Network Working Group                                        A. Dulaunoy
Internet-Draft                                                 A. Iklody
Intended status: Informational                                     CIRCL
Expires: February 9, 2019                                 August 8, 2018

                            MISP core format
                    draft-dulaunoy-misp-core-format-05

Abstract

   This document describes the MISP core format used to exchange
   indicators and threat information between MISP (Malware Information
   and threat Sharing Platform) instances.  The JSON format includes the
   overall structure along with the semantics associated with each
   respective key.  The format is described to support other
   implementations which reuse the format, ensuring interoperability
   with existing MISP [MISP-P] software and other Threat Intelligence
   Platforms.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 9, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Conventions and Terminology
   2.  Format
     2.1.  Overview
     2.2.  Event
       2.2.1.  Event Attributes
     2.3.  Objects
       2.3.1.  Org
       2.3.2.  Orgc
     2.4.  Attribute
       2.4.1.  Sample Attribute Object
       2.4.2.  Attribute Attributes
     2.5.  ShadowAttribute
       2.5.1.  Sample Attribute Object
       2.5.2.  ShadowAttribute Attributes
       2.5.3.  Org
     2.6.  Object
       2.6.1.  Sample Object object
       2.6.2.  Object Attributes
     2.7.  Object References
       2.7.1.  Sample ObjectReference object
       2.7.2.  ObjectReference Attributes
     2.8.  Tag
       2.8.1.  Sample Tag
     2.9.  Sighting
       2.9.1.  Sample Sighting
     2.10.  Galaxy
       2.10.1.  Sample Galaxy
   3.  JSON Schema
   4.  Manifest
     4.1.  Format
       4.1.1.  Sample Manifest
   5.  Implementation
   6.  Security Considerations
   7.  Acknowledgements
   8.  Sample MISP file
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Authors' Addresses

1.  Introduction

   Sharing threat information has become a fundamental requirement in
   the Internet, security and intelligence community at large.  Threat
   information can include indicators of compromise, malicious file
   indicators, financial fraud indicators or even detailed information
   about a threat actor.  MISP [MISP-P] started as an open source
   project in late 2011 and the MISP format has come to be widely used
   as an exchange format within the community in the past years.  The
   aim of this document is to describe the specification of the MISP
   core format.

1.1.  Conventions and Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.  Format

2.1.  Overview

   The MISP core format is in the JSON [RFC4627] format.  In MISP, an
   event is composed of a single JSON object.
   A capitalized key (like Event, Org) represents a data model and a
   non-capitalised key is just an attribute.  This nomenclature can
   support an implementation in representing the MISP format in another
   data structure.

2.2.  Event

   An event is a simple meta structure scheme where attributes and
   meta-data are embedded to compose a coherent set of indicators.  An
   event can be composed from an incident, a security analysis report or
   a specific threat actor analysis.  The meaning of an event only
   depends on the information embedded in the event.

2.2.1.  Event Attributes

2.2.1.1.  uuid

   uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of
   the event.  The uuid MUST be preserved for any updates or transfer of
   the same event.  UUID version 4 is RECOMMENDED when assigning it to a
   new event.

   uuid is represented as a JSON string.  uuid MUST be present.

2.2.1.2.  id

   id represents the human-readable identifier associated to the event
   for a specific MISP instance.  A human-readable identifier MUST be
   represented as an unsigned integer.

   id is represented as a JSON string.  id SHALL be present.

2.2.1.3.  published

   published represents the event publication state.  If the event was
   published, the published value MUST be true.  In any other
   publication state, the published value MUST be false.

   published is represented as a JSON boolean.  published MUST be
   present.

2.2.1.4.  info

   info represents the information field of the event.  info is a
   free-text value to provide a human-readable summary of the event.
   info SHOULD NOT be bigger than 256 characters and SHOULD NOT include
   newlines.

   info is represented as a JSON string.  info MUST be present.

2.2.1.5.  threat_level_id

   threat_level_id represents the threat level.

   4:
      Undefined

   3:
      Low

   2:
      Medium

   1:
      High

   If a higher granularity is required, a MISP taxonomy applied as a Tag
   SHOULD be preferred.

   threat_level_id is represented as a JSON string.  threat_level_id
   SHALL be present.

2.2.1.6.  analysis

   analysis represents the analysis level.

   0:
      Initial

   1:
      Ongoing

   2:
      Complete

   If a higher granularity is required, a MISP taxonomy applied as a Tag
   SHOULD be preferred.

   analysis is represented as a JSON string.  analysis SHALL be present.

2.2.1.7.  date

   date represents a reference date to the event in ISO 8601 format
   (date only: YYYY-MM-DD).  This date corresponds to the date the event
   occurred, which may be in the past.

   date is represented as a JSON string.  date MUST be present.

2.2.1.8.  timestamp

   timestamp represents a reference time when the event, or one of the
   attributes within the event, was created or last updated/edited on
   the instance.  timestamp is expressed in seconds (decimal) since 1st
   of January 1970 (Unix timestamp).  The time zone MUST be UTC.

   timestamp is represented as a JSON string.  timestamp MUST be present.

2.2.1.9.  publish_timestamp

   publish_timestamp represents a reference time when the event was
   published on the instance.  publish_timestamp is expressed in
   seconds (decimal) since 1st of January 1970 (Unix timestamp).  At
   each publication of an event, publish_timestamp MUST be updated.  The
   time zone MUST be UTC.  If the publish_timestamp is present and the
   published flag is set to false, the publish_timestamp represents the
   previous publication timestamp.  If the event was never published,
   the publish_timestamp MUST be set to 0.

   publish_timestamp is represented as a JSON string.  publish_timestamp
   MUST be present.

2.2.1.10.  org_id

   org_id represents a human-readable identifier referencing an Org
   object of the organisation which generated the event.  A
   human-readable identifier MUST be represented as an unsigned integer.

   The org_id MUST be updated when the event is generated by a new
   instance.

   org_id is represented as a JSON string.  org_id MUST be present.

2.2.1.11.  orgc_id

   orgc_id represents a human-readable identifier referencing an Orgc
   object of the organisation which created the event.

   The orgc_id and Org object MUST be preserved for any updates or
   transfer of the same event.

   orgc_id is represented as a JSON string.  orgc_id MUST be present.

2.2.1.12.  attribute_count

   attribute_count represents the number of attributes in the event.
   attribute_count is expressed in decimal.

   attribute_count is represented as a JSON string.  attribute_count
   SHALL be present.

2.2.1.13.  distribution

   distribution represents the basic distribution rules of the event.
   The system must adhere to the distribution setting for access control
   and for dissemination of the event.

   distribution is represented by a JSON string.  distribution MUST be
   present and be one of the following options:

   0
      Your Organisation Only

   1
      This Community Only

   2
      Connected Communities

   3
      All Communities

   4
      Sharing Group

2.2.1.14.  sharing_group_id

   sharing_group_id represents a human-readable identifier referencing a
   Sharing Group object that defines the distribution of the event, if
   distribution level "4" is set.  A human-readable identifier MUST be
   represented as an unsigned integer.

   sharing_group_id is represented by a JSON string and SHOULD be
   present.  If a distribution level other than "4" is chosen, the
   sharing_group_id MUST be set to "0".

2.2.1.15.  extends_uuid

   extends_uuid represents which event is extended by this event.  The
   extends_uuid is described as a Universally Unique IDentifier (UUID)
   [RFC4122] with the UUID of the extended event.

   extends_uuid is represented as a JSON string.  extends_uuid SHOULD be
   present.

2.3.  Objects

2.3.1.  Org

   An Org object is composed of a uuid, name and id.

   The uuid represents the Universally Unique IDentifier (UUID)
   [RFC4122] of the organisation.  The organisation UUID is globally
   assigned to an organisation and SHALL be kept over time.

   The name is a readable description of the organisation and SHOULD be
   present.  The id is a human-readable identifier generated by the
   instance and used as reference in the event.  A human-readable
   identifier MUST be represented as an unsigned integer.

   uuid, name and id are represented as a JSON string.  uuid, name and id
   MUST be present.

2.3.1.1.  Sample Org Object

   "Org": {
     "id": "2",
     "name": "CIRCL",
     "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
   }

2.3.2.  Orgc

   An Orgc object is composed of a uuid, name and id.

   The uuid MUST be preserved for any updates or transfer of the same
   event.  UUID version 4 is RECOMMENDED when assigning it to a new
   event.  The organisation UUID is globally assigned to an organisation
   and SHALL be kept over time.

   The name is a readable description of the organisation and SHOULD be
   present.  The id is a human-readable identifier generated by the
   instance and used as reference in the event.  A human-readable
   identifier MUST be represented as an unsigned integer.

   uuid, name and id are represented as a JSON string.  uuid, name and id
   MUST be present.

2.4.  Attribute

   Attributes are used to describe the indicators and contextual data of
   an event.  The main information contained in an attribute is made up
   of a category-type-value triplet, where the category and type give
   meaning and context to the value.  Through the various category-type
   combinations a wide range of information can be conveyed.

   A MISP document MUST at least include the category-type-value triplet
   described in section "Attribute Attributes".

2.4.1.  Sample Attribute Object

   "Attribute": {
     "id": "346056",
     "type": "comment",
     "category": "Other",
     "to_ids": false,
     "uuid": "57f4f6d9-cd20-458b-84fd-109ec0a83869",
     "event_id": "3357",
     "distribution": "5",
     "timestamp": "1475679332",
     "comment": "",
     "sharing_group_id": "0",
     "deleted": false,
     "value": "Hello world",
     "SharingGroup": [],
     "ShadowAttribute": [],
     "RelatedAttribute": []
   }

2.4.2.  Attribute Attributes

2.4.2.1.  uuid

   uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of
   the event.  The uuid MUST be preserved for any updates or transfer of
   the same event.  UUID version 4 is RECOMMENDED when assigning it to a
   new event.

   uuid is represented as a JSON string.  uuid MUST be present.

2.4.2.2.  id

   id represents the human-readable identifier associated to the event
   for a specific MISP instance.  A human-readable identifier MUST be
   represented as an unsigned integer.

   id is represented as a JSON string.  id SHALL be present.

2.4.2.3.  type

   type represents the means through which an attribute tries to
   describe the intent of the attribute creator, using a list of
   pre-defined attribute types.

   type is represented as a JSON string.  type MUST be present and it
   MUST be a valid selection for the chosen category.
   The list of valid category-type combinations is as follows:

   Antivirus detection
      link, comment, text, hex, attachment, other

   Artifacts dropped
      md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
      ssdeep, imphash, impfuzzy, authentihash, filename, filename|md5,
      filename|sha1, filename|sha224, filename|sha256, filename|sha384,
      filename|sha512, filename|sha512/224, filename|sha512/256,
      filename|authentihash, filename|ssdeep, filename|tlsh,
      filename|imphash, filename|impfuzzy, filename|pehash, regkey,
      regkey|value, pattern-in-file, pattern-in-memory, pdb,
      stix2-pattern, yara, sigma, attachment, malware-sample, named
      pipe, mutex, windows-scheduled-task, windows-service-name,
      windows-service-displayname, comment, text, hex,
      x509-fingerprint-sha1, x509-fingerprint-md5,
      x509-fingerprint-sha256, other, cookie, gene, mime-type

   Attribution
      threat-actor, campaign-name, campaign-id, whois-registrant-phone,
      whois-registrant-email, whois-registrant-name,
      whois-registrant-org, whois-registrar, whois-creation-date,
      comment, text, x509-fingerprint-sha1, x509-fingerprint-md5,
      x509-fingerprint-sha256, other, dns-soa-email

   External analysis
      md5, sha1, sha256, filename, filename|md5, filename|sha1,
      filename|sha256, ip-src, ip-dst, ip-dst|port, ip-src|port,
      mac-address, mac-eui-64, hostname, domain, domain|ip, url,
      user-agent, regkey, regkey|value, AS, snort, pattern-in-file,
      pattern-in-traffic, pattern-in-memory, vulnerability, attachment,
      malware-sample, link, comment, text, x509-fingerprint-sha1,
      x509-fingerprint-md5, x509-fingerprint-sha256, github-repository,
      other, cortex

   Financial fraud
      btc, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number,
      prtn, phone-number, comment, text, other, hex

   Internal reference
      text, link, comment, other, hex

   Network activity
      ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain,
      domain|ip, mac-address, mac-eui-64, email-dst, url, uri,
      user-agent, http-method, AS, snort, pattern-in-file,
      stix2-pattern, pattern-in-traffic, attachment, comment, text,
      x509-fingerprint-sha1, other, hex, cookie, hostname|port

   Other
      comment, text, other, size-in-bytes, counter, datetime, cpe, port,
      float, hex, phone-number, boolean

   Payload delivery
      md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
      ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename,
      filename|md5, filename|sha1, filename|sha224, filename|sha256,
      filename|sha384, filename|sha512, filename|sha512/224,
      filename|sha512/256, filename|authentihash, filename|ssdeep,
      filename|tlsh, filename|imphash, filename|impfuzzy,
      filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst,
      ip-dst|port, ip-src|port, hostname, domain, email-src, email-dst,
      email-subject, email-attachment, email-body, url, user-agent, AS,
      pattern-in-file, pattern-in-traffic, stix2-pattern, yara, sigma,
      mime-type, attachment, malware-sample, link, malware-type,
      comment, text, hex, vulnerability, x509-fingerprint-sha1,
      x509-fingerprint-md5, x509-fingerprint-sha256, other,
      hostname|port, email-dst-display-name, email-src-display-name,
      email-header, email-reply-to, email-x-mailer, email-mime-boundary,
      email-thread-index, email-message-id, mobile-application-id,
      whois-registrant-email

   Payload installation
      md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
      ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename,
      filename|md5, filename|sha1, filename|sha224, filename|sha256,
      filename|sha384, filename|sha512, filename|sha512/224,
      filename|sha512/256, filename|authentihash, filename|ssdeep,
      filename|tlsh, filename|imphash, filename|impfuzzy,
      filename|pehash, pattern-in-file, pattern-in-traffic,
      pattern-in-memory, stix2-pattern, yara, sigma, vulnerability,
      attachment, malware-sample, malware-type, comment, text, hex,
      x509-fingerprint-sha1, x509-fingerprint-md5,
      x509-fingerprint-sha256, mobile-application-id, other, mime-type

   Payload type
      comment, text, other

   Persistence mechanism
      filename, regkey, regkey|value, comment, text, other, hex

   Person
      first-name, middle-name, last-name, date-of-birth, place-of-birth,
      gender, passport-number, passport-country, passport-expiration,
      redress-number, nationality, visa-number, issue-date-of-the-visa,
      primary-residence, country-of-residence, special-service-request,
      frequent-flyer-number, travel-details, payment-details,
      place-port-of-original-embarkation, place-port-of-clearance,
      place-port-of-onward-foreign-destination,
      passenger-name-record-locator-number, comment, text, other,
      phone-number, identity-card-number

   Social network
      github-username, github-repository, github-organisation,
      jabber-id, twitter-id, email-src, email-dst, comment, text, other,
      whois-registrant-email

   Support Tool
      link, text, attachment, comment, other, hex

   Targeting data
      target-user, target-email, target-machine, target-org,
      target-location, target-external, comment

   Attributes are based on the usage within their different communities.
   Attributes can be extended on a regular basis and this reference
   document is updated accordingly.

2.4.2.4.  category

   category represents the intent of what the attribute is describing as
   selected by the attribute creator, using a list of pre-defined
   attribute categories.

   category is represented as a JSON string.  category MUST be present
   and it MUST be a valid selection for the chosen type.  The list of
   valid category-type combinations is mentioned above.

2.4.2.5.  to_ids

   to_ids represents whether the attribute is meant to be actionable.
   Actionable defines attributes that can be used in automated processes
   as a pattern for detection in local or network intrusion detection
   systems, log analysis tools or even filtering mechanisms.

   to_ids is represented as a JSON boolean.  to_ids MUST be present.

2.4.2.6.  event_id

   event_id represents a human-readable identifier referencing the Event
   object that the attribute belongs to.  A human-readable identifier
   MUST be represented as an unsigned integer.

   The event_id SHOULD be updated when the event is imported to reflect
   the newly created event's id on the instance.

   event_id is represented as a JSON string.  event_id MUST be present.

2.4.2.7.  distribution

   distribution represents the basic distribution rules of the
   attribute.  The system must adhere to the distribution setting for
   access control and for dissemination of the attribute.

   distribution is represented by a JSON string.  distribution MUST be
   present and be one of the following options:

   0
      Your Organisation Only

   1
      This Community Only

   2
      Connected Communities

   3
      All Communities

   4
      Sharing Group

   5
      Inherit Event

2.4.2.8.  timestamp

   timestamp represents a reference time when the attribute was created
   or last modified.  timestamp is expressed in seconds (decimal) since
   1st of January 1970 (Unix timestamp).  The time zone MUST be UTC.

   timestamp is represented as a JSON string.  timestamp MUST be present.

2.4.2.9.  comment

   comment is a contextual comment field.

   comment is represented by a JSON string.  comment MAY be present.

2.4.2.10.  sharing_group_id

   sharing_group_id represents a human-readable identifier referencing a
   Sharing Group object that defines the distribution of the attribute,
   if distribution level "4" is set.  A human-readable identifier MUST
   be represented as an unsigned integer.

   sharing_group_id is represented by a JSON string and SHOULD be
   present.  If a distribution level other than "4" is chosen, the
   sharing_group_id MUST be set to "0".

2.4.2.11.  deleted

   deleted represents a setting that allows attributes to be revoked.
   Revoked attributes are not actionable and exist merely to inform
   other instances of a revocation.

   deleted is represented by a JSON boolean.  deleted MUST be present.

2.4.2.12.  data

   data contains the base64 encoded contents of an attachment or a
   malware sample.  For malware samples, the sample MUST be encrypted
   using a password protected zip archive, with the password being
   "infected".

   data is represented by a JSON string in base64 encoding.  data MUST be
   set for attributes of type malware-sample and attachment.

2.4.2.13.  RelatedAttribute

   RelatedAttribute is an array of attributes correlating with the
   current attribute.  Each element in the array is a JSON object which
   contains an Attribute dictionary with the external attributes which
   correlate.  Each Attribute MUST include the id, org_id, info and a
   value.  Only the correlations found on the local instance are shown
   in RelatedAttribute.

   RelatedAttribute MAY be present.

2.4.2.14.  ShadowAttribute

   ShadowAttribute is an array of shadow attributes that serve as
   proposals by third parties to alter the containing attribute.  The
   structure of a ShadowAttribute is similar to that of an Attribute,
   which can be accepted or discarded by the event creator.  If
   accepted, the original attribute containing the shadow attribute is
   removed and the shadow attribute is converted into an attribute.

   Each shadow attribute that references an attribute MUST contain the
   containing attribute's ID in the old_id field and the event's ID in
   the event_id field.

2.4.2.15.  value

   value represents the payload of an attribute.  The format of the
   value is dependent on the type of the attribute.

   value is represented by a JSON string.  value MUST be present.

2.5.  ShadowAttribute

   ShadowAttributes are third-party created attributes that either
   propose to add new information to an event or modify existing
   information.  They are not meant to be actionable until the event
   creator accepts them, at which point they will be converted into
   attributes or modify an existing attribute.

   They are similar in structure to Attributes but additionally carry a
   reference to the creator of the ShadowAttribute as well as a
   revocation flag.

2.5.1.  Sample Attribute Object

   "ShadowAttribute": {
     "id": "8",
     "type": "ip-src",
     "category": "Network activity",
     "to_ids": false,
     "uuid": "57d475f1-da78-4569-89de-1458c0a83869",
     "event_uuid": "57d475e6-41c4-41ca-b450-145ec0a83869",
     "event_id": "9",
     "old_id": "319",
     "comment": "",
     "org_id": "1",
     "proposal_to_delete": false,
     "value": "5.5.5.5",
     "deleted": false,
     "Org": {
       "id": "1",
       "name": "MISP",
       "uuid": "568cce5a-0c80-412b-8fdf-1ffac0a83869"
     }
   }

2.5.2.  ShadowAttribute Attributes

2.5.2.1.  uuid

   uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of
   the event.  The uuid MUST be preserved for any updates or transfer of
   the same event.  UUID version 4 is RECOMMENDED when assigning it to a
   new event.

   uuid is represented as a JSON string.  uuid MUST be present.

2.5.2.2.  id

   id represents the human-readable identifier associated to the event
   for a specific MISP instance.  A human-readable identifier MUST be
   represented as an unsigned integer.  id is represented as a JSON
   string.  id SHALL be present.

2.5.2.3.  type

   type represents the means through which an attribute tries to
   describe the intent of the attribute creator, using a list of
   pre-defined attribute types.
721 type is represented as a JSON string. type MUST be present and it 722 MUST be a valid selection for the chosen category. The list of valid 723 category-type combinations is as follows: 725 Antivirus detection 726 link, comment, text, hex, attachment, other 728 Artifacts dropped 729 md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, 730 ssdeep, imphash, impfuzzy, authentihash, filename, filename|md5, 731 filename|sha1, filename|sha224, filename|sha256, filename|sha384, 732 filename|sha512, filename|sha512/224, filename|sha512/256, 733 filename|authentihash, filename|ssdeep, filename|tlsh, 734 filename|imphash, filename|impfuzzy, filename|pehash, regkey, 735 regkey|value, pattern-in-file, pattern-in-memory, pdb, 736 stix2-pattern, yara, sigma, attachment, malware-sample, named 737 pipe, mutex, windows-scheduled-task, windows-service-name, 738 windows-service-displayname, comment, text, hex, x509-fingerprint- 739 sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, 740 cookie, gene, mime-type 742 Attribution 743 threat-actor, campaign-name, campaign-id, whois-registrant-phone, 744 whois-registrant-email, whois-registrant-name, whois-registrant- 745 org, whois-registrar, whois-creation-date, comment, text, x509- 746 fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, 747 other, dns-soa-email 749 External analysis 750 md5, sha1, sha256, filename, filename|md5, filename|sha1, 751 filename|sha256, ip-src, ip-dst, ip-dst|port, ip-src|port, mac- 752 address, mac-eui-64, hostname, domain, domain|ip, url, user-agent, 753 regkey, regkey|value, AS, snort, pattern-in-file, pattern-in- 754 traffic, pattern-in-memory, vulnerability, attachment, malware- 755 sample, link, comment, text, x509-fingerprint-sha1, x509- 756 fingerprint-md5, x509-fingerprint-sha256, github-repository, 757 other, cortex 759 Financial fraud 760 btc, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, 761 prtn, phone-number, comment, text, other, hex 763 
Internal reference 764 text, link, comment, other, hex 766 Network activity 767 ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, 768 domain|ip, mac-address, mac-eui-64, email-dst, url, uri, user- 769 agent, http-method, AS, snort, pattern-in-file, stix2-pattern, 770 pattern-in-traffic, attachment, comment, text, x509-fingerprint- 771 sha1, other, hex, cookie, hostname|port 773 Other 774 comment, text, other, size-in-bytes, counter, datetime, cpe, port, 775 float, hex, phone-number, boolean 777 Payload delivery 778 md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, 779 ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename, 780 filename|md5, filename|sha1, filename|sha224, filename|sha256, 781 filename|sha384, filename|sha512, filename|sha512/224, 782 filename|sha512/256, filename|authentihash, filename|ssdeep, 783 filename|tlsh, filename|imphash, filename|impfuzzy, 784 filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip- 785 dst|port, ip-src|port, hostname, domain, email-src, email-dst, 786 email-subject, email-attachment, email-body, url, user-agent, AS, 787 pattern-in-file, pattern-in-traffic, stix2-pattern, yara, sigma, 788 mime-type, attachment, malware-sample, link, malware-type, 789 comment, text, hex, vulnerability, x509-fingerprint-sha1, x509- 790 fingerprint-md5, x509-fingerprint-sha256, other, hostname|port, 791 email-dst-display-name, email-src-display-name, email-header, 792 email-reply-to, email-x-mailer, email-mime-boundary, email-thread- 793 index, email-message-id, mobile-application-id, whois-registrant- 794 email 796 Payload installation 797 md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, 798 ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename, 799 filename|md5, filename|sha1, filename|sha224, filename|sha256, 800 filename|sha384, filename|sha512, filename|sha512/224, 801 filename|sha512/256, filename|authentihash, filename|ssdeep, 802 filename|tlsh, 
filename|imphash, filename|impfuzzy, 803 filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in- 804 memory, stix2-pattern, yara, sigma, vulnerability, attachment, 805 malware-sample, malware-type, comment, text, hex, x509- 806 fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, 807 mobile-application-id, other, mime-type 809 Payload type 810 comment, text, other 812 Persistence mechanism 813 filename, regkey, regkey|value, comment, text, other, hex 815 Person 816 first-name, middle-name, last-name, date-of-birth, place-of-birth, 817 gender, passport-number, passport-country, passport-expiration, 818 redress-number, nationality, visa-number, issue-date-of-the-visa, 819 primary-residence, country-of-residence, special-service-request, 820 frequent-flyer-number, travel-details, payment-details, place- 821 port-of-original-embarkation, place-port-of-clearance, place-port- 822 of-onward-foreign-destination, passenger-name-record-locator- 823 number, comment, text, other, phone-number, identity-card-number 825 Social network 826 github-username, github-repository, github-organisation, jabber- 827 id, twitter-id, email-src, email-dst, comment, text, other, whois- 828 registrant-email 830 Support Tool 831 link, text, attachment, comment, other, hex 833 Targeting data 834 target-user, target-email, target-machine, target-org, target- 835 location, target-external, comment 837 Attributes are based on the usage within their different communities. 838 Attributes can be extended on a regular basis and this reference 839 document is updated accordingly. 841 2.5.2.4. category 843 category represents the intent of what the attribute is describing as 844 selected by the attribute creator, using a list of pre-defined 845 attribute categories. 847 category is represented as a JSON string. category MUST be present 848 and it MUST be a valid selection for the chosen type. The list of 849 valid category-type combinations is mentioned above. 851 2.5.2.5. 
to_ids 853 to_ids represents whether the Attribute that would be created if the 854 ShadowAttribute is accepted is meant to be actionable. Actionable 855 attributes are those that can be used in automated processes as a 856 pattern for detection in a host or network intrusion detection system, 857 in log analysis tools or even in filtering mechanisms. 859 to_ids is represented as a JSON boolean. to_ids MUST be present. Consumers that derive IDS rules or blocklists from MISP data should select only attributes whose to_ids is true; a false value marks contextual data that would produce false positives if matched automatically. 861 2.5.2.6. event_id 863 event_id represents a human-readable identifier referencing the Event 864 object that the ShadowAttribute belongs to. 866 The event_id SHOULD be updated when the event is imported to reflect 867 the newly created event's id on the instance. 869 event_id is represented as a JSON string. event_id MUST be present. 871 2.5.2.7. old_id 873 old_id represents a human-readable identifier referencing the 874 Attribute object that the ShadowAttribute belongs to. A 875 ShadowAttribute can this way target an existing Attribute, implying 876 that it is a proposal to modify an existing Attribute, or 877 alternatively it can be a proposal to create a new Attribute for the 878 containing Event. 880 The old_id SHOULD be updated when the event is imported to reflect 881 the newly created Attribute's id on the instance. Alternatively, if 882 the ShadowAttribute proposes the creation of a new Attribute, it 883 should be set to 0. 885 old_id is represented as a JSON string. old_id MUST be present. 887 2.5.2.8. timestamp 889 timestamp represents a reference time when the attribute was created 890 or last modified. timestamp is expressed in seconds (decimal) since 891 1st of January 1970 (Unix timestamp). The time zone MUST be UTC. 893 timestamp is represented as a JSON string. timestamp MUST be present. 895 2.5.2.9. comment 897 comment is a contextual comment field. 899 comment is represented by a JSON string. comment MAY be present. 901 2.5.2.10. org_id 903 org_id represents a human-readable identifier referencing the 904 proposal creator's Organisation object.
A human-readable identifier 905 MUST be represented as an unsigned integer. 907 Whilst attributes can only be created by the event creator 908 organisation, shadow attributes can be created by third parties. 909 org_id tracks the creator organisation. 911 org_id is represented by a JSON string and MUST be present. 913 2.5.2.11. proposal_to_delete 915 proposal_to_delete is a boolean flag that sets whether the shadow 916 attribute proposes to alter an attribute, or whether it proposes to 917 remove it completely. 919 Accepting a shadow attribute with this flag set will remove the 920 target attribute. 922 proposal_to_delete is a JSON boolean and it MUST be present. If 923 proposal_to_delete is set to true, old_id MUST NOT be 0. 925 2.5.2.12. deleted 927 deleted represents a setting that allows shadow attributes to be 928 revoked. Revoked shadow attributes only serve to inform other 929 instances that the shadow attribute is no longer active. 931 deleted is represented by a JSON boolean. deleted SHOULD be present. 933 2.5.2.13. data 935 data contains the base64 encoded contents of an attachment or a 936 malware sample. For malware samples, the sample MUST be encrypted 937 using a password protected zip archive, with the password being 938 "infected". The password is a fixed, public convention: the archive protects against accidental execution and antivirus quarantine of the sample in transit or at rest, not its confidentiality, which is governed by the distribution setting. 940 data is represented by a JSON string in base64 encoding. data MUST be 941 set for shadow attributes of type malware-sample and attachment. 943 2.5.3. Org 945 An Org object is composed of an uuid, name and id. 947 The uuid represents the Universally Unique IDentifier (UUID) 948 [RFC4122] of the organization. The organization UUID is globally 949 assigned to an organization and SHALL be kept over time. 951 The name is a readable description of the organization and SHOULD be 952 present. The id is a human-readable identifier generated by the 953 instance and used as reference in the event. A human-readable 954 identifier MUST be represented as an unsigned integer. 956 uuid, name and id are represented as a JSON string.
uuid, name and id 957 MUST be present. 959 2.5.3.1. Sample Org Object 961 "Org": { 962 "id": "2", 963 "name": "CIRCL", 964 "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" 965 } 967 2.5.3.2. value 969 value represents the payload of an attribute. The format of the 970 value is dependent on the type of the attribute. 972 value is represented by a JSON string. value MUST be present. 974 2.6. Object 976 Objects serve as a contextual bond between a list of attributes 977 within an event. Their main purpose is to describe more complex 978 structures than can be described by a single attribute. Each object is 979 created using an Object Template and carries the meta-data of the 980 template used for its creation within. Objects belong to a meta- 981 category and are defined by a name. 983 The schema used is described by the template_uuid and 984 template_version fields. 986 A MISP document containing an Object MUST contain a name, a meta- 987 category, a description, a template_uuid and a template_version as 988 described in the "Object Attributes" section. 990 2.6.1.
Sample Object object 992 "Object": { 993 "id": "588", 994 "name": "file", 995 "meta-category": "file", 996 "description": "File object describing a file with meta-information", 997 "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", 998 "template_version": "3", 999 "event_id": "56", 1000 "uuid": "398b0094-0384-4c48-9bf0-22b3dff9c4d3", 1001 "timestamp": "1505747965", 1002 "distribution": "5", 1003 "sharing_group_id": "0", 1004 "comment": "", 1005 "deleted": false, 1006 "ObjectReference": [], 1007 "Attribute": [ 1008 { 1009 "id": "7822", 1010 "type": "filename", 1011 "category": "Payload delivery", 1012 "to_ids": true, 1013 "uuid": "59bfe3fb-bde0-4dfe-b5b1-2b10a07724d1", 1014 "event_id": "56", 1015 "distribution": "0", 1016 "timestamp": "1505747963", 1017 "comment": "", 1018 "sharing_group_id": "0", 1019 "deleted": false, 1020 "disable_correlation": false, 1021 "object_id": "588", 1022 "object_relation": "filename", 1023 "value": "StarCraft.exe", 1024 "ShadowAttribute": [] 1025 } 1026 ] 1027 } 1028 2.6.2. Object Attributes 1030 2.6.2.1. uuid 1032 uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of 1033 the object. The uuid MUST be preserved for any updates or transfer 1034 of the same object. UUID version 4 is RECOMMENDED when assigning it 1035 to a new object. 1037 2.6.2.2. id 1039 id represents the human-readable identifier associated to the object 1040 for a specific MISP instance. A human-readable identifier MUST be 1041 represented as an unsigned integer. 1043 id is represented as a JSON string. id SHALL be present. 1045 2.6.2.3. name 1047 name represents the human-readable name of the object describing the 1048 intent of the object package. 1050 name is represented as a JSON string. name MUST be present 1052 2.6.2.4. meta-category 1054 meta-category represents the sub-category of objects that the given 1055 object belongs to. meta-categories are not tied to a fixed list of 1056 options but can be created on the fly. 
1058 meta-category is represented as a JSON string. meta-category MUST be 1059 present. 1061 2.6.2.5. description 1063 description is a human-readable description of the given object type, 1064 as derived from the template used for creation. 1066 description is represented as a JSON string. description SHALL be present. 1068 2.6.2.6. template_uuid 1070 template_uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of 1071 the template used to create the object. The template_uuid MUST be preserved 1072 to preserve the object's association with the correct template used 1073 for creation. UUID version 4 is RECOMMENDED when assigning it to a 1074 new template. 1076 2.6.2.7. template_version 1078 template_version represents a numeric incrementing version of the 1079 template used to create the object. It is used to associate the 1080 object to the correct version of the template and together with the 1081 template_uuid forms an association to the correct template type and 1082 version. 1084 template_version is represented as a JSON string. template_version MUST be present. 1086 2.6.2.8. event_id 1088 event_id represents the human-readable identifier of the event that 1089 the object belongs to on a specific MISP instance. A human-readable 1090 identifier MUST be represented as an unsigned integer. 1092 event_id is represented as a JSON string. event_id SHALL be present. 1094 2.6.2.9. timestamp 1096 timestamp represents a reference time when the object was created or 1097 last modified. timestamp is expressed in seconds (decimal) since 1st 1098 of January 1970 (Unix timestamp). The time zone MUST be UTC. 1100 timestamp is represented as a JSON string. timestamp MUST be present. 1102 2.6.2.10. distribution 1104 distribution represents the basic distribution rules of the object. 1105 The system MUST adhere to the distribution setting for access control 1106 and for dissemination of the object. 1108 distribution is represented by a JSON string.
distribution MUST be 1109 present and be one of the following options: 1111 0 1112 Your Organisation Only 1114 1 1115 This Community Only 1117 2 1118 Connected Communities 1120 3 1121 All Communities 1123 4 1124 Sharing Group 1126 2.6.2.11. sharing_group_id 1128 sharing_group_id represents a human-readable identifier referencing a 1129 Sharing Group object that defines the distribution of the object, if 1130 distribution level "4" is set. A human-readable identifier MUST be 1131 represented as an unsigned integer. 1133 sharing_group_id is represented by a JSON string and SHOULD be 1134 present. If a distribution level other than "4" is chosen the 1135 sharing_group_id MUST be set to "0". 1137 2.6.2.12. comment 1139 comment is a contextual comment field. 1141 comment is represented by a JSON string. comment MAY be present. 1143 2.6.2.13. deleted 1145 deleted represents a setting that allows objects to be revoked. 1146 Revoked objects are not actionable and exist merely to inform 1147 other instances of a revocation. 1149 deleted is represented by a JSON boolean. deleted MUST be present. 1151 2.6.2.14. Attribute 1153 Attribute is an array of attributes that describe the object with 1154 data. 1156 Each attribute in an object MUST contain the parent event's ID in the 1157 event_id field and the parent object's ID in the object_id field. 1159 2.7. Object References 1161 Object References serve as a logical link between an Object and 1162 another referenced Object or Attribute. The relationship is 1163 categorised by an enumerated value from a fixed vocabulary. 1165 Taking the relationship_type from the MISP object 1166 relationship list [MISP-R] is RECOMMENDED to ensure a coherent 1167 naming of the relationships. 1169 All Object References MUST contain an object_uuid, a referenced_uuid 1170 and a relationship_type. 1172 2.7.1.
Sample ObjectReference object 1174 "ObjectReference": { 1175 "id": "195", 1176 "uuid": "59c21a2c-c0ac-4083-93b3-363da07724d1", 1177 "timestamp": "1505892908", 1178 "object_id": "591", 1179 "event_id": "113", 1180 "referenced_id": "590", 1181 "referenced_type": "1", 1182 "relationship_type": "derived-from", 1183 "comment": "", 1184 "deleted": false, 1185 "object_uuid": "59c1134d-8a40-4c14-ad94-0f7ba07724d1", 1186 "referenced_uuid": "59c1133c-9adc-4d06-a34b-0f7ca07724d1" 1187 } 1189 2.7.2. ObjectReference Attributes 1191 2.7.2.1. uuid 1193 uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of 1194 the object reference. The uuid MUST be preserved for any updates or 1195 transfer of the same object reference. UUID version 4 is RECOMMENDED 1196 when assigning it to a new object reference. 1198 2.7.2.2. id 1200 id represents the human-readable identifier associated to the object 1201 reference for a specific MISP instance. 1203 id is represented as a JSON string. id SHALL be present. 1205 2.7.2.3. timestamp 1207 timestamp represents a reference time when the object reference was created or 1208 last modified. timestamp is expressed in seconds (decimal) since 1st 1209 of January 1970 (Unix timestamp). The time zone MUST be UTC. 1211 timestamp is represented as a JSON string. timestamp MUST be present. 1213 2.7.2.4. object_id 1215 object_id represents the human-readable identifier of the object that 1216 the object reference belongs to on a specific MISP instance. A 1217 human-readable identifier MUST be represented as an unsigned integer. 1219 object_id is represented as a JSON string. object_id SHALL be present. 1221 2.7.2.5. event_id 1223 event_id represents the human-readable identifier of the event that 1224 the object reference belongs to on a specific MISP instance. A 1225 human-readable identifier MUST be represented as an unsigned integer. 1227 event_id is represented as a JSON string. event_id SHALL be present. 1229 2.7.2.6.
referenced_id 1231 referenced_id represents the human-readable identifier of the object 1232 or attribute that the parent object of the object reference points to 1233 on a specific MISP instance. 1235 referenced_id is represented as a JSON string. referenced_id MAY be 1236 present. 1238 2.7.2.7. referenced_type 1240 referenced_type represents the numeric value describing what the 1241 object reference points to, "0" representing an attribute and "1" 1242 representing an object. 1244 referenced_type is represented as a JSON string. referenced_type MAY 1245 be present. 1247 2.7.2.8. relationship_type 1249 relationship_type represents the human-readable context of the 1250 relationship between an object and another object or attribute as 1251 described by the object reference. 1253 relationship_type is represented as a JSON string. relationship_type 1254 MUST be present. 1256 2.7.2.9. comment 1258 comment is a contextual comment field. 1260 comment is represented by a JSON string. comment MAY be present. 1262 2.7.2.10. deleted 1264 deleted represents a setting that allows object references to be 1265 revoked. Revoked object references are not actionable and exist 1266 merely to inform other instances of a revocation. 1268 deleted is represented by a JSON boolean. deleted MUST be present. 1270 2.7.2.11. object_uuid 1272 object_uuid represents the Universally Unique IDentifier (UUID) 1273 [RFC4122] of the object that the given object reference belongs to. 1274 The object_uuid MUST be preserved to preserve the object reference's 1275 association with the object. 1277 2.7.2.12. referenced_uuid 1279 referenced_uuid represents the Universally Unique IDentifier (UUID) 1280 [RFC4122] of the object or attribute that is being referenced by the 1281 object reference. The referenced_uuid MUST be preserved to preserve 1282 the object reference's association with the object or attribute. 1284 2.8. Tag 1286 A tag is a simple method to classify an event with a simple string.
1287 The tag name can be freely chosen. The tag name can be also chosen 1288 from a fixed machine-tag vocabulary called MISP taxonomies[[MISP-T]]. 1289 When an event is distributed outside an organisation, the use of MISP 1290 taxonomies[[MISP-T]] is RECOMMENDED to ensure a coherent naming of 1291 the tags. A tag is represented as a JSON array where each element 1292 describes each tag associated. A tag array SHALL be at event level 1293 or attribute level. A tag element is described with a name, id, 1294 colour and exportable flag. 1296 exportable represents a setting if the tag is kept local or 1297 exportable to other MISP instances. exportable is represented by a 1298 JSON boolean. id is a human-readable identifier that references the 1299 tag on the local instance. colour represents an RGB value of the tag. 1301 name MUST be present. colour, id and exportable SHALL be present. 1303 2.8.1. Sample Tag 1305 "Tag": [{ 1306 "exportable": true, 1307 "colour": "#ffffff", 1308 "name": "tlp:white", 1309 "id": "2" }] 1311 2.9. Sighting 1313 A sighting is an ascertainment which describes whether an attribute 1314 has been seen under a given set of conditions. The sighting can 1315 include the organisation who sighted the attribute or can be 1316 anonymised. Sighting is composed of a JSON array in which each 1317 element describes one singular instance of a sighting. A sighting 1318 element is a JSON object composed of the following values: 1320 type MUST be present. type describes the type of a sighting. 
MISP 1321 allows 3 default types: 1323 +------------+------------------------------------------------------+ 1324 | Sighting | Description | 1325 | type | | 1326 +------------+------------------------------------------------------+ 1327 | 0 | denotes an attribute which has been seen | 1328 | 1 | denotes an attribute which has been seen and | 1329 | | confirmed as false-positive | 1330 | 2 | denotes an attribute which will be expired at the | 1331 | | time of the sighting | 1332 +------------+------------------------------------------------------+ 1334 uuid MUST be present. uuid references the uuid of the sighted 1335 attribute. 1337 date_sighting MUST be present. date_sighting is expressed in seconds 1338 (decimal) elapsed since 1st of January 1970 (Unix timestamp). 1339 date_sighting represents when the referenced attribute, designated by 1340 its uuid, is sighted. 1342 source MAY be present. source is represented as a JSON string and 1343 represents the human-readable version of the sighting source, which 1344 can be a given piece of software (e.g. SIEM), device or a specific 1345 analytical process. 1347 id, event_id and attribute_id MAY be present. 1349 id represents the human-readable identifier of the sighting reference 1350 which belongs to a specific MISP instance. event_id represents the 1351 human-readable identifier of the event referenced by the sighting and 1352 belongs to a specific MISP instance. attribute_id represents the 1353 human-readable identifier of the attribute referenced by the sighting 1354 and belongs to a specific MISP instance. 1356 org_id MAY be present along with the JSON object describing the 1357 organisation. If the org_id is not present, the sighting is 1358 considered as anonymised. 1360 org_id represents the human-readable identifier of the organisation 1361 which did the sighting and belongs to a specific MISP instance. 1363 A human-readable identifier MUST be represented as an unsigned 1364 integer. 1366 2.9.1.
Sample Sighting 1368 "Sighting": [ 1369 { 1370 "id": "13599", 1371 "attribute_id": "1201615", 1372 "event_id": "10164", 1373 "org_id": "2", 1374 "date_sighting": "1517581400", 1375 "uuid": "5a747459-41b4-4826-9b29-42dd950d210f", 1376 "source": "M2M-CIRCL", 1377 "type": "0", 1378 "Organisation": { 1379 "id": "2", 1380 "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", 1381 "name": "CIRCL" 1382 } 1383 }, 1384 { 1385 "id": "13601", 1386 "attribute_id": "1201615", 1387 "event_id": "10164", 1388 "org_id": "2", 1389 "date_sighting": "1517581401", 1390 "uuid": "5a74745a-a190-4d04-b719-4916950d210f", 1391 "source": "M2M-CIRCL", 1392 "type": "0", 1393 "Organisation": { 1394 "id": "2", 1395 "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", 1396 "name": "CIRCL" 1397 } 1398 } 1399 ] 1401 2.10. Galaxy 1403 A galaxy is a simple method to express a large object called cluster 1404 that can be attached to MISP events. A cluster can be composed of 1405 one or more elements. Elements are expressed as key-values. 1407 2.10.1. 
Sample Galaxy 1408 "Galaxy": [ { 1409 "id": "18", 1410 "uuid": "698774c7-8022-42c4-917f-8d6e4f06ada3", 1411 "name": "Threat Actor", 1412 "type": "threat-actor", 1413 "description": "Threat actors are characteristics of malicious actors 1414 (or adversaries) representing a cyber attack threat 1415 including presumed intent and historically observed behaviour.", 1416 "version": "1", 1417 "GalaxyCluster": [ 1418 { 1419 "id": "1699", 1420 "uuid": "7cdff317-a673-4474-84ec-4f1754947823", 1421 "type": "threat-actor", 1422 "value": "Anunak", 1423 "tag_name": "misp-galaxy:threat-actor=\"Anunak\"", 1424 "description": "Groups targeting financial organizations 1425 or people with significant financial assets.", 1426 "galaxy_id": "18", 1427 "source": "MISP Project", 1428 "authors": [ 1429 "Alexandre Dulaunoy", 1430 "Florian Roth", 1431 "Thomas Schreck", 1432 "Timo Steffens", 1433 "Various" 1434 ], 1435 "tag_id": "111", 1436 "meta": { 1437 "synonyms": [ 1438 "Carbanak", 1439 "Carbon Spider" 1440 ], 1441 "country": [ 1442 "RU" 1443 ], 1444 "motive": [ 1445 "Cybercrime" 1446 ] 1447 } 1448 } 1449 ] 1450 } 1451 ] 1453 3. JSON Schema 1455 The JSON Schema [JSON-SCHEMA] below defines the structure of the MISP 1456 core format as literally described before. The JSON Schema is used 1457 to validate MISP events at creation time or parsing. 
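The schema that follows checks JSON types and property names only. The MUST rules stated in prose in sections 2.5 to 2.7 (a type valid for its category, old_id not 0 when proposal_to_delete is set, sharing_group_id 0 unless distribution is 4, event_id and object_id of attributes inside an Object matching their parents, referenced_type limited to "0" and "1") have to be checked in code. The following is an added example and not code from this draft or the MISP project; the CATEGORY_TYPES table reproduces only a few rows of the category/type list above as an assumption, and the event it runs on is constructed for the example, violating one rule of each kind:

```python
"""Semantic checks on a MISP event that a JSON Schema cannot express.

Added example, not MISP project code.  CATEGORY_TYPES is an assumed
subset of the draft's category/type table; a deployment would load the
full table.  SAMPLE_EVENT is constructed and deliberately breaks one
rule of each kind so that every check below fires once.
"""

CATEGORY_TYPES = {  # assumption: subset of section 2.5.2.3
    "Payload delivery": {"md5", "sha1", "sha256", "filename", "filename|md5",
                         "filename|sha256", "ip-dst", "ip-dst|port", "domain",
                         "url", "email-src", "attachment", "malware-sample"},
    "Network activity": {"ip-src", "ip-dst", "ip-dst|port", "ip-src|port",
                         "port", "hostname", "domain", "domain|ip", "url",
                         "snort", "hostname|port"},
    "Artifacts dropped": {"md5", "sha1", "sha256", "filename", "filename|md5",
                          "regkey", "regkey|value", "mutex", "yara", "sigma"},
}
DISTRIBUTION_LEVELS = {"0", "1", "2", "3", "4"}  # section 2.6.2.10
REFERENCED_TYPES = {"0", "1"}                    # 0 = attribute, 1 = object


def check_attribute(attr, event_id, object_id=None):
    """Rule violations for one Attribute or ShadowAttribute, as strings."""
    tag, errors = f"attribute {attr.get('uuid')}", []
    for key in ("type", "category", "to_ids", "event_id", "timestamp", "value"):
        if key not in attr:
            errors.append(f"{tag}: missing {key}")
    category, atype = attr.get("category"), attr.get("type")
    allowed = CATEGORY_TYPES.get(category)
    if allowed is None:
        errors.append(f"{tag}: unknown category {category!r}")
    elif atype not in allowed:
        errors.append(f"{tag}: type {atype!r} is not valid for category {category!r}")
    # Composite types (filename|md5, ip-dst|port, ...) carry both parts in
    # value, separated by '|'; a missing part makes the indicator unusable.
    if atype and "|" in atype and str(attr.get("value", "")).count("|") != atype.count("|"):
        errors.append(f"{tag}: composite type {atype} needs a '|'-separated value")
    if "to_ids" in attr and not isinstance(attr["to_ids"], bool):
        errors.append(f"{tag}: to_ids must be a JSON boolean")
    if attr.get("event_id") != event_id:
        errors.append(f"{tag}: event_id {attr.get('event_id')!r} does not match event {event_id!r}")
    if object_id is not None and attr.get("object_id") != object_id:
        errors.append(f"{tag}: object_id {attr.get('object_id')!r} does not match object {object_id!r}")
    return errors


def check_shadow_attribute(sa, event_id):
    errors, tag = check_attribute(sa, event_id), f"shadow attribute {sa.get('uuid')}"
    errors += [f"{tag}: missing {k}" for k in ("old_id", "org_id", "proposal_to_delete") if k not in sa]
    if sa.get("proposal_to_delete") is True and sa.get("old_id") == "0":  # section 2.5.2.11
        errors.append(f"{tag}: proposal_to_delete set but old_id is 0")
    return errors


def check_object_reference(ref, obj):
    tag = f"object reference {ref.get('uuid')}"
    errors = [f"{tag}: missing {k}" for k in ("object_uuid", "referenced_uuid", "relationship_type") if k not in ref]
    if ref.get("object_uuid") != obj.get("uuid"):
        errors.append(f"{tag}: object_uuid does not match the containing object")
    rt = ref.get("referenced_type")
    if rt is not None and rt not in REFERENCED_TYPES:
        errors.append(f"{tag}: referenced_type {rt!r} must be '0' (attribute) or '1' (object)")
    return errors


def check_object(obj, event_id):
    tag = f"object {obj.get('uuid')}"
    errors = [f"{tag}: missing {k}" for k in
              ("name", "meta-category", "description", "template_uuid", "template_version") if k not in obj]
    dist, sg = obj.get("distribution"), obj.get("sharing_group_id", "0")
    if dist not in DISTRIBUTION_LEVELS:
        errors.append(f"{tag}: distribution {dist!r} is not a known level")
    if dist == "4" and sg == "0":
        errors.append(f"{tag}: distribution 4 requires a non-zero sharing_group_id")
    if dist != "4" and sg != "0":
        errors.append(f"{tag}: sharing_group_id must be 0 unless distribution is 4")
    for attr in obj.get("Attribute", []):
        errors += check_attribute(attr, event_id, obj.get("id"))
    for ref in obj.get("ObjectReference", []):
        errors += check_object_reference(ref, obj)
    return errors


def check_event(doc):
    """All violations found in a MISP document of the form {"Event": {...}}."""
    event, errors = doc["Event"], []
    event_id = event.get("id")
    for attr in event.get("Attribute", []):
        errors += check_attribute(attr, event_id)
    for sa in event.get("ShadowAttribute", []):
        errors += check_shadow_attribute(sa, event_id)
    for obj in event.get("Object", []):
        errors += check_object(obj, event_id)
    return errors


# Constructed sample (not from the draft); ids, uuids and values are made up.
SAMPLE_EVENT = {"Event": {
    "id": "56", "uuid": "1e2a0c5e-7b3d-4f7a-9c2e-5d6f0a1b2c3d", "info": "constructed sample",
    "Attribute": [
        {"id": "1", "uuid": "0f1b4c6e-9a2d-4e3f-8b7c-1d2e3f4a5b6c", "type": "ip-dst|port",
         "category": "Network activity", "to_ids": True, "event_id": "56",
         "timestamp": "1505747963", "value": "198.51.100.7|443"},
        {"id": "2", "uuid": "2a3b4c5d-6e7f-4a8b-9c0d-1e2f3a4b5c6d", "type": "mutex",
         "category": "Network activity", "to_ids": True, "event_id": "56",
         "timestamp": "1505747963", "value": "Global\\sample"}],
    "ShadowAttribute": [
        {"id": "3", "uuid": "3b4c5d6e-7f8a-4b9c-8d0e-2f3a4b5c6d7e", "type": "md5",
         "category": "Payload delivery", "to_ids": True, "event_id": "56", "old_id": "0",
         "org_id": "7", "proposal_to_delete": True, "timestamp": "1505747964",
         "value": "d41d8cd98f00b204e9800998ecf8427e"}],
    "Object": [
        {"id": "588", "uuid": "4c5d6e7f-8a9b-4c0d-9e1f-3a4b5c6d7e8f", "name": "file",
         "meta-category": "file", "description": "File object", "template_version": "3",
         "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "event_id": "56",
         "distribution": "4", "sharing_group_id": "0",
         "Attribute": [
             {"id": "4", "uuid": "5d6e7f8a-9b0c-4d1e-8f2a-4b5c6d7e8f9a", "type": "filename",
              "category": "Payload delivery", "to_ids": True, "event_id": "57",
              "object_id": "588", "timestamp": "1505747963", "value": "StarCraft.exe"}],
         "ObjectReference": [
             {"uuid": "6e7f8a9b-0c1d-4e2f-9a3b-5c6d7e8f9a0b",
              "object_uuid": "4c5d6e7f-8a9b-4c0d-9e1f-3a4b5c6d7e8f",
              "referenced_uuid": "0f1b4c6e-9a2d-4e3f-8b7c-1d2e3f4a5b6c",
              "referenced_type": "2", "relationship_type": "derived-from"}]}]}}

if __name__ == "__main__":
    for problem in check_event(SAMPLE_EVENT):
        print(problem)
```

Run against the constructed event, check_event reports five problems: the mutex under Network activity, the deletion proposal with old_id 0, the object with distribution 4 but no sharing group, the object attribute whose event_id differs from its parent, and the reference with an unknown referenced_type. Running such checks at import time, before the JSON Schema or instead of relying on it alone, keeps malformed proposals and mis-scoped objects out of the local database.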
1459 { 1460 "$schema": "http://json-schema.org/draft-04/schema#", 1461 "title": "Validator for misp events", 1462 "id": "https://github.com/MISP/MISP/blob/2.4/format/2.4/schema.json", 1463 "defs": { 1464 "org": { 1465 "type": "object", 1466 "additionalProperties": false, 1467 "properties": { 1468 "id": { 1469 "type": "string" 1470 }, 1471 "name": { 1472 "type": "string" 1473 }, 1474 "uuid": { 1475 "type": "string" 1476 } 1477 }, 1478 "required": [ 1479 "uuid" 1480 ] 1481 }, 1482 "orgc": { 1483 "type": "object", 1484 "additionalProperties": false, 1485 "properties": { 1486 "id": { 1487 "type": "string" 1488 }, 1489 "name": { 1490 "type": "string" 1491 }, 1492 "uuid": { 1493 "type": "string" 1494 } 1495 }, 1496 "required": [ 1497 "uuid" 1498 ] 1499 }, 1500 "sharing_group": { 1501 "type": "object", 1502 "additionalProperties": false, 1503 "properties": { 1504 "id": { 1505 "type": "string" 1506 }, 1507 "name": { 1508 "type": "string" 1509 }, 1510 "releasability": { 1511 "type": "string" 1512 }, 1513 "description": { 1514 "type": "string" 1515 }, 1516 "uuid": { 1517 "type": "string" 1518 }, 1519 "organisation_uuid": { 1520 "type": "string" 1521 }, 1522 "org_id": { 1523 "type": "string" 1524 }, 1525 "sync_user_id": { 1526 "type": "string" 1527 }, 1528 "active": { 1529 "type": "boolean" 1530 }, 1531 "created": { 1532 "type": "string" 1533 }, 1534 "modified": { 1535 "type": "string" 1536 }, 1537 "local": { 1538 "type": "boolean" 1539 }, 1540 "roaming": { 1541 "type": "boolean" 1542 }, 1543 "Organisation": { 1544 "$ref": "#/defs/org" 1545 }, 1546 "SharingGroupOrg": { 1547 "type": "array", 1548 "uniqueItems": true, 1549 "items": { 1550 "$ref": "#/defs/sharing_group_org" 1551 } 1552 }, 1553 "SharingGroupServer": { 1554 "type": "array", 1555 "uniqueItems": true, 1556 "items": { 1557 "$ref": "#/defs/sharing_group_server" 1558 } 1559 } 1563 }, 1564 "required": [ 1565 "uuid" 1566 ] 1567 }, 1568 "sharing_group_org": { 1569 "type": "object",
1570 "additionalProperties": false, 1571 "properties": { 1572 "id": { 1573 "type": "string" 1574 }, 1575 "sharing_group_id": { 1576 "type": "string" 1577 }, 1578 "org_id": { 1579 "type": "string" 1580 }, 1581 "extend": { 1582 "type": "boolean" 1583 }, 1584 "Organisation": { 1585 "$ref": "#/defs/org" 1586 } 1587 } 1588 }, 1589 "sharing_group_server": { 1590 "type": "object", 1591 "additionalProperties": false, 1592 "properties": { 1593 "id": { 1594 "type": "string" 1595 }, 1596 "sharing_group_id": { 1597 "type": "string" 1598 }, 1599 "server_id": { 1600 "type": "string" 1601 }, 1602 "all_orgs": { 1603 "type": "boolean" 1604 }, 1605 "Server": { 1606 "$ref": "#/defs/server" 1607 } 1608 } 1609 }, 1610 "server": { 1611 "type": "object", 1612 "additionalProperties": false, 1613 "properties": { 1614 "id": { 1615 "type": "string" 1616 }, 1617 "url": { 1618 "type": "string" 1619 }, 1620 "name": { 1621 "type": "string" 1622 } 1623 } 1624 }, 1625 "object": { 1626 "type": "object", 1627 "additionalProperties": false, 1628 "properties": { 1629 "uuid": { 1630 "type": "string" 1631 }, 1632 "name": { 1633 "type": "string" 1634 }, 1635 "event_id": { 1636 "type": "string" 1637 }, 1638 "description": { 1639 "type": "string" 1640 }, 1641 "template_uuid": { 1642 "type": "string" 1643 }, 1644 "template_version": { 1645 "type": "string" 1646 }, 1647 "id": { 1648 "type": "string" 1649 }, 1650 "meta-category": { 1651 "type": "string" 1652 }, 1653 "deleted": { 1654 "type": "boolean" 1655 }, 1656 "timestamp": { 1657 "type": "string" 1658 }, 1659 "distribution": { 1660 "type": "string" 1661 }, 1662 "sharing_group_id": { 1663 "type": "string" 1664 }, 1665 "comment": { 1666 "type": "string" 1667 }, 1668 "ObjectReference": { 1669 "type": "array", 1670 "uniqueItems": true, 1671 "items": { 1672 "$ref": "#/defs/objectreference" 1673 } 1674 }, 1675 "Attribute": { 1676 "type": "array", 1677 "uniqueItems": true, 1678 "items": { 1679 "$ref": "#/defs/attribute" 1680 } 1681 } 1682 } 1683 }, 1684 
"sighthing": { 1685 "type": "object", 1686 "additionalProperties": false, 1687 "properties": { 1688 "id": { 1689 "type": "string" 1690 }, 1691 "attribute_id": { 1692 "type": "string" 1694 }, 1695 "event_id": { 1696 "type": "string" 1697 }, 1698 "source": { 1699 "type": "string" 1700 }, 1701 "type": { 1702 "type": "string" 1703 }, 1704 "org_id": { 1705 "type": "string" 1706 }, 1707 "date_sighting": { 1708 "type": "string" 1709 }, 1710 "uuid": { 1711 "type": "string" 1712 }, 1713 "Organisation": { 1714 "$ref": "#/defs/organisation" 1715 } 1716 } 1717 }, 1718 "organisation": { 1719 "type": "object", 1720 "additionalProperties": false, 1721 "properties": { 1722 "id": { 1723 "type": "string" 1724 }, 1725 "uuid": { 1726 "type": "string" 1727 }, 1728 "name": { 1729 "type": "string" 1730 } 1731 } 1732 }, 1733 "objectreference": { 1734 "type": "object", 1735 "additionalProperties": false, 1736 "properties": { 1737 "deleted": { 1738 "type": "boolean" 1739 }, 1740 "object_id": { 1741 "type": "string" 1743 }, 1744 "event_id": { 1745 "type": "string" 1746 }, 1747 "timestamp": { 1748 "type": "string" 1749 }, 1750 "id": { 1751 "type": "string" 1752 }, 1753 "uuid": { 1754 "type": "string" 1755 }, 1756 "type": { 1757 "type": "string" 1758 }, 1759 "referenced_id": { 1760 "type": "string" 1761 }, 1762 "referenced_uuid": { 1763 "type": "string" 1764 }, 1765 "referenced_type": { 1766 "type": "string" 1767 }, 1768 "relationship_type": { 1769 "type": "string" 1770 }, 1771 "object_uuid": { 1772 "type": "string" 1773 }, 1774 "comment": { 1775 "type": "string" 1776 }, 1777 "Object": { 1778 "$ref": "#/defs/object" 1779 } 1780 } 1781 }, 1782 "attribute": { 1783 "type": "object", 1784 "additionalProperties": false, 1785 "properties": { 1786 "id": { 1787 "type": "string" 1788 }, 1789 "old_id": { 1790 "type": "string" 1792 }, 1793 "type": { 1794 "type": "string" 1795 }, 1796 "category": { 1797 "type": "string" 1798 }, 1799 "to_ids": { 1800 "type": "boolean" 1801 }, 1802 "uuid": { 1803 "type": 
"string" 1804 }, 1805 "event_id": { 1806 "type": "string" 1807 }, 1808 "event_uuid": { 1809 "type": "string" 1810 }, 1811 "proposal_to_delete": { 1812 "type": "boolean" 1813 }, 1814 "validationIssue": { 1815 "type": "boolean" 1816 }, 1817 "Org": { 1818 "$ref": "#/defs/organisation" 1819 }, 1820 "org_id": { 1821 "type": "string" 1822 }, 1823 "distribution": { 1824 "type": "string" 1825 }, 1826 "timestamp": { 1827 "type": "string" 1828 }, 1829 "comment": { 1830 "type": "string" 1831 }, 1832 "sharing_group_id": { 1833 "type": "string" 1834 }, 1835 "deleted": { 1836 "type": "boolean" 1837 }, 1838 "disable_correlation": { 1839 "type": "boolean" 1841 }, 1842 "value": { 1843 "type": "string" 1844 }, 1845 "data": { 1846 "type": "string" 1847 }, 1848 "object_relation": { 1849 "type": ["string", "null"] 1850 }, 1851 "object_id": { 1852 "type": "string" 1853 }, 1854 "SharingGroup": { 1855 "$ref": "#/defs/sharing_group" 1856 }, 1857 "ShadowAttribute": { 1858 "type": "array", 1859 "uniqueItems": true, 1860 "items": { 1861 "$ref": "#/defs/attribute" 1862 } 1863 }, 1864 "Sighting": { 1865 "type": "array", 1866 "uniqueItems": true, 1867 "items": { 1868 "$ref": "#/defs/sighthing" 1869 } 1870 }, 1871 "Galaxy": { 1872 "type": "array", 1873 "uniqueItems": true, 1874 "items": { 1875 "$ref": "#/defs/galaxy" 1876 } 1877 }, 1878 "Tag": { 1879 "uniqueItems": true, 1880 "type": "array", 1881 "items": { 1882 "$ref": "#/defs/tag" 1883 } 1884 } 1885 } 1886 }, 1887 "event": { 1888 "type": "object", 1889 "additionalProperties": false, 1890 "properties": { 1891 "id": { 1892 "type": "string" 1893 }, 1894 "orgc_id": { 1895 "type": "string" 1896 }, 1897 "org_id": { 1898 "type": "string" 1899 }, 1900 "date": { 1901 "type": "string" 1902 }, 1903 "extends_uuid": { 1904 "type": "string" 1905 }, 1906 "threat_level_id": { 1907 "type": "string" 1908 }, 1909 "info": { 1910 "type": "string" 1911 }, 1912 "published": { 1913 "type": "boolean" 1914 }, 1915 "uuid": { 1916 "type": "string" 1917 }, 1918 
           "attribute_count": {
             "type": "string"
           },
           "analysis": {
             "type": "string"
           },
           "timestamp": {
             "type": "string"
           },
           "distribution": {
             "type": "string"
           },
           "proposal_email_lock": {
             "type": "boolean"
           },
           "locked": {
             "type": "boolean"
           },
           "publish_timestamp": {
             "type": "string"
           },
           "sharing_group_id": {
             "type": "string"
           },
           "disable_correlation": {
             "type": "boolean"
           },
           "event_creator_email": {
             "type": "string"
           },
           "Org": {
             "$ref": "#/defs/org"
           },
           "Orgc": {
             "$ref": "#/defs/org"
           },
           "SharingGroup": {
             "$ref": "#/defs/sharing_group"
           },
           "Attribute": {
             "type": "array",
             "uniqueItems": true,
             "items": {
               "$ref": "#/defs/attribute"
             }
           },
           "ShadowAttribute": {
             "type": "array",
             "uniqueItems": true,
             "items": {
               "$ref": "#/defs/attribute"
             }
           },
           "RelatedEvent": {
             "type": "array",
             "uniqueItems": true,
             "items": {
               "type": "object",
               "additionalProperties": false,
               "properties": {
                 "Event": {
                   "$ref": "#/defs/event"
                 }
               }
             }
           },
           "Galaxy": {
             "type": "array",
             "uniqueItems": true,
             "items": {
               "$ref": "#/defs/galaxy"
             }
           },
           "Object": {
             "type": "array",
             "uniqueItems": true,
             "items": {
               "$ref": "#/defs/object"
             }
           },
           "Tag": {
             "type": "array",
             "uniqueItems": true,
             "items": {
               "$ref": "#/defs/tag"
             }
           }
         }
       },
       "tag": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "id": {
             "type": "string"
           },
           "name": {
             "type": "string"
           },
           "colour": {
             "type": "string"
           },
           "exportable": {
             "type": "boolean"
           },
           "hide_tag": {
             "type": "boolean"
           },
           "user_id": {
             "type": "string"
           }
         }
       },
       "galaxy": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "id": {
             "type": "string"
           },
           "uuid": {
             "type": "string"
           },
           "name": {
             "type": "string"
           },
           "type": {
             "type": "string"
           },
           "description": {
             "type": "string"
           },
           "version": {
             "type": "string"
           },
           "icon": {
             "type": "string"
           },
           "namespace": {
             "type": "string"
           },
           "GalaxyCluster": {
             "type": "array",
             "uniqueItems": true,
             "items": {
               "$ref": "#/defs/galaxy_cluster"
             }
           }
         }
       },
       "galaxy_cluster": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "id": {
             "type": "string"
           },
           "uuid": {
             "type": "string"
           },
           "type": {
             "type": "string"
           },
           "value": {
             "type": "string"
           },
           "tag_name": {
             "type": "string"
           },
           "description": {
             "type": "string"
           },
           "galaxy_id": {
             "type": "string"
           },
           "version": {
             "type": "string"
           },
           "source": {
             "type": "string"
           },
           "authors": {
             "type": "array",
             "uniqueItems": true,
             "items": {
               "type": "string"
             }
           },
           "tag_id": {
             "type": "string"
           },
           "meta": {
             "type": "object"
           }
         }
       }
     },
     "type": "object",
     "properties": {
       "Event": {
         "$ref": "#/defs/event"
       }
     },
     "required": [
       "Event"
     ]
   }

4.  Manifest

   MISP events can be shared over an HTTP repository, a file package or
   a USB key.  A manifest file provides an index of the MISP events so
   that a consumer can fetch only the recently updated files, without
   having to parse each JSON file.

4.1.  Format

   A manifest file is a simple JSON file named manifest.json in the
   directory where the MISP events are located.
   Each MISP event is a file located in the same directory, named after
   the event uuid with the json extension.

   The manifest format is a JSON object composed of a dictionary where
   each key is the uuid of an event.

   Each uuid maps to a JSON object with the following fields, taken
   from the original event referenced by the same uuid:

   o  info (MUST)

   o  Orgc object (MUST)

   o  analysis (SHALL)

   o  timestamp (MUST)

   o  date (MUST)

   o  threat_level_id (SHALL)

   In addition to the fields originating from the event, the following
   fields can be added:

   o  integrity:sha256 represents the SHA256 value, in hexadecimal
      representation, of the associated MISP event file, to ensure the
      integrity of the file.  (SHOULD)

   o  integrity:pgp represents a detached PGP signature [RFC4880] of
      the associated MISP event file, to ensure the integrity of the
      file.  (SHOULD)

   If a detached PGP signature is used for each MISP event, a detached
   PGP signature is a MUST to ensure the integrity of the manifest file.
   A detached PGP signature for a manifest file is a manifest.json.asc
   file containing the PGP signature.

4.1.1.  Sample Manifest

   {
     "57c6ac4c-c60c-4f79-a38f-b666950d210f": {
       "info": "Malspam 2016-08-31 (.wsf in .zip) - campaign: Photo",
       "Orgc": {
         "id": "2",
         "name": "CIRCL",
         "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
       },
       "analysis": "0",
       "Tag": [
         {
           "colour": "#3d7a00",
           "name": "circl:incident-classification=\"malware\""
         },
         {
           "colour": "#ffffff",
           "name": "tlp:white"
         }
       ],
       "timestamp": "1472638251",
       "date": "2016-08-31",
       "threat_level_id": "3"
     },
     "5720accd-dd28-45f8-80e5-4605950d210f": {
       "info": "Malspam 2016-04-27 - Locky",
       "Orgc": {
         "id": "2",
         "name": "CIRCL"
       },
       "analysis": "2",
       "Tag": [
         {
           "colour": "#ffffff",
           "name": "tlp:white"
         },
         {
           "colour": "#3d7a00",
           "name": "circl:incident-classification=\"malware\""
         },
         {
           "colour": "#2c4f00",
           "name": "malware_classification:malware-category=\"Ransomware\""
         }
       ],
       "timestamp": "1461764231",
       "date": "2016-04-27",
       "threat_level_id": "3"
     }
   }

5.  Implementation

   The MISP format is implemented by different software, including the
   MISP threat sharing platform and libraries like PyMISP [MISP-P].
   Implementations use the format as an export/import mechanism, as a
   staging transport format, or as a synchronisation format, as in the
   MISP core platform.  The MISP format does not impose any restriction
   on how other implementations represent the data in their own data
   structures.

6.  Security Considerations

   MISP events might contain sensitive or confidential information.
   Adequate access control and encryption measures shall be implemented
   to ensure the confidentiality of the MISP events.

   Adversaries might include malicious content in MISP events and
   attributes.
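A defensive consumer of the manifest described in Section 4.1, as an added example that is neither part of this draft nor the MISP project's own code: it builds an entry carrying integrity:sha256, checks the MUST/SHALL fields and the digest before the event file is parsed, and refuses manifest keys that are not canonical uuids, since the key is used to name the event file. The sample event is constructed from the draft's sample manifest; the function names are assumptions.

```python
import hashlib
import json
import uuid

# Manifest fields the draft copies from the event: MUST and SHALL per RFC 2119.
MUST_FIELDS = ("info", "Orgc", "timestamp", "date")
SHALL_FIELDS = ("analysis", "threat_level_id")

# Constructed sample event file (uuid and fields taken from the draft's sample manifest).
EVENT_UUID = "57c6ac4c-c60c-4f79-a38f-b666950d210f"
EVENT = {"uuid": EVENT_UUID, "info": "Malspam 2016-08-31 (.wsf in .zip) - campaign: Photo",
         "Orgc": {"id": "2", "name": "CIRCL"}, "analysis": "0",
         "timestamp": "1472638251", "date": "2016-08-31", "threat_level_id": "3"}
EVENT_FILE = json.dumps({"Event": EVENT}).encode()  # the bytes of <uuid>.json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest_entry(event: dict, event_file: bytes) -> dict:
    """Copy the required fields out of an event and add integrity:sha256 (SHOULD)."""
    entry = {k: event[k] for k in MUST_FIELDS + SHALL_FIELDS if k in event}
    entry["integrity:sha256"] = sha256_hex(event_file)
    return entry


def check_entry(key: str, entry: dict, event_file) -> list[str]:
    """Validate one manifest entry before its event file is parsed; [] means acceptable."""
    # The key names the event file (<uuid>.json), so only a canonical RFC 4122 uuid is allowed.
    try:
        if str(uuid.UUID(key)) != key:
            raise ValueError
    except ValueError:
        return [f"{key!r}: manifest key is not a canonical uuid"]
    problems = [f"{key}: missing MUST field {f}" for f in MUST_FIELDS if f not in entry]
    problems += [f"{key}: missing SHALL field {f}" for f in SHALL_FIELDS if f not in entry]
    digest = entry.get("integrity:sha256")
    if digest is not None:  # SHOULD, so only verified when the producer supplied it
        if event_file is None:
            problems.append(f"{key}: event file missing, integrity:sha256 not verifiable")
        elif sha256_hex(event_file) != str(digest).lower():
            problems.append(f"{key}: integrity:sha256 mismatch, event file rejected")
    return problems


def updated_since(manifest: dict, since: int) -> list[str]:
    """Keys of events newer than `since`: the index lets a client fetch only those files."""
    return sorted(k for k, e in manifest.items() if int(e.get("timestamp", 0)) > since)
```

A producer that also emits integrity:pgp would additionally sign manifest.json into manifest.json.asc, as the draft requires when per-event signatures are used.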
   Implementations MUST handle malicious inputs, in addition to the
   standard threat information, which by its nature may already contain
   content intended to be malicious.

7.  Acknowledgements

   The authors wish to thank all the MISP community who are supporting
   the creation of open standards in threat intelligence sharing.
   Special thanks to Nicolas Bareil for the review of the JSON Schema.

8.  Sample MISP file

9.  References

9.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997, .

   [RFC4122]  Leach, P., Mealling, M., and R. Salz, "A Universally
              Unique IDentifier (UUID) URN Namespace", RFC 4122,
              DOI 10.17487/RFC4122, July 2005, .

   [RFC4627]  Crockford, D., "The application/json Media Type for
              JavaScript Object Notation (JSON)", RFC 4627,
              DOI 10.17487/RFC4627, July 2006, .

   [RFC4880]  Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R.
              Thayer, "OpenPGP Message Format", RFC 4880,
              DOI 10.17487/RFC4880, November 2007, .

9.2.  Informative References

   [JSON-SCHEMA]
              "JSON Schema: A Media Type for Describing JSON Documents",
              2016, .

   [MISP-P]   MISP, "MISP Project - Malware Information Sharing Platform
              and Threat Sharing", .

   [MISP-R]   MISP, "MISP Object Relationship Types - common vocabulary
              of relationships", .

   [MISP-T]   MISP, "MISP Taxonomies - shared and common vocabularies of
              tags", .

Authors' Addresses

   Alexandre Dulaunoy
   Computer Incident Response Center Luxembourg
   16, bd d'Avranches
   Luxembourg L-1160
   Luxembourg

   Phone: +352 247 88444
   Email: alexandre.dulaunoy@circl.lu

   Andras Iklody
   Computer Incident Response Center Luxembourg
   16, bd d'Avranches
   Luxembourg L-1160
   Luxembourg

   Phone: +352 247 88444
   Email: andras.iklody@circl.lu