-agent, http-method, AS, snort, pattern-in-file,
      pattern-in-traffic, attachment, comment, text,
      x509-fingerprint-sha1, other, hex

   Payload type
      comment, text, other

   Attribution
      threat-actor, campaign-name, campaign-id, whois-registrant-phone,
      whois-registrant-email, whois-registrant-name, whois-registrar,
      whois-creation-date, comment, text, x509-fingerprint-sha1, other

   External analysis
      md5, sha1, sha256, filename, filename|md5, filename|sha1,
      filename|sha256, ip-src, ip-dst, hostname, domain, domain|ip, url,
      user-agent, regkey, regkey|value, AS, snort, pattern-in-file,
      pattern-in-traffic, pattern-in-memory, vulnerability, attachment,
      malware-sample, link, comment, text, x509-fingerprint-sha1,
      github-repository, other

   Financial fraud
      btc, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn,
      comment, text, other, hex

   Support tool
      attachment, link, comment, text, other, hex

   Social network
      github-username, github-repository, github-organisation,
      jabber-id, twitter-id, email-src, email-dst, comment, text, other

   Person
      first-name, middle-name, last-name, date-of-birth, place-of-birth,
      gender, passport-number, passport-country, passport-expiration,
      redress-number, nationality, visa-number, issue-date-of-the-visa,
      primary-residence, country-of-residence, special-service-request,
      frequent-flyer-number, travel-details, payment-details,
      place-port-of-original-embarkation, place-port-of-clearance,
      place-port-of-onward-foreign-destination,
      passenger-name-record-locator-number, comment, text, other

   Other
      comment, text, other, size-in-bytes, counter, datetime, cpe, port,
      float, hex

   Attributes are based on the usage within their different communities.
   Attributes can be extended on a regular basis and this reference
   document is updated accordingly.

2.4.2.4.  category

   category represents the intent of what the attribute is describing as
   selected by the attribute creator, using a list of pre-defined
   attribute categories.

   category is represented as a JSON string.  category MUST be present
   and it MUST be a valid selection for the chosen type.  The list of
   valid category-type combinations is mentioned above.

2.4.2.5.  to_ids

   to_ids represents whether the attribute is meant to be actionable.
   Actionable attributes are those that can be used in automated
   processes as a pattern for detection in local or network intrusion
   detection systems, log analysis tools or even filtering mechanisms.

   to_ids is represented as a JSON boolean.  to_ids MUST be present.

2.4.2.6.  event_id

   event_id represents a human-readable identifier referencing the Event
   object that the attribute belongs to.

   The event_id SHOULD be updated when the event is imported to reflect
   the newly created event's id on the instance.

   event_id is represented as a JSON string.  event_id MUST be present.

2.4.2.7.  distribution

   distribution represents the basic distribution rules of the
   attribute.  The system must adhere to the distribution setting for
   access control and for dissemination of the attribute.
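   The following is an added example, not code from the draft or from
   the MISP project.  It validates an Attribute's category-type pairing
   against a subset of the table in Section 2.4.2.3 (the shorter
   categories only; a real implementation carries the full table),
   checks to_ids, event_id and the distribution/sharing_group_id rules
   (including option 5, Inherit Event, from the list of options below),
   and shows the access-control consequence: the distribution that
   governs an attribute is resolved through its event when it inherits,
   and only to_ids attributes that are not revoked (deleted, Section
   2.4.2.11) are handed to detection tooling.  The event and attributes
   are constructed; the addresses come from the RFC 5737 documentation
   ranges.

```python
"""Category/type and distribution checks for a MISP Attribute
(Sections 2.4.2.3 to 2.4.2.7, 2.4.2.10 and 2.4.2.11).  Added example, not
code from the draft or from the MISP project.  CATEGORY_TYPES is a subset
of the table in Section 2.4.2.3; the sample event and attributes are
constructed."""

CATEGORY_TYPES = {
    "Internal reference": {"text", "link", "comment", "other", "hex"},
    "Antivirus detection": {"link", "comment", "text", "hex", "attachment", "other"},
    "Persistence mechanism": {"filename", "regkey", "regkey|value", "comment", "text", "other"},
    "Network activity": {"ip-src", "ip-dst", "hostname", "domain", "domain|ip", "email-dst",
                         "url", "uri", "user-agent", "http-method", "AS", "snort",
                         "pattern-in-file", "pattern-in-traffic", "attachment", "comment",
                         "text", "x509-fingerprint-sha1", "other", "hex"},
    "Payload type": {"comment", "text", "other"},
    "Attribution": {"threat-actor", "campaign-name", "campaign-id", "whois-registrant-phone",
                    "whois-registrant-email", "whois-registrant-name", "whois-registrar",
                    "whois-creation-date", "comment", "text", "x509-fingerprint-sha1", "other"},
    "Financial fraud": {"btc", "iban", "bic", "bank-account-nr", "aba-rtn", "bin", "cc-number",
                        "prtn", "comment", "text", "other", "hex"},
    "Support tool": {"attachment", "link", "comment", "text", "other", "hex"},
    "Other": {"comment", "text", "other", "size-in-bytes", "counter", "datetime", "cpe",
              "port", "float", "hex"},
}

# Attribute distribution options (Section 2.4.2.7); "5" defers to the Event's setting
ATTRIBUTE_DISTRIBUTIONS = {"0", "1", "2", "3", "4", "5"}
SHARING_GROUP, INHERIT_EVENT = "4", "5"


def validate_attribute(attr):
    """Return the list of rule violations; an empty list means the attribute passes."""
    problems = []
    category, atype = attr.get("category"), attr.get("type")
    if category not in CATEGORY_TYPES:
        problems.append(f"unknown category {category!r}")
    elif atype not in CATEGORY_TYPES[category]:
        problems.append(f"type {atype!r} is not valid for category {category!r}")
    if not isinstance(attr.get("to_ids"), bool):
        problems.append("to_ids must be a JSON boolean")
    if not (isinstance(attr.get("event_id"), str) and attr["event_id"].isdigit()):
        problems.append("event_id must be a decimal JSON string")
    if not isinstance(attr.get("value"), str):
        problems.append("value must be a JSON string")
    dist, sg = attr.get("distribution"), attr.get("sharing_group_id")
    if dist not in ATTRIBUTE_DISTRIBUTIONS:
        problems.append("distribution must be one of 0..5")
    elif dist == SHARING_GROUP and sg in (None, "0"):
        problems.append("distribution 4 requires a sharing_group_id")
    elif dist != SHARING_GROUP and sg not in (None, "0"):
        problems.append('sharing_group_id MUST be "0" unless distribution is 4')
    return problems


def effective_distribution(event, attr):
    """(distribution, sharing_group_id) that governs access to the attribute.

    Option 5 (Inherit Event) means the attribute is shared no more widely than
    its event, so the event's own setting is the one an instance enforces."""
    if attr["distribution"] == INHERIT_EVENT:
        return event["distribution"], event.get("sharing_group_id", "0")
    return attr["distribution"], attr.get("sharing_group_id", "0")


def actionable_values(event, attribute_type):
    """Values fit for detection tooling: to_ids set and not revoked (deleted)."""
    return [a["value"] for a in event.get("Attribute", [])
            if a["type"] == attribute_type and a["to_ids"] and not a.get("deleted", False)]


# Constructed sample: identifiers are made up, addresses are RFC 5737 documentation ranges
SAMPLE_EVENT = {
    "id": "3357", "distribution": "1", "sharing_group_id": "0",
    "Attribute": [
        {"id": "1", "event_id": "3357", "category": "Network activity", "type": "ip-dst",
         "value": "203.0.113.7", "to_ids": True, "distribution": "5",
         "sharing_group_id": "0", "deleted": False},
        {"id": "2", "event_id": "3357", "category": "Network activity", "type": "ip-dst",
         "value": "198.51.100.9", "to_ids": True, "distribution": "5",
         "sharing_group_id": "0", "deleted": True},        # revoked: informational only
        {"id": "3", "event_id": "3357", "category": "Other", "type": "comment",
         "value": "analyst note", "to_ids": False, "distribution": "0",
         "sharing_group_id": "0", "deleted": False},
    ],
}

if __name__ == "__main__":
    for a in SAMPLE_EVENT["Attribute"]:
        print(a["id"], validate_attribute(a) or "ok", effective_distribution(SAMPLE_EVENT, a))
    print("ip-dst for detection:", actionable_values(SAMPLE_EVENT, "ip-dst"))
```

   The point of resolving the effective distribution before any export
   or API response is that an attribute marked "5" carries no sharing
   decision of its own; an exporter that filters on the attribute's
   literal value would treat it as unrestricted.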
   distribution is represented by a JSON string.  distribution MUST be
   present and be one of the following options:

   0  Your Organisation Only

   1  This Community Only

   2  Connected Communities

   3  All Communities

   4  Sharing Group

   5  Inherit Event

2.4.2.8.  timestamp

   timestamp represents a reference time when the attribute was created
   or last modified.  timestamp is expressed in seconds (decimal) since
   the 1st of January 1970 (Unix timestamp).  The time zone MUST be UTC.

   timestamp is represented as a JSON string.  timestamp MUST be present.

2.4.2.9.  comment

   comment is a contextual comment field.

   comment is represented by a JSON string.  comment MAY be present.

2.4.2.10.  sharing_group_id

   sharing_group_id represents a human-readable identifier referencing a
   Sharing Group object that defines the distribution of the attribute,
   if distribution level "4" is set.

   sharing_group_id is represented by a JSON string and SHOULD be
   present.  If a distribution level other than "4" is chosen, the
   sharing_group_id MUST be set to "0".

2.4.2.11.  deleted

   deleted represents a setting that allows attributes to be revoked.
   Revoked attributes are not actionable and exist merely to inform
   other instances of a revocation.

   deleted is represented by a JSON boolean.  deleted MUST be present.

2.4.2.12.  data

   data contains the base64 encoded contents of an attachment or a
   malware sample.  For malware samples, the sample MUST be encrypted
   using a password protected zip archive, with the password being
   "infected".

   data is represented by a JSON string in base64 encoding.  data MUST be
   set for attributes of type malware-sample and attachment.

2.4.2.13.  RelatedAttribute

   RelatedAttribute is an array of attributes correlating with the
   current attribute.  Each element in the array is a JSON object
   containing an Attribute dictionary with the external attributes that
   correlate.  Each Attribute MUST include the id, org_id, info and a
   value.  Only the correlations found on the local instance are shown
   in RelatedAttribute.

   RelatedAttribute MAY be present.

2.4.2.14.  ShadowAttribute

   ShadowAttribute is an array of shadow attributes that serve as
   proposals by third parties to alter the containing attribute.  The
   structure of a ShadowAttribute is similar to that of an Attribute.  A
   shadow attribute can be accepted or discarded by the event creator.
   If accepted, the original attribute containing the shadow attribute
   is removed and the shadow attribute is converted into an attribute.

   Each shadow attribute that references an attribute MUST contain the
   containing attribute's ID in the old_id field and the event's ID in
   the event_id field.

2.4.2.15.  value

   value represents the payload of an attribute.  The format of the
   value is dependent on the type of the attribute.

   value is represented by a JSON string.  value MUST be present.

2.5.  ShadowAttribute

   ShadowAttributes are 3rd party created attributes that either propose
   to add new information to an event or modify existing information.
   They are not meant to be actionable until the event creator accepts
   them, at which point they will be converted into attributes or
   modify an existing attribute.

   They are similar in structure to Attributes but additionally carry a
   reference to the creator of the ShadowAttribute as well as a
   revocation flag.

2.5.1.  Sample Attribute Object

   "ShadowAttribute": {
     "id": "8",
     "type": "ip-src",
     "category": "Network activity",
     "to_ids": false,
     "uuid": "57d475f1-da78-4569-89de-1458c0a83869",
     "event_uuid": "57d475e6-41c4-41ca-b450-145ec0a83869",
     "event_id": "9",
     "old_id": "319",
     "comment": "",
     "org_id": "1",
     "proposal_to_delete": false,
     "value": "5.5.5.5",
     "deleted": false,
     "Org": {
       "id": "1",
       "name": "MISP",
       "uuid": "568cce5a-0c80-412b-8fdf-1ffac0a83869"
     }
   }

2.5.2.  ShadowAttribute Attributes

2.5.2.1.  uuid

   uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of
   the event.  The uuid MUST be preserved for any updates or transfer of
   the same event.  UUID version 4 is RECOMMENDED when assigning it to a
   new event.

   uuid is represented as a JSON string.  uuid MUST be present.

2.5.2.2.  id

   id represents the human-readable identifier associated to the event
   for a specific MISP instance.

   id is represented as a JSON string.  id SHALL be present.

2.5.2.3.  type

   type represents the means through which an attribute tries to
   describe the intent of the attribute creator, using a list of
   pre-defined attribute types.

   type is represented as a JSON string.  type MUST be present and it
   MUST be a valid selection for the chosen category.  The list of valid
   category-type combinations is as follows:

   Internal reference
      text, link, comment, other, hex

   Targeting data
      target-user, target-email, target-machine, target-org,
      target-location, target-external, comment

   Antivirus detection
      link, comment, text, hex, attachment, other

   Payload delivery
      md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
      ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename,
      filename|md5, filename|sha1, filename|sha224, filename|sha256,
      filename|sha384, filename|sha512, filename|sha512/224,
      filename|sha512/256, filename|authentihash, filename|ssdeep,
      filename|tlsh, filename|imphash, filename|impfuzzy,
      filename|pehash, ip-src, ip-dst, hostname, domain, email-src,
      email-dst, email-subject, email-attachment, url, user-agent, AS,
      pattern-in-file, pattern-in-traffic, yara, attachment,
      malware-sample, link, malware-type, comment, text, vulnerability,
      x509-fingerprint-sha1, other, ip-dst|port, ip-src|port,
      hostname|port, email-dst-display-name, email-src-display-name,
      email-header, email-reply-to, email-x-mailer, email-mime-boundary,
      email-thread-index, email-message-id, mobile-application-id

   Artifacts dropped
      md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
      ssdeep, imphash, impfuzzy, authentihash, filename, filename|md5,
      filename|sha1, filename|sha224, filename|sha256, filename|sha384,
      filename|sha512, filename|sha512/224, filename|sha512/256,
      filename|authentihash, filename|ssdeep, filename|tlsh,
      filename|imphash, filename|impfuzzy, filename|pehash, regkey,
      regkey|value, pattern-in-file, pattern-in-memory, pdb, yara,
      sigma, attachment, malware-sample, named pipe, mutex,
      windows-scheduled-task, windows-service-name,
      windows-service-displayname, comment, text, hex,
      x509-fingerprint-sha1, other

   Payload installation
      md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
      ssdeep, imphash, authentihash, pehash, tlsh, filename,
      filename|md5, filename|sha1, filename|sha224, filename|sha256,
      filename|sha384, filename|sha512, filename|sha512/224,
      filename|sha512/256, filename|authentihash, filename|ssdeep,
      filename|tlsh, filename|imphash, filename|pehash, pattern-in-file,
      pattern-in-traffic, pattern-in-memory, yara, vulnerability,
      attachment, malware-sample, malware-type, comment, text, hex,
      x509-fingerprint-sha1, mobile-application-id, other

   Persistence mechanism
      filename, regkey, regkey|value, comment, text, other, text

   Network activity
      ip-src, ip-dst, hostname, domain, domain|ip, email-dst, url, uri,
      user-agent, http-method, AS, snort, pattern-in-file,
      pattern-in-traffic, attachment, comment, text,
      x509-fingerprint-sha1, other, hex

   Payload type
      comment, text, other

   Attribution
      threat-actor, campaign-name, campaign-id, whois-registrant-phone,
      whois-registrant-email, whois-registrant-name, whois-registrar,
      whois-creation-date, comment, text, x509-fingerprint-sha1, other

   External analysis
      md5, sha1, sha256, filename, filename|md5, filename|sha1,
      filename|sha256, ip-src, ip-dst, hostname, domain, domain|ip, url,
      user-agent, regkey, regkey|value, AS, snort, pattern-in-file,
      pattern-in-traffic, pattern-in-memory, vulnerability, attachment,
      malware-sample, link, comment, text, x509-fingerprint-sha1,
      github-repository, other

   Financial fraud
      btc, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn,
      comment, text, other, hex

   Support tool
      attachment, link, comment, text, other, hex

   Social network
      github-username, github-repository, github-organisation,
      jabber-id, twitter-id, email-src, email-dst, comment, text, other

   Person
      first-name, middle-name, last-name, date-of-birth, place-of-birth,
      gender, passport-number, passport-country, passport-expiration,
      redress-number, nationality, visa-number, issue-date-of-the-visa,
      primary-residence, country-of-residence, special-service-request,
      frequent-flyer-number, travel-details, payment-details,
      place-port-of-original-embarkation, place-port-of-clearance,
      place-port-of-onward-foreign-destination,
      passenger-name-record-locator-number, comment, text, other

   Other
      comment, text, other, size-in-bytes, counter, datetime, cpe, port,
      float, hex

   Attributes are based on the usage within their different communities.
   Attributes can be extended on a regular basis and this reference
   document is updated accordingly.

2.5.2.4.  category

   category represents the intent of what the attribute is describing as
   selected by the attribute creator, using a list of pre-defined
   attribute categories.

   category is represented as a JSON string.  category MUST be present
   and it MUST be a valid selection for the chosen type.  The list of
   valid category-type combinations is mentioned above.

2.5.2.5.  to_ids

   to_ids represents whether the Attribute that would be created if the
   ShadowAttribute is accepted is meant to be actionable.  Actionable
   attributes are those that can be used in automated processes as a
   pattern for detection in local or network intrusion detection
   systems, log analysis tools or even filtering mechanisms.

   to_ids is represented as a JSON boolean.  to_ids MUST be present.

2.5.2.6.  event_id

   event_id represents a human-readable identifier referencing the Event
   object that the ShadowAttribute belongs to.

   The event_id SHOULD be updated when the event is imported to reflect
   the newly created event's id on the instance.

   event_id is represented as a JSON string.  event_id MUST be present.

2.5.2.7.  old_id

   old_id represents a human-readable identifier referencing the
   Attribute object that the ShadowAttribute belongs to.  In this way a
   ShadowAttribute can target an existing Attribute, implying that it is
   a proposal to modify an existing Attribute, or alternatively it can
   be a proposal to create a new Attribute for the containing Event.

   The old_id SHOULD be updated when the event is imported to reflect
   the newly created Attribute's id on the instance.  Alternatively, if
   the ShadowAttribute proposes the creation of a new Attribute, it
   should be set to 0.

   old_id is represented as a JSON string.  old_id MUST be present.

2.5.2.8.  timestamp

   timestamp represents a reference time when the attribute was created
   or last modified.  timestamp is expressed in seconds (decimal) since
   the 1st of January 1970 (Unix timestamp).  The time zone MUST be UTC.

   timestamp is represented as a JSON string.  timestamp MUST be present.

2.5.2.9.  comment

   comment is a contextual comment field.

   comment is represented by a JSON string.  comment MAY be present.

2.5.2.10.  org_id

   org_id represents a human-readable identifier referencing the
   proposal creator's Organisation object.

   Whilst attributes can only be created by the event creator
   organisation, shadow attributes can be created by third parties.
   org_id tracks the creator organisation.

   org_id is represented by a JSON string and MUST be present.

2.5.2.11.  proposal_to_delete

   proposal_to_delete is a boolean flag that sets whether the shadow
   attribute proposes to alter an attribute, or whether it proposes to
   remove it completely.

   Accepting a shadow attribute with this flag set will remove the
   target attribute.

   proposal_to_delete is a JSON boolean and it MUST be present.  If
   proposal_to_delete is set to true, old_id MUST NOT be 0.

2.5.2.12.  deleted

   deleted represents a setting that allows shadow attributes to be
   revoked.  Revoked shadow attributes only serve to inform other
   instances that the shadow attribute is no longer active.
877 deleted is represented by a JSON boolean. deleted SHOULD be present. 879 2.5.2.13. data 881 data contains the base64 encoded contents of an attachment or a 882 malware sample. For malware samples, the sample MUST be encrypted 883 using a password protected zip archive, with the password being 884 "infected". 886 data is represented by a JSON string in base64 encoding. data MUST be 887 set for shadow attributes of type malware-sample and attachment. 889 2.5.3. Org 891 An Org object is composed of an uuid, name and id. 893 The uuid represents the Universally Unique IDentifier (UUID) 894 [RFC4122] of the organization. The organization UUID is globally 895 assigned to an organization and SHALL be kept overtime. 897 The name is a readable description of the organization and SHOULD be 898 present. The id is a human-readable identifier generated by the 899 instance and used as reference in the event. 901 uuid, name and id are represented as a JSON string. uuid, name and id 902 MUST be present. 904 2.5.3.1. Sample Org Object 906 "Org": { 907 "id": "2", 908 "name": "CIRCL", 909 "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" 910 } 912 2.5.3.2. value 914 value represents the payload of an attribute. The format of the 915 value is dependent on the type of the attribute. 917 value is represented by a JSON string. value MUST be present. 919 2.6. Tag 921 A tag is a simple method to classify an event with a simple string. 922 The tag name can be freely chosen. The tag name can be also chosen 923 from a fixed machine-tag vocabulary called MISP taxonomies[[MISP-T]]. 924 When an event is distributed outside an organisation, the use of MISP 925 taxonomies[[MISP-T]] is RECOMMENDED to ensure a coherent naming of 926 the tags. A tag is represented as a JSON array where each element 927 describes each tag associated. A tag array SHALL be at event level 928 or attribute level. A tag element is described with a name, id, 929 colour and exportable flag. 
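   The tag element described above, parsed and checked as an added
   example (this is not code from this document or from the MISP
   project).  It assumes the name/id/colour/exportable layout given
   here, the namespace:predicate or namespace:predicate="value" shape
   of taxonomy machine tags, and colour values written as "#rrggbb" as
   in the samples; the tag array it runs on is constructed.

```python
"""Parse MISP tag names and check Tag elements against the field rules above.

Added example; not code from this document or from the MISP project.
It assumes the Tag element layout given here (name, id, colour,
exportable) and the namespace:predicate or namespace:predicate="value"
shape of MISP taxonomy machine tags; it also assumes colour is written
as "#rrggbb", as in the samples.  All tags below are constructed.
"""
import re
from typing import List, NamedTuple, Optional

# Assumed machine-tag grammar: namespace:predicate optionally followed
# by ="value" (the quoted value may contain spaces).
MACHINE_TAG_RE = re.compile(
    r'^(?P<namespace>[^:="\s]+):(?P<predicate>[^:="\s]+)'
    r'(?:="(?P<value>[^"]*)")?$'
)
COLOUR_RE = re.compile(r"^#[0-9a-fA-F]{6}$")


class MachineTag(NamedTuple):
    namespace: str
    predicate: str
    value: Optional[str]


def parse_machine_tag(name: str) -> Optional[MachineTag]:
    """Split a taxonomy-style tag name; return None for a free-form tag."""
    match = MACHINE_TAG_RE.match(name)
    if match is None:
        return None
    return MachineTag(match["namespace"], match["predicate"], match["value"])


def validate_tag_element(tag: dict) -> List[str]:
    """Return the problems found in one Tag element (empty if acceptable).

    name MUST be present; colour, id and exportable SHALL be present and
    carry the JSON types the text gives them (string, string, boolean).
    """
    problems = []
    if not isinstance(tag.get("name"), str) or not tag["name"]:
        problems.append("name missing or empty")
    for key in ("id", "colour"):
        if not isinstance(tag.get(key), str):
            problems.append(f"{key} missing or not a string")
    if not isinstance(tag.get("exportable"), bool):
        problems.append("exportable missing or not a boolean")
    colour = tag.get("colour")
    if isinstance(colour, str) and not COLOUR_RE.match(colour):
        problems.append(f"colour {colour!r} is not of the form #rrggbb")
    return problems


def exportable_tags(tags: List[dict]) -> List[dict]:
    """Keep only the tags whose exportable flag is true, i.e. those that
    may leave the local instance when the event is shared."""
    return [t for t in tags if t.get("exportable") is True]


# Constructed tag array in the shape of the Sample Tag of this section.
SAMPLE_TAGS = [
    {"exportable": True, "colour": "#ffffff", "name": "tlp:white", "id": "2"},
    {"exportable": True, "colour": "#3d7a00",
     "name": 'circl:incident-classification="malware"', "id": "5"},
    {"exportable": False, "colour": "#000000", "name": "internal-note", "id": "9"},
    # Deliberately malformed: empty name, non-boolean flag, bad colour.
    {"exportable": "yes", "colour": "white", "name": "", "id": "11"},
]

if __name__ == "__main__":
    for tag in SAMPLE_TAGS:
        print(tag["name"], parse_machine_tag(tag["name"]),
              validate_tag_element(tag))
    print([t["name"] for t in exportable_tags(SAMPLE_TAGS)])
```

   Free-form tags parse to None and are still accepted as long as the
   element's fields are well-typed; only the machine-tag form is split
   into its namespace, predicate and value.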
   exportable represents a setting indicating whether the tag is kept
   local or is exportable to other MISP instances.  exportable is
   represented by a JSON boolean.  id is a human-readable identifier
   that references the tag on the local instance.  colour represents an
   RGB value of the tag.

   name MUST be present.  colour, id and exportable SHALL be present.

2.6.1.  Sample Tag

   "Tag": [{
     "exportable": true,
     "colour": "#ffffff",
     "name": "tlp:white",
     "id": "2"
   }]

2.7.  Galaxy

   A galaxy is a simple method to express a large object called cluster
   that can be attached to MISP events.  A cluster can be composed of
   one or more elements.  Elements are expressed as key-values.

2.7.1.  Sample Galaxy

   "Galaxy": [
     {
       "id": "18",
       "uuid": "698774c7-8022-42c4-917f-8d6e4f06ada3",
       "name": "Threat Actor",
       "type": "threat-actor",
       "description": "Threat actors are characteristics of malicious actors (or adversaries) representing a cyber attack threat including presumed intent and historically observed behaviour.",
       "version": "1",
       "GalaxyCluster": [
         {
           "id": "1699",
           "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
           "type": "threat-actor",
           "value": "Anunak",
           "tag_name": "misp-galaxy:threat-actor=\"Anunak\"",
           "description": "Groups targeting financial organizations or people with significant financial assets.",
           "galaxy_id": "18",
           "source": "MISP Project",
           "authors": [
             "Alexandre Dulaunoy",
             "Florian Roth",
             "Thomas Schreck",
             "Timo Steffens",
             "Various"
           ],
           "tag_id": "111",
           "meta": {
             "synonyms": [
               "Carbanak",
               "Carbon Spider"
             ],
             "country": [
               "RU"
             ],
             "motive": [
               "Cybercrime"
             ]
           }
         }
       ]
     }
   ]

3.  JSON Schema

   The JSON Schema [JSON-SCHEMA] below defines the structure of the MISP
   core format as literally described before.  The JSON Schema is used
   to validate MISP events at creation time or when parsing.

   {
     "$schema": "http://json-schema.org/draft-04/schema#",
     "title": "Validator for misp events",
     "id": "https://github.com/MISP/MISP/blob/2.4/format/2.4/schema.json",
     "defs": {
       "org": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "id": { "type": "string" },
           "name": { "type": "string" },
           "uuid": { "type": "string" }
         },
         "required": [ "uuid" ]
       },
       "orgc": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "id": { "type": "string" },
           "name": { "type": "string" },
           "uuid": { "type": "string" }
         },
         "required": [ "uuid" ]
       },
       "sharing_group": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "id": { "type": "string" },
           "name": { "type": "string" },
           "releasability": { "type": "string" },
           "description": { "type": "string" },
           "uuid": { "type": "string" },
           "organisation_uuid": { "type": "string" },
           "org_id": { "type": "string" },
           "sync_user_id": { "type": "string" },
           "active": { "type": "boolean" },
           "created": { "type": "string" },
           "modified": { "type": "string" },
           "local": { "type": "boolean" },
           "roaming": { "type": "boolean" },
           "Organisation": { "$ref": "#/defs/org" },
           "SharingGroupOrg": {
             "type": "array",
             "uniqueItems": true,
             "items": { "$ref": "#/defs/sharing_group_org" }
           },
           "SharingGroupServer": {
             "type": "array",
             "uniqueItems": true,
             "items": { "$ref": "#/defs/sharing_group_server" }
           },
           "required": [ "uuid" ]
         },
         "required": [ "uuid" ]
       },
       "sharing_group_org": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "id": { "type": "string" },
           "sharing_group_id": { "type": "string" },
           "org_id": { "type": "string" },
           "extend": { "type": "boolean" },
           "Organisation": { "$ref": "#/defs/org" }
         }
       },
       "sharing_group_server": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "id": { "type": "string" },
           "sharing_group_id": { "type": "string" },
           "server_id": { "type": "string" },
           "all_orgs": { "type": "boolean" },
           "Server": { "$ref": "#/defs/server" }
         }
       },
       "server": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "id": { "type": "string" },
           "url": { "type": "string" },
           "name": { "type": "string" }
         }
       },
       "attribute": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "id": { "type": "string" },
           "type": { "type": "string" },
           "category": { "type": "string" },
           "to_ids": { "type": "boolean" },
           "uuid": { "type": "string" },
           "event_id": { "type": "string" },
           "distribution": { "type": "string" },
           "timestamp": { "type": "string" },
           "comment": { "type": "string" },
           "sharing_group_id": { "type": "string" },
           "deleted": { "type": "boolean" },
           "disable_correlation": { "type": "boolean" },
           "value": { "type": "string" },
           "data": { "type": "string" },
           "SharingGroup": { "$ref": "#/defs/sharing_group" },
           "ShadowAttribute": {
             "type": "array",
             "uniqueItems": true,
             "items": { "$ref": "#/defs/attribute" }
           },
           "Tag": {
             "type": "array",
             "uniqueItems": true,
             "items": { "$ref": "#/defs/tag" }
           }
         }
       },
       "event": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "id": { "type": "string" },
           "orgc_id": { "type": "string" },
           "org_id": { "type": "string" },
           "date": { "type": "string" },
           "threat_level_id": { "type": "string" },
           "info": { "type": "string" },
           "published": { "type": "boolean" },
           "uuid": { "type": "string" },
           "attribute_count": { "type": "string" },
           "analysis": { "type": "string" },
           "timestamp": { "type": "string" },
           "distribution": { "type": "string" },
           "proposal_email_lock": { "type": "boolean" },
           "locked": { "type": "boolean" },
           "publish_timestamp": { "type": "string" },
           "sharing_group_id": { "type": "string" },
           "disable_correlation": { "type": "boolean" },
           "event_creator_email": { "type": "string" },
           "Org": { "$ref": "#/defs/org" },
           "Orgc": { "$ref": "#/defs/org" },
           "SharingGroup": { "$ref": "#/defs/sharing_group" },
           "Attribute": {
             "type": "array",
             "uniqueItems": true,
             "items": { "$ref": "#/defs/attribute" }
           },
           "ShadowAttribute": {
             "type": "array",
             "uniqueItems": true,
             "items": { "$ref": "#/defs/attribute" }
           },
           "RelatedEvent": {
             "type": "array",
             "uniqueItems": true,
             "items": {
               "type": "object",
               "additionalProperties": false,
               "properties": {
                 "Event": { "$ref": "#/defs/event" }
               }
             }
           },
           "Galaxy": {
             "type": "array",
             "uniqueItems": true,
             "items": { "$ref": "#/defs/galaxy" }
           },
           "Tag": {
             "type": "array",
             "uniqueItems": true,
             "items": { "$ref": "#/defs/tag" }
           }
         }
       },
       "tag": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "id": { "type": "string" },
           "name": { "type": "string" },
           "colour": { "type": "string" },
           "exportable": { "type": "boolean" },
           "hide_tag": { "type": "boolean" }
         }
       },
       "galaxy": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "id": { "type": "string" },
           "uuid": { "type": "string" },
           "name": { "type": "string" },
           "type": { "type": "string" },
           "description": { "type": "string" },
           "version": { "type": "string" },
           "GalaxyCluster": {
             "type": "array",
             "uniqueItems": true,
             "items": { "$ref": "#/defs/galaxy_cluster" }
           }
         }
       },
       "galaxy_cluster": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "id": { "type": "string" },
           "uuid": { "type": "string" },
           "type": { "type": "string" },
           "value": { "type": "string" },
           "tag_name": { "type": "string" },
           "description": { "type": "string" },
           "galaxy_id": { "type": "string" },
           "source": { "type": "string" },
           "authors": {
             "type": "array",
             "uniqueItems": true,
             "items": { "type": "string" }
           },
           "tag_id": { "type": "string" },
           "meta": { "type": "object" }
         }
       }
     },
     "type": "object",
     "properties": {
       "Event": { "$ref": "#/defs/event" }
     },
     "required": [ "Event" ]
   }

4.  Manifest

   MISP events can be shared over an HTTP repository, a file package or
   USB key.  A manifest file is used to provide an index of MISP events,
   allowing a consumer to fetch only the recently updated files without
   the need to parse each JSON file.

4.1.  Format

   A manifest file is a simple JSON file named manifest.json in a
   directory where the MISP events are located.  Each MISP event is a
   file located in the same directory, with the event uuid as filename
   and the json extension.

   The manifest format is a JSON object composed of a dictionary where
   the key is the uuid of the event.

   Each uuid is composed of a JSON object with the following fields
   which come from the original event referenced by the same uuid:

   o  info (MUST)

   o  Orgc object (MUST)

   o  analysis (SHALL)

   o  timestamp (MUST)

   o  date (MUST)

   o  threat_level_id (SHALL)

   In addition to the fields originating from the event, the following
   fields can be added:

   o  integrity:sha256 represents the SHA256 value in hexadecimal
      representation of the associated MISP event file to ensure
      integrity of the file.  (SHOULD)

   o  integrity:pgp represents a detached PGP signature [RFC4880] of the
      associated MISP event file to ensure integrity of the file.
      (SHOULD)

   If a detached PGP signature is used for each MISP event, a detached
   PGP signature is a MUST to ensure integrity of the manifest file.  A
   detached PGP signature for a manifest file is a manifest.json.pgp
   file containing the PGP signature.

4.1.1.  Sample Manifest

   {
     "57c6ac4c-c60c-4f79-a38f-b666950d210f": {
       "info": "Malspam 2016-08-31 (.wsf in .zip) - campaign: Photo",
       "Orgc": {
         "id": "2",
         "name": "CIRCL"
       },
       "analysis": "0",
       "Tag": [
         {
           "colour": "#3d7a00",
           "name": "circl:incident-classification=\"malware\""
         },
         {
           "colour": "#ffffff",
           "name": "tlp:white"
         }
       ],
       "timestamp": "1472638251",
       "date": "2016-08-31",
       "threat_level_id": "3"
     },
     "5720accd-dd28-45f8-80e5-4605950d210f": {
       "info": "Malspam 2016-04-27 - Locky",
       "Orgc": {
         "id": "2",
         "name": "CIRCL"
       },
       "analysis": "2",
       "Tag": [
         {
           "colour": "#ffffff",
           "name": "tlp:white"
         },
         {
           "colour": "#3d7a00",
           "name": "circl:incident-classification=\"malware\""
         },
         {
           "colour": "#2c4f00",
           "name": "malware_classification:malware-category=\"Ransomware\""
         }
       ],
       "timestamp": "1461764231",
       "date": "2016-04-27",
       "threat_level_id": "3"
     }
   }

5.  Implementation

   The MISP format is implemented by different software, including the
   MISP threat sharing platform and libraries like PyMISP [MISP-P].
   Implementations use the format as an export/import mechanism, as a
   staging transport format or as a synchronisation format, as in the
   MISP core platform.  The MISP format doesn't impose any restriction
   on how the data is represented in the data structures of other
   implementations.

6.  Security Considerations

   MISP events might contain sensitive or confidential information.
   Adequate access control and encryption measures shall be implemented
   to ensure the confidentiality of the MISP events.

   Adversaries might include malicious content in MISP events and
   attributes.
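   The checks a consumer can run before importing a shared event, as an
   added example that is not part of this document, the MISP platform
   or PyMISP: it verifies the integrity:sha256 digest from the manifest
   of Section 4.1, parses the event file defensively, and applies the
   ShadowAttribute invariants of Section 2.5.2 (to_ids as a boolean, a
   decimal Unix timestamp string, proposal_to_delete requiring a
   non-zero old_id, data present for malware-sample and attachment).
   The manifest, event file, uuid, size cap and digest are constructed
   for the example; the integrity:pgp detached signature is not
   verified here.

```python
"""Check a MISP manifest entry and its event file before importing it.

Added example, not code from this document, the MISP platform or PyMISP.
It assumes the manifest layout of Section 4.1 and the ShadowAttribute
rules of Section 2.5.2; manifest, event file, uuid and digest below are
constructed, and the detached PGP signature (integrity:pgp) is not checked.
"""
import base64
import hashlib
import hmac
import json
import re

MANIFEST_MUST = ("info", "Orgc", "timestamp", "date")
MANIFEST_SHALL = ("analysis", "threat_level_id")
UNIX_TS_RE = re.compile(r"^[0-9]+$")  # seconds since 1970 (UTC), as a string
NEEDS_DATA = ("malware-sample", "attachment")
MAX_EVENT_BYTES = 50_000_000  # assumed size cap for untrusted event files


def check_manifest_entry(entry: dict) -> list:
    """Return the problems found in one manifest entry (empty if fine)."""
    problems = [f"missing MUST field {k}" for k in MANIFEST_MUST if k not in entry]
    problems += [f"missing SHALL field {k}" for k in MANIFEST_SHALL if k not in entry]
    ts = entry.get("timestamp")
    if ts is not None and not (isinstance(ts, str) and UNIX_TS_RE.match(ts)):
        problems.append("timestamp is not a decimal Unix timestamp string")
    return problems


def verify_event_file(entry: dict, event_bytes: bytes) -> bool:
    """Compare the file's SHA256 with integrity:sha256 from the manifest."""
    expected = entry.get("integrity:sha256")
    if not isinstance(expected, str):
        return False  # no digest published: treat the file as unverified
    actual = hashlib.sha256(event_bytes).hexdigest()
    return hmac.compare_digest(actual, expected.lower())


def check_shadow_attribute(sa: dict) -> list:
    """Apply the ShadowAttribute invariants of Section 2.5.2 to one element."""
    problems = []
    for key in ("type", "category", "event_id", "old_id", "org_id", "value", "timestamp"):
        if not isinstance(sa.get(key), str):
            problems.append(f"{key} missing or not a string")
    for key in ("to_ids", "proposal_to_delete"):
        if not isinstance(sa.get(key), bool):
            problems.append(f"{key} missing or not a boolean")
    if isinstance(sa.get("timestamp"), str) and not UNIX_TS_RE.match(sa["timestamp"]):
        problems.append("timestamp is not a decimal Unix timestamp string")
    if sa.get("proposal_to_delete") is True and sa.get("old_id") == "0":
        problems.append("proposal_to_delete set but old_id is 0")
    if sa.get("type") in NEEDS_DATA:  # data MUST be set for these types
        try:
            base64.b64decode(sa["data"], validate=True)
        except (KeyError, TypeError, ValueError):  # binascii.Error is a ValueError
            problems.append(f"data missing or not base64 for type {sa['type']}")
    return problems


def audit_feed(manifest: dict, files: dict) -> dict:
    """Map each manifest uuid to the problems found in its entry and event file."""
    report = {}
    for uuid, entry in manifest.items():
        problems = check_manifest_entry(entry)
        blob = files.get(uuid)
        if blob is None:
            problems.append("event file missing")
        elif not verify_event_file(entry, blob):
            problems.append("integrity:sha256 absent or mismatching")
        elif len(blob) > MAX_EVENT_BYTES:
            problems.append("event file exceeds size cap")
        else:
            try:  # parse only after the digest matched, and fail closed
                event = json.loads(blob.decode("utf-8"))["Event"]
                shadow = event.get("ShadowAttribute", [])
            except (ValueError, KeyError, TypeError, AttributeError):
                problems.append("event file is not a parsable MISP event")
                shadow = []
            for i, sa in enumerate(shadow):
                problems += [f"ShadowAttribute[{i}]: {p}" for p in check_shadow_attribute(sa)]
        report[uuid] = problems
    return report


# Constructed feed: one event under a placeholder uuid with three
# proposals, of which the second and third violate the rules.
EVENT_UUID = "00000000-0000-4000-8000-000000000001"
SA_BASE = {"type": "ip-dst", "category": "Network activity", "to_ids": True,
           "event_id": "1", "org_id": "3", "old_id": "0", "proposal_to_delete": False}
SAMPLE_EVENT = {"Event": {
    "uuid": EVENT_UUID, "info": "constructed sample", "date": "2017-04-10",
    "timestamp": "1491826800", "Orgc": {"id": "2", "name": "Example Org"},
    "ShadowAttribute": [
        dict(SA_BASE, value="192.0.2.10", timestamp="1491826801"),
        dict(SA_BASE, value="192.0.2.11", timestamp="1491826802", proposal_to_delete=True),
        dict(SA_BASE, type="attachment", category="Payload delivery", to_ids=False,
             value="note.txt", timestamp="not-a-timestamp"),
    ],
}}
SAMPLE_EVENT_BYTES = json.dumps(SAMPLE_EVENT, sort_keys=True).encode()
SAMPLE_MANIFEST = {EVENT_UUID: {
    "info": "constructed sample", "Orgc": {"id": "2", "name": "Example Org"},
    "analysis": "0", "timestamp": "1491826800", "date": "2017-04-10",
    "threat_level_id": "3",
    "integrity:sha256": hashlib.sha256(SAMPLE_EVENT_BYTES).hexdigest()}}
```

   The digest is compared before the file is parsed, so a tampered or
   truncated event never reaches the JSON parser, and a manifest entry
   without integrity:sha256 is reported rather than silently accepted.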
   Implementations MUST consider the possibility of malicious input,
   beyond the standard threat information, which might itself already
   contain content crafted with malicious intent.

7.  Acknowledgements

   The authors wish to thank all the MISP community for supporting the
   creation of open standards in threat intelligence sharing.

8.  Sample MISP file

9.  References

9.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC4122]  Leach, P., Mealling, M., and R. Salz, "A Universally
              Unique IDentifier (UUID) URN Namespace", RFC 4122,
              DOI 10.17487/RFC4122, July 2005.

   [RFC4627]  Crockford, D., "The application/json Media Type for
              JavaScript Object Notation (JSON)", RFC 4627,
              DOI 10.17487/RFC4627, July 2006.

   [RFC4880]  Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R.
              Thayer, "OpenPGP Message Format", RFC 4880,
              DOI 10.17487/RFC4880, November 2007.

9.2.  Informative References

   [JSON-SCHEMA]
              "JSON Schema: A Media Type for Describing JSON Documents",
              2016.

   [MISP-P]   MISP, "MISP Project - Malware Information Sharing Platform
              and Threat Sharing".

   [MISP-T]   MISP, "MISP Taxonomies - shared and common vocabularies of
              tags".

Authors' Addresses

   Alexandre Dulaunoy
   Computer Incident Response Center Luxembourg
   41, avenue de la gare
   Luxembourg L-1611
   Luxembourg

   Phone: +352 247 88444
   Email: alexandre.dulaunoy@circl.lu


   Andras Iklody
   Computer Incident Response Center Luxembourg
   41, avenue de la gare
   Luxembourg L-1611
   Luxembourg

   Phone: +352 247 88444
   Email: andras.iklody@circl.lu