idnits 2.17.1

draft-dulaunoy-misp-core-format-07.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** There are 11 instances of too long lines in the document, the longest one
     being 18 characters in excess of 72.

  ** The abstract seems to contain references ([MISP-P]), which it
     shouldn't.  Please replace those with straight textual mentions of the
     documents in question.

  == There are 1 instance of lines with non-RFC2606-compliant FQDNs in the
     document.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (February 3, 2019) is 1909 days in the past.  Is this
     intentional?

  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  == Unused Reference: 'MISP-R' is defined on line 2302, but no explicit
     reference was found in the text

  == Unused Reference: 'MISP-T' is defined on line 2306, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 4627 (Obsoleted by RFC 7158, RFC 7159)

     Summary: 4 errors (**), 0 flaws (~~), 4 warnings (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.
--------------------------------------------------------------------------------

Network Working Group                                          A. Dulaunoy
Internet-Draft                                                   A. Iklody
Intended status: Informational                                       CIRCL
Expires: August 7, 2019                                   February 3, 2019

                             MISP core format
                    draft-dulaunoy-misp-core-format-07

Abstract

   This document describes the MISP core format used to exchange
   indicators and threat information between MISP (Malware Information
   and threat Sharing Platform) instances.  The JSON format includes the
   overall structure along with the semantics associated with each
   respective key.  The format is described to support other
   implementations which reuse the format and to ensure
   interoperability with existing MISP [MISP-P] software and other
   Threat Intelligence Platforms.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on August 7, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.
   Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Conventions and Terminology
   2.  Format
     2.1.  Overview
     2.2.  Event
       2.2.1.  Event Attributes
     2.3.  Objects
       2.3.1.  Org
       2.3.2.  Orgc
     2.4.  Attribute
       2.4.1.  Sample Attribute Object
       2.4.2.  Attribute Attributes
     2.5.  ShadowAttribute
       2.5.1.  Sample Attribute Object
       2.5.2.  ShadowAttribute Attributes
       2.5.3.  Org
     2.6.  Object
       2.6.1.  Sample Object object
       2.6.2.  Object Attributes
     2.7.  Object References
       2.7.1.  Sample ObjectReference object
       2.7.2.  ObjectReference Attributes
     2.8.  Tag
       2.8.1.  Sample Tag
     2.9.  Sighting
       2.9.1.  Sample Sighting
     2.10. Galaxy
       2.10.1. Sample Galaxy
   3.  JSON Schema
   4.  Manifest
     4.1.  Format
       4.1.1.  Sample Manifest
   5.  Implementation
   6.  Security Considerations
   7.  Acknowledgements
   8.  References
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Authors' Addresses

1.  Introduction

   Sharing threat information has become a fundamental requirement in
   the Internet, security and intelligence community at large.  Threat
   information can include indicators of compromise, malicious file
   indicators, financial fraud indicators or even detailed information
   about a threat actor.  MISP [MISP-P] started as an open source
   project in late 2011 and the MISP format has come to be widely used
   as an exchange format within the community in the past years.  The
   aim of this document is to describe the specification and the MISP
   core format.

1.1.  Conventions and Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.  Format

2.1.  Overview

   The MISP core format is in the JSON [RFC4627] format.  In MISP, an
   event is composed of a single JSON object.
   A capitalized key (like Event, Org) represents a data model and a
   non-capitalised key is just an attribute.  This nomenclature helps an
   implementation represent the MISP format in another data structure.

2.2.  Event

   An event is a simple meta structure scheme where attributes and
   meta-data are embedded to compose a coherent set of indicators.  An
   event can be composed from an incident, a security analysis report or
   a specific threat actor analysis.  The meaning of an event depends
   only on the information embedded in the event.

2.2.1.  Event Attributes

2.2.1.1.  uuid

   uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of
   the event.  The uuid MUST be preserved for any updates or transfer of
   the same event.  UUID version 4 is RECOMMENDED when assigning it to a
   new event.

   uuid is represented as a JSON string.  uuid MUST be present.

2.2.1.2.  id

   id represents the human-readable identifier associated to the event
   for a specific MISP instance.  A human-readable identifier MUST be
   represented as an unsigned integer.

   id is represented as a JSON string.  id SHALL be present.

2.2.1.3.  published

   published represents the event publication state.  If the event was
   published, the published value MUST be true.  In any other
   publication state, the published value MUST be false.

   published is represented as a JSON boolean.  published MUST be
   present.

2.2.1.4.  info

   info represents the information field of the event.  info is a
   free-text value to provide a human-readable summary of the event.
   info SHOULD NOT be bigger than 256 characters and SHOULD NOT include
   newlines.

   info is represented as a JSON string.  info MUST be present.

2.2.1.5.  threat_level_id

   threat_level_id represents the threat level.
   4:  Undefined

   3:  Low

   2:  Medium

   1:  High

   If a higher granularity is required, a MISP taxonomy applied as a Tag
   SHOULD be preferred.

   threat_level_id is represented as a JSON string.  threat_level_id
   SHALL be present.

2.2.1.6.  analysis

   analysis represents the analysis level.

   0:  Initial

   1:  Ongoing

   2:  Complete

   If a higher granularity is required, a MISP taxonomy applied as a Tag
   SHOULD be preferred.

   analysis is represented as a JSON string.  analysis SHALL be present.

2.2.1.7.  date

   date represents a reference date to the event in ISO 8601 format
   (date only: YYYY-MM-DD).  This date corresponds to the date the event
   occurred, which may be in the past.

   date is represented as a JSON string.  date MUST be present.

2.2.1.8.  timestamp

   timestamp represents a reference time when the event, or one of the
   attributes within the event, was created or last updated/edited on
   the instance.  timestamp is expressed in seconds (decimal) since 1st
   of January 1970 (Unix timestamp).  The time zone MUST be UTC.

   timestamp is represented as a JSON string.  timestamp MUST be present.

2.2.1.9.  publish_timestamp

   publish_timestamp represents a reference time when the event was
   published on the instance.  publish_timestamp is expressed in
   seconds (decimal) since 1st of January 1970 (Unix timestamp).  At
   each publication of an event, publish_timestamp MUST be updated.  The
   time zone MUST be UTC.  If the publish_timestamp is present and the
   published flag is set to false, the publish_timestamp represents the
   previous publication timestamp.  If the event was never published,
   the publish_timestamp MUST be set to 0.

   publish_timestamp is represented as a JSON string.  publish_timestamp
   MUST be present.

2.2.1.10.  org_id

   org_id represents a human-readable identifier referencing an Org
   object of the organisation which generated the event.  A
   human-readable identifier MUST be represented as an unsigned integer.

   The org_id MUST be updated when the event is generated by a new
   instance.

   org_id is represented as a JSON string.  org_id MUST be present.

2.2.1.11.  orgc_id

   orgc_id represents a human-readable identifier referencing an Orgc
   object of the organisation which created the event.

   The orgc_id and Org object MUST be preserved for any updates or
   transfer of the same event.

   orgc_id is represented as a JSON string.  orgc_id MUST be present.

2.2.1.12.  attribute_count

   attribute_count represents the number of attributes in the event.
   attribute_count is expressed in decimal.

   attribute_count is represented as a JSON string.  attribute_count
   SHALL be present.

2.2.1.13.  distribution

   distribution represents the basic distribution rules of the event.
   The system must adhere to the distribution setting for access control
   and for dissemination of the event.

   distribution is represented by a JSON string.  distribution MUST be
   present and be one of the following options:

   0  Your Organisation Only

   1  This Community Only

   2  Connected Communities

   3  All Communities

   4  Sharing Group

2.2.1.14.  sharing_group_id

   sharing_group_id represents a human-readable identifier referencing a
   Sharing Group object that defines the distribution of the event, if
   distribution level "4" is set.  A human-readable identifier MUST be
   represented as an unsigned integer.

   sharing_group_id is represented by a JSON string and SHOULD be
   present.  If a distribution level other than "4" is chosen the
   sharing_group_id MUST be set to "0".

2.2.1.15.  extends_uuid

   extends_uuid represents which event is extended by this event.
   The extends_uuid is described as a Universally Unique IDentifier
   (UUID) [RFC4122] with the UUID of the extended event.

   extends_uuid is represented as a JSON string.  extends_uuid SHOULD be
   present.

2.3.  Objects

2.3.1.  Org

   An Org object is composed of a uuid, name and id.

   The uuid represents the Universally Unique IDentifier (UUID)
   [RFC4122] of the organisation.  The organisation UUID is globally
   assigned to an organisation and SHALL be kept over time.

   The name is a readable description of the organisation and SHOULD be
   present.  The id is a human-readable identifier generated by the
   instance and used as reference in the event.  A human-readable
   identifier MUST be represented as an unsigned integer.

   uuid, name and id are represented as a JSON string.  uuid, name and id
   MUST be present.

2.3.1.1.  Sample Org Object

   "Org": {
     "id": "2",
     "name": "CIRCL",
     "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
   }

2.3.2.  Orgc

   An Orgc object is composed of a uuid, name and id.

   The uuid MUST be preserved for any updates or transfer of the same
   event.  UUID version 4 is RECOMMENDED when assigning it to a new
   event.  The organisation UUID is globally assigned to an organisation
   and SHALL be kept over time.

   The name is a readable description of the organisation and SHOULD be
   present.  The id is a human-readable identifier generated by the
   instance and used as reference in the event.  A human-readable
   identifier MUST be represented as an unsigned integer.

   uuid, name and id are represented as a JSON string.  uuid, name and id
   MUST be present.

2.4.  Attribute

   Attributes are used to describe the indicators and contextual data of
   an event.  The main information contained in an attribute is made up
   of a category-type-value triplet, where the category and type give
   meaning and context to the value.
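   Sections 2.2.1 and 2.3 give enough rules to check an Event envelope mechanically before it is accepted from a peer. The validator below is an added example, not part of this draft or of the MISP software; it assumes the JSON has already been parsed into Python objects, treats an empty extends_uuid as "extends nothing", and adds two consistency checks (org_id/orgc_id against the embedded Org/Orgc objects, attribute_count against the Attribute array) that follow from the descriptions rather than being stated as rules.

```python
import re
from datetime import date

# Constructed sample (not from the draft) that satisfies sections 2.2.1 and 2.3;
# the Org/Orgc values reuse the draft's own sample Org object.
SAMPLE_EVENT = {"Event": {
    "uuid": "4c0d7b2e-9f3a-4e6b-8c1d-2a5f7e9b0c13", "id": "42", "published": True,
    "info": "Constructed sample event", "threat_level_id": "3", "analysis": "1",
    "date": "2019-02-03", "timestamp": "1549180800", "publish_timestamp": "1549184400",
    "org_id": "2", "orgc_id": "2", "attribute_count": "0", "distribution": "1",
    "sharing_group_id": "0", "extends_uuid": "", "Attribute": [],
    "Org": {"id": "2", "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"},
    "Orgc": {"id": "2", "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"},
}}

UUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")
# Keys the draft marks MUST or SHALL be present (2.2.1.1 to 2.2.1.13).
REQUIRED = ("uuid", "id", "published", "info", "threat_level_id", "analysis", "date",
            "timestamp", "publish_timestamp", "org_id", "orgc_id", "attribute_count",
            "distribution")
# JSON strings that must hold an unsigned integer: identifiers, counts, Unix times.
UNSIGNED = ("id", "org_id", "orgc_id", "attribute_count", "timestamp",
            "publish_timestamp", "sharing_group_id")


def is_unsigned(value):
    return isinstance(value, str) and value.isdigit()


def validate_org(org, label):
    """Org and Orgc (2.3.1, 2.3.2): uuid, name and id MUST be present as strings."""
    if not isinstance(org, dict):
        return [f"{label}: must be a JSON object"]
    errs = [f"{label}.{k}: MUST be present as a JSON string"
            for k in ("uuid", "name", "id") if not isinstance(org.get(k), str)]
    if isinstance(org.get("uuid"), str) and not UUID_RE.fullmatch(org["uuid"]):
        errs.append(f"{label}.uuid: not an RFC 4122 UUID")
    if "id" in org and not is_unsigned(org["id"]):
        errs.append(f"{label}.id: MUST be an unsigned integer in a JSON string")
    return errs


def validate_event(doc):
    """Return (errors, warnings): errors break a MUST/SHALL, warnings a SHOULD."""
    errors, warnings = [], []
    ev = doc.get("Event") if isinstance(doc, dict) else None
    if not isinstance(ev, dict):
        return ["Event: top-level Event object missing"], warnings
    errors += [f"{k}: MUST be present" for k in REQUIRED if k not in ev]
    errors += [f"{k}: MUST be an unsigned integer in a JSON string"
               for k in UNSIGNED if k in ev and not is_unsigned(ev[k])]
    if "published" in ev and not isinstance(ev["published"], bool):
        errors.append("published: MUST be a JSON boolean")
    if isinstance(ev.get("uuid"), str) and not UUID_RE.fullmatch(ev["uuid"]):
        errors.append("uuid: not an RFC 4122 UUID")
    info = ev.get("info")
    if isinstance(info, str) and len(info) > 256:
        warnings.append("info: SHOULD NOT be bigger than 256 characters")
    if isinstance(info, str) and ("\n" in info or "\r" in info):
        warnings.append("info: SHOULD NOT include newlines")
    if ev.get("threat_level_id") not in ("1", "2", "3", "4"):
        errors.append("threat_level_id: must be 1 (High) to 4 (Undefined)")
    if ev.get("analysis") not in ("0", "1", "2"):
        errors.append("analysis: must be 0 (Initial), 1 (Ongoing) or 2 (Complete)")
    d = ev.get("date")
    try:
        valid_date = isinstance(d, str) and DATE_RE.fullmatch(d) and date.fromisoformat(d)
    except ValueError:  # matches the pattern but is not a calendar date
        valid_date = False
    if not valid_date:
        errors.append("date: MUST be an ISO 8601 calendar date, YYYY-MM-DD")
    # published=true implies at least one publication, so the never-published
    # value "0" can no longer be correct (2.2.1.9).
    if ev.get("published") is True and ev.get("publish_timestamp") == "0":
        errors.append("publish_timestamp: MUST be updated at each publication")
    dist, sgid = ev.get("distribution"), ev.get("sharing_group_id")
    if dist not in ("0", "1", "2", "3", "4"):
        errors.append("distribution: must be one of 0 to 4")
    if sgid is None:
        warnings.append("sharing_group_id: SHOULD be present")
    elif dist != "4" and sgid != "0":
        errors.append("sharing_group_id: MUST be 0 unless distribution is 4")
    x = ev.get("extends_uuid")  # assumption: "" means the event extends nothing
    if x is None:
        warnings.append("extends_uuid: SHOULD be present")
    elif not isinstance(x, str) or (x and not UUID_RE.fullmatch(x)):
        errors.append("extends_uuid: MUST be a JSON string holding a UUID")
    for ref, label in (("org_id", "Org"), ("orgc_id", "Orgc")):
        errors += validate_org(ev[label], label) if label in ev else []
        # derived consistency check: the identifier must agree with the object
        if isinstance(ev.get(label), dict) and ev[label].get("id") != ev.get(ref):
            errors.append(f"{ref}: does not match {label}.id")
    attrs = ev.get("Attribute", [])
    if is_unsigned(ev.get("attribute_count")) and int(ev["attribute_count"]) != len(attrs):
        errors.append("attribute_count: does not match the number of Attribute entries")
    return errors, warnings
```

   validate_event(SAMPLE_EVENT) returns two empty lists; overriding single keys of the sample (a distribution of "2" with a non-zero sharing_group_id, a threat_level_id of "5", an info value with a newline) shows which rule each change breaks.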
   Through the various category-type combinations a wide range of
   information can be conveyed.

   A MISP document MUST include at least the category-type-value
   triplet described in section "Attribute Attributes".

2.4.1.  Sample Attribute Object

   "Attribute": {
     "id": "346056",
     "type": "comment",
     "category": "Other",
     "to_ids": false,
     "uuid": "57f4f6d9-cd20-458b-84fd-109ec0a83869",
     "event_id": "3357",
     "distribution": "5",
     "timestamp": "1475679332",
     "comment": "",
     "sharing_group_id": "0",
     "deleted": false,
     "value": "Hello world",
     "SharingGroup": [],
     "ShadowAttribute": [],
     "RelatedAttribute": []
   }

2.4.2.  Attribute Attributes

2.4.2.1.  uuid

   uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of
   the event.  The uuid MUST be preserved for any updates or transfer of
   the same event.  UUID version 4 is RECOMMENDED when assigning it to a
   new event.

   uuid is represented as a JSON string.  uuid MUST be present.

2.4.2.2.  id

   id represents the human-readable identifier associated to the event
   for a specific MISP instance.  A human-readable identifier MUST be
   represented as an unsigned integer.

   id is represented as a JSON string.  id SHALL be present.

2.4.2.3.  type

   type represents the means through which an attribute tries to
   describe the intent of the attribute creator, using a list of
   pre-defined attribute types.

   type is represented as a JSON string.  type MUST be present and it
   MUST be a valid selection for the chosen category.
   The list of valid category-type combinations is as follows:

   Antivirus detection
      link, comment, text, hex, attachment, other, anonymised

   Artifacts dropped
      md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
      ssdeep, imphash, impfuzzy, authentihash, cdhash, filename,
      filename|md5, filename|sha1, filename|sha224, filename|sha256,
      filename|sha384, filename|sha512, filename|sha512/224,
      filename|sha512/256, filename|authentihash, filename|ssdeep,
      filename|tlsh, filename|imphash, filename|impfuzzy,
      filename|pehash, regkey, regkey|value, pattern-in-file,
      pattern-in-memory, pdb, stix2-pattern, yara, sigma, attachment,
      malware-sample, named pipe, mutex, windows-scheduled-task,
      windows-service-name, windows-service-displayname, comment, text,
      hex, x509-fingerprint-sha1, x509-fingerprint-md5,
      x509-fingerprint-sha256, other, cookie, gene, mime-type, anonymised

   Attribution
      threat-actor, campaign-name, campaign-id, whois-registrant-phone,
      whois-registrant-email, whois-registrant-name,
      whois-registrant-org, whois-registrar, whois-creation-date,
      comment, text, x509-fingerprint-sha1, x509-fingerprint-md5,
      x509-fingerprint-sha256, other, dns-soa-email, anonymised

   External analysis
      md5, sha1, sha256, filename, filename|md5, filename|sha1,
      filename|sha256, ip-src, ip-dst, ip-dst|port, ip-src|port,
      mac-address, mac-eui-64, hostname, domain, domain|ip, url,
      user-agent, regkey, regkey|value, AS, snort, bro, zeek,
      pattern-in-file, pattern-in-traffic, pattern-in-memory,
      vulnerability, attachment, malware-sample, link, comment, text,
      x509-fingerprint-sha1, x509-fingerprint-md5,
      x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5,
      hasshserver-md5, github-repository, other, cortex, anonymised

   Financial fraud
      btc, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number,
      prtn, phone-number, comment, text, other, hex, anonymised
   Internal reference
      text, link, comment, other, hex, anonymised

   Network activity
      ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain,
      domain|ip, mac-address, mac-eui-64, email-dst, url, uri,
      user-agent, http-method, AS, snort, pattern-in-file,
      stix2-pattern, pattern-in-traffic, attachment, comment, text,
      x509-fingerprint-md5, x509-fingerprint-sha1,
      x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5,
      hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek,
      anonymised

   Other
      comment, text, other, size-in-bytes, counter, datetime, cpe, port,
      float, hex, phone-number, boolean, anonymised

   Payload delivery
      md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
      ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash,
      filename, filename|md5, filename|sha1, filename|sha224,
      filename|sha256, filename|sha384, filename|sha512,
      filename|sha512/224, filename|sha512/256, filename|authentihash,
      filename|ssdeep, filename|tlsh, filename|imphash,
      filename|impfuzzy, filename|pehash, mac-address, mac-eui-64,
      ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain,
      email-src, email-dst, email-subject, email-attachment, email-body,
      url, user-agent, AS, pattern-in-file, pattern-in-traffic,
      stix2-pattern, yara, sigma, mime-type, attachment, malware-sample,
      link, malware-type, comment, text, hex, vulnerability,
      x509-fingerprint-sha1, x509-fingerprint-md5,
      x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5,
      hasshserver-md5, other, hostname|port, email-dst-display-name,
      email-src-display-name, email-header, email-reply-to,
      email-x-mailer, email-mime-boundary, email-thread-index,
      email-message-id, mobile-application-id, whois-registrant-email,
      anonymised

   Payload installation
      md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
      ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash,
      filename, filename|md5, filename|sha1, filename|sha224,
      filename|sha256, filename|sha384, filename|sha512,
      filename|sha512/224, filename|sha512/256, filename|authentihash,
      filename|ssdeep, filename|tlsh, filename|imphash,
      filename|impfuzzy, filename|pehash, pattern-in-file,
      pattern-in-traffic, pattern-in-memory, stix2-pattern, yara, sigma,
      vulnerability, attachment, malware-sample, malware-type, comment,
      text, hex, x509-fingerprint-sha1, x509-fingerprint-md5,
      x509-fingerprint-sha256, mobile-application-id, other, mime-type,
      anonymised

   Payload type
      comment, text, other, anonymised

   Persistence mechanism
      filename, regkey, regkey|value, comment, text, other, hex,
      anonymised

   Person
      first-name, middle-name, last-name, date-of-birth, place-of-birth,
      gender, passport-number, passport-country, passport-expiration,
      redress-number, nationality, visa-number, issue-date-of-the-visa,
      primary-residence, country-of-residence, special-service-request,
      frequent-flyer-number, travel-details, payment-details,
      place-port-of-original-embarkation, place-port-of-clearance,
      place-port-of-onward-foreign-destination,
      passenger-name-record-locator-number, comment, text, other,
      phone-number, identity-card-number, anonymised

   Social network
      github-username, github-repository, github-organisation,
      jabber-id, twitter-id, email-src, email-dst, comment, text, other,
      whois-registrant-email, anonymised

   Support Tool
      link, text, attachment, comment, other, hex, anonymised

   Targeting data
      target-user, target-email, target-machine, target-org,
      target-location, target-external, comment, anonymised

   Attributes are based on the usage within their different communities.
   Attributes can be extended on a regular basis and this reference
   document is updated accordingly.

2.4.2.4.  category

   category represents the intent of what the attribute is describing as
   selected by the attribute creator, using a list of pre-defined
   attribute categories.

   category is represented as a JSON string.  category MUST be present
   and it MUST be a valid selection for the chosen type.  The list of
   valid category-type combinations is mentioned above.

2.4.2.5.  to_ids

   to_ids represents whether the attribute is meant to be actionable.
   Actionable attributes are those that can be used in automated
   processes as a pattern for detection in local or network intrusion
   detection systems, log analysis tools or even filtering mechanisms.

   to_ids is represented as a JSON boolean.  to_ids MUST be present.

2.4.2.6.  event_id

   event_id represents a human-readable identifier referencing the Event
   object that the attribute belongs to.  A human-readable identifier
   MUST be represented as an unsigned integer.

   The event_id SHOULD be updated when the event is imported to reflect
   the newly created event's id on the instance.

   event_id is represented as a JSON string.  event_id MUST be present.

2.4.2.7.  distribution

   distribution represents the basic distribution rules of the
   attribute.  The system must adhere to the distribution setting for
   access control and for dissemination of the attribute.

   distribution is represented by a JSON string.  distribution MUST be
   present and be one of the following options:

   0  Your Organisation Only

   1  This Community Only

   2  Connected Communities

   3  All Communities

   4  Sharing Group

   5  Inherit Event

2.4.2.8.  timestamp

   timestamp represents a reference time when the attribute was created
   or last modified.  timestamp is expressed in seconds (decimal) since
   1st of January 1970 (Unix timestamp).  The time zone MUST be UTC.

   timestamp is represented as a JSON string.  timestamp MUST be present.

2.4.2.9.  comment

   comment is a contextual comment field.

   comment is represented by a JSON string.  comment MAY be present.

2.4.2.10.  sharing_group_id

   sharing_group_id represents a human-readable identifier referencing a
   Sharing Group object that defines the distribution of the attribute,
   if distribution level "4" is set.  A human-readable identifier MUST
   be represented as an unsigned integer.

   sharing_group_id is represented by a JSON string and SHOULD be
   present.  If a distribution level other than "4" is chosen the
   sharing_group_id MUST be set to "0".

2.4.2.11.  deleted

   deleted represents a setting that allows attributes to be revoked.
   Revoked attributes are not actionable and exist merely to inform
   other instances of a revocation.

   deleted is represented by a JSON boolean.  deleted MUST be present.

2.4.2.12.  data

   data contains the base64 encoded contents of an attachment or a
   malware sample.  For malware samples, the sample MUST be encrypted
   using a password protected zip archive, with the password being
   "infected".

   data is represented by a JSON string in base64 encoding.  data MUST be
   set for attributes of type malware-sample and attachment.

2.4.2.13.  RelatedAttribute

   RelatedAttribute is an array of attributes correlating with the
   current attribute.  Each element in the array is a JSON object
   containing an Attribute dictionary of the external attributes that
   correlate.  Each Attribute MUST include the id, org_id, info and a
   value.  Only the correlations found on the local instance are shown
   in RelatedAttribute.

   RelatedAttribute MAY be present.

2.4.2.14.  ShadowAttribute

   ShadowAttribute is an array of shadow attributes that serve as
   proposals by third parties to alter the containing attribute.  The
   structure of a ShadowAttribute is similar to that of an Attribute,
   which can be accepted or discarded by the event creator.
If 656 accepted, the original attribute containing the shadow attribute is 657 removed and the shadow attribute is converted into an attribute. 659 Each shadow attribute that references an attribute MUST contain the 660 containing attribute's ID in the old_id field and the event's ID in 661 the event_id field. 663 2.4.2.15. value 665 value represents the payload of an attribute. The format of the 666 value is dependent on the type of the attribute. 668 value is represented by a JSON string. value MUST be present. 670 2.5. ShadowAttribute 672 ShadowAttributes are 3rd party created attributes that either propose 673 to add new information to an event or modify existing information. 674 They are not meant to be actionable until the event creator accepts 675 them - at which point they will be converted into attributes or 676 modify an existing attribute. 678 They are similar in structure to Attributes but additionally carry a 679 reference to the creator of the ShadowAttribute as well as a 680 revocation flag. 682 2.5.1. Sample Attribute Object 683 "ShadowAttribute": { 684 "id": "8", 685 "type": "ip-src", 686 "category": "Network activity", 687 "to_ids": false, 688 "uuid": "57d475f1-da78-4569-89de-1458c0a83869", 689 "event_uuid": "57d475e6-41c4-41ca-b450-145ec0a83869", 690 "event_id": "9", 691 "old_id": "319", 692 "comment": "", 693 "org_id": "1", 694 "proposal_to_delete": false, 695 "value": "5.5.5.5", 696 "deleted": false, 697 "Org": { 698 "id": "1", 699 "name": "MISP", 700 "uuid": "568cce5a-0c80-412b-8fdf-1ffac0a83869" 701 } 702 } 704 2.5.2. ShadowAttribute Attributes 706 2.5.2.1. uuid 708 uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of 709 the event. The uuid MUST be preserved for any updates or transfer of 710 the same event. UUID version 4 is RECOMMENDED when assigning it to a 711 new event. 713 uuid is represented as a JSON string. uuid MUST be present. 715 2.5.2.2. 
id 717 id represents the human-readable identifier associated to the event 718 for a specific MISP instance. human-readable identifier MUST be 719 represented as an unsigned integer. id is represented as a JSON 720 string. id SHALL be present. 722 2.5.2.3. type 724 type represents the means through which an attribute tries to 725 describe the intent of the attribute creator, using a list of pre- 726 defined attribute types. 728 type is represented as a JSON string. type MUST be present and it 729 MUST be a valid selection for the chosen category. The list of valid 730 category-type combinations is as follows: 732 Antivirus detection 733 link, comment, text, hex, attachment, other, anonymised 735 Artifacts dropped 736 md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, 737 ssdeep, imphash, impfuzzy, authentihash, cdhash, filename, 738 filename|md5, filename|sha1, filename|sha224, filename|sha256, 739 filename|sha384, filename|sha512, filename|sha512/224, 740 filename|sha512/256, filename|authentihash, filename|ssdeep, 741 filename|tlsh, filename|imphash, filename|impfuzzy, 742 filename|pehash, regkey, regkey|value, pattern-in-file, pattern- 743 in-memory, pdb, stix2-pattern, yara, sigma, attachment, malware- 744 sample, named pipe, mutex, windows-scheduled-task, windows- 745 service-name, windows-service-displayname, comment, text, hex, 746 x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint- 747 sha256, other, cookie, gene, mime-type, anonymised 749 Attribution 750 threat-actor, campaign-name, campaign-id, whois-registrant-phone, 751 whois-registrant-email, whois-registrant-name, whois-registrant- 752 org, whois-registrar, whois-creation-date, comment, text, x509- 753 fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, 754 other, dns-soa-email, anonymised 756 External analysis 757 md5, sha1, sha256, filename, filename|md5, filename|sha1, 758 filename|sha256, ip-src, ip-dst, ip-dst|port, ip-src|port, mac- 759 address, 
mac-eui-64, hostname, domain, domain|ip, url, user-agent, 760 regkey, regkey|value, AS, snort, bro, zeek, pattern-in-file, 761 pattern-in-traffic, pattern-in-memory, vulnerability, attachment, 762 malware-sample, link, comment, text, x509-fingerprint-sha1, x509- 763 fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, 764 hassh-md5, hasshserver-md5, github-repository, other, cortex, 765 anonymised 767 Financial fraud 768 btc, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, 769 prtn, phone-number, comment, text, other, hex, anonymised 771 Internal reference 772 text, link, comment, other, hex, anonymised 774 Network activity 775 ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, 776 domain|ip, mac-address, mac-eui-64, email-dst, url, uri, user- 777 agent, http-method, AS, snort, pattern-in-file, stix2-pattern, 778 pattern-in-traffic, attachment, comment, text, x509-fingerprint- 779 md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3- 780 fingerprint-md5, hassh-md5, hasshserver-md5, other, hex, cookie, 781 hostname|port, bro, zeek, anonymised 783 Other 784 comment, text, other, size-in-bytes, counter, datetime, cpe, port, 785 float, hex, phone-number, boolean, anonymised 787 Payload delivery 788 md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, 789 ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash, 790 filename, filename|md5, filename|sha1, filename|sha224, 791 filename|sha256, filename|sha384, filename|sha512, 792 filename|sha512/224, filename|sha512/256, filename|authentihash, 793 filename|ssdeep, filename|tlsh, filename|imphash, 794 filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip- 795 src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email- 796 src, email-dst, email-subject, email-attachment, email-body, url, 797 user-agent, AS, pattern-in-file, pattern-in-traffic, 798 stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, 799 link, malware-type, comment, text, 
      hex, vulnerability, x509-fingerprint-sha1, x509-fingerprint-md5,
      x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5,
      hasshserver-md5, other, hostname|port, email-dst-display-name,
      email-src-display-name, email-header, email-reply-to,
      email-x-mailer, email-mime-boundary, email-thread-index,
      email-message-id, mobile-application-id, whois-registrant-email,
      anonymised

   Payload installation
      md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
      ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash,
      filename, filename|md5, filename|sha1, filename|sha224,
      filename|sha256, filename|sha384, filename|sha512,
      filename|sha512/224, filename|sha512/256, filename|authentihash,
      filename|ssdeep, filename|tlsh, filename|imphash,
      filename|impfuzzy, filename|pehash, pattern-in-file,
      pattern-in-traffic, pattern-in-memory, stix2-pattern, yara, sigma,
      vulnerability, attachment, malware-sample, malware-type, comment,
      text, hex, x509-fingerprint-sha1, x509-fingerprint-md5,
      x509-fingerprint-sha256, mobile-application-id, other, mime-type,
      anonymised

   Payload type
      comment, text, other, anonymised

   Persistence mechanism
      filename, regkey, regkey|value, comment, text, other, hex,
      anonymised

   Person
      first-name, middle-name, last-name, date-of-birth, place-of-birth,
      gender, passport-number, passport-country, passport-expiration,
      redress-number, nationality, visa-number, issue-date-of-the-visa,
      primary-residence, country-of-residence, special-service-request,
      frequent-flyer-number, travel-details, payment-details,
      place-port-of-original-embarkation, place-port-of-clearance,
      place-port-of-onward-foreign-destination,
      passenger-name-record-locator-number, comment, text, other,
      phone-number, identity-card-number, anonymised

   Social network
      github-username, github-repository, github-organisation,
      jabber-id, twitter-id, email-src,
      email-dst, comment, text, other, whois-registrant-email,
      anonymised

   Support Tool
      link, text, attachment, comment, other, hex, anonymised

   Targeting data
      target-user, target-email, target-machine, target-org,
      target-location, target-external, comment, anonymised

   Attributes are based on the usage within their different
   communities.  Attributes can be extended on a regular basis and this
   reference document is updated accordingly.

2.5.2.4.  category

   category represents the intent of what the attribute is describing,
   as selected by the attribute creator from a list of pre-defined
   attribute categories.

   category is represented as a JSON string.  category MUST be present
   and it MUST be a valid selection for the chosen type.  The list of
   valid category-type combinations is given above.

2.5.2.5.  to_ids

   to_ids represents whether the Attribute that would be created if the
   ShadowAttribute is accepted is meant to be actionable.  Actionable
   attributes are those that can be used in automated processes as a
   pattern for detection in a Local or Network Intrusion Detection
   System, in log analysis tools or even in filtering mechanisms.

   to_ids is represented as a JSON boolean.  to_ids MUST be present.

2.5.2.6.  event_id

   event_id represents a human-readable identifier referencing the Event
   object that the ShadowAttribute belongs to.

   The event_id SHOULD be updated when the event is imported to reflect
   the newly created event's id on the instance.

   event_id is represented as a JSON string.  event_id MUST be present.

2.5.2.7.  old_id

   old_id represents a human-readable identifier referencing the
   Attribute object that the ShadowAttribute belongs to.  In this way a
   ShadowAttribute can target an existing Attribute, making it a
   proposal to modify that Attribute, or alternatively it can be a
   proposal to create a new Attribute in the containing Event.
   The old_id SHOULD be updated when the event is imported to reflect
   the newly created Attribute's id on the instance.  Alternatively, if
   the ShadowAttribute proposes the creation of a new Attribute, it
   should be set to 0.

   old_id is represented as a JSON string.  old_id MUST be present.

2.5.2.8.  timestamp

   timestamp represents a reference time when the attribute was created
   or last modified.  timestamp is expressed in seconds (decimal) since
   1st of January 1970 (Unix timestamp).  The time zone MUST be UTC.

   timestamp is represented as a JSON string.  timestamp MUST be
   present.

2.5.2.9.  comment

   comment is a contextual comment field.

   comment is represented by a JSON string.  comment MAY be present.

2.5.2.10.  org_id

   org_id represents a human-readable identifier referencing the
   proposal creator's Organisation object.  A human-readable identifier
   MUST be represented as an unsigned integer.

   Whilst attributes can only be created by the event creator
   organisation, shadow attributes can be created by third parties.
   org_id tracks the creator organisation.

   org_id is represented by a JSON string and MUST be present.

2.5.2.11.  proposal_to_delete

   proposal_to_delete is a boolean flag that sets whether the shadow
   attribute proposes to alter an attribute, or whether it proposes to
   remove it completely.

   Accepting a shadow attribute with this flag set will remove the
   target attribute.

   proposal_to_delete is a JSON boolean and it MUST be present.  If
   proposal_to_delete is set to true, old_id MUST NOT be 0.

2.5.2.12.  deleted

   deleted represents a setting that allows shadow attributes to be
   revoked.  Revoked shadow attributes only serve to inform other
   instances that the shadow attribute is no longer active.

   deleted is represented by a JSON boolean.  deleted SHOULD be present.

2.5.2.13.
data

   data contains the base64 encoded contents of an attachment or a
   malware sample.  For malware samples, the sample MUST be encrypted
   using a password protected zip archive, with the password being
   "infected".

   data is represented by a JSON string in base64 encoding.  data MUST
   be set for shadow attributes of type malware-sample and attachment.

2.5.3.  Org

   An Org object is composed of an uuid, name and id.

   The uuid represents the Universally Unique IDentifier (UUID)
   [RFC4122] of the organization.  The organization UUID is globally
   assigned to an organization and SHALL be kept over time.

   The name is a readable description of the organization and SHOULD be
   present.  The id is a human-readable identifier generated by the
   instance and used as reference in the event.  A human-readable
   identifier MUST be represented as an unsigned integer.

   uuid, name and id are represented as a JSON string.  uuid, name and
   id MUST be present.

2.5.3.1.  Sample Org Object

   "Org": {
       "id": "2",
       "name": "CIRCL",
       "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
   }

2.5.3.2.  value

   value represents the payload of an attribute.  The format of the
   value is dependent on the type of the attribute.

   value is represented by a JSON string.  value MUST be present.

2.6.  Object

   Objects serve as a contextual bond between a list of attributes
   within an event.  Their main purpose is to describe more complex
   structures than can be described by a single attribute.  Each object
   is created using an Object Template and carries within it the
   meta-data of the template used for its creation.  Objects belong to
   a meta-category and are defined by a name.

   The schema used is described by the template_uuid and
   template_version fields.
   A MISP document containing an Object MUST contain a name, a
   meta-category, a description, a template_uuid and a template_version
   as described in the "Object Attributes" section.

2.6.1.  Sample Object object

   "Object": {
       "id": "588",
       "name": "file",
       "meta-category": "file",
       "description": "File object describing a file with meta-information",
       "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
       "template_version": "3",
       "event_id": "56",
       "uuid": "398b0094-0384-4c48-9bf0-22b3dff9c4d3",
       "timestamp": "1505747965",
       "distribution": "5",
       "sharing_group_id": "0",
       "comment": "",
       "deleted": false,
       "ObjectReference": [],
       "Attribute": [
           {
               "id": "7822",
               "type": "filename",
               "category": "Payload delivery",
               "to_ids": true,
               "uuid": "59bfe3fb-bde0-4dfe-b5b1-2b10a07724d1",
               "event_id": "56",
               "distribution": "0",
               "timestamp": "1505747963",
               "comment": "",
               "sharing_group_id": "0",
               "deleted": false,
               "disable_correlation": false,
               "object_id": "588",
               "object_relation": "filename",
               "value": "StarCraft.exe",
               "ShadowAttribute": []
           }
       ]
   }

2.6.2.  Object Attributes

2.6.2.1.  uuid

   uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of
   the object.  The uuid MUST be preserved for any updates or transfer
   of the same object.  UUID version 4 is RECOMMENDED when assigning it
   to a new object.

2.6.2.2.  id

   id represents the human-readable identifier associated to the object
   for a specific MISP instance.  A human-readable identifier MUST be
   represented as an unsigned integer.

   id is represented as a JSON string.  id SHALL be present.

2.6.2.3.  name

   name represents the human-readable name of the object describing the
   intent of the object package.

   name is represented as a JSON string.  name MUST be present.

2.6.2.4.
meta-category

   meta-category represents the sub-category of objects that the given
   object belongs to.  meta-categories are not tied to a fixed list of
   options but can be created on the fly.

   meta-category is represented as a JSON string.  meta-category MUST
   be present.

2.6.2.5.  description

   description is a human-readable description of the given object
   type, as derived from the template used for creation.

   description is represented as a JSON string.  description SHALL be
   present.

2.6.2.6.  template_uuid

   template_uuid represents the Universally Unique IDentifier (UUID)
   [RFC4122] of the template used to create the object.  The
   template_uuid MUST be preserved to preserve the object's association
   with the correct template used for creation.  UUID version 4 is
   RECOMMENDED when assigning it to a new object.

2.6.2.7.  template_version

   template_version represents a numeric incrementing version of the
   template used to create the object.  It is used to associate the
   object to the correct version of the template and, together with the
   template_uuid, forms an association to the correct template type and
   version.

   template_version is represented as a JSON string.  template_version
   MUST be present.

2.6.2.8.  event_id

   event_id represents the human-readable identifier of the event that
   the object belongs to on a specific MISP instance.  A human-readable
   identifier MUST be represented as an unsigned integer.

   event_id is represented as a JSON string.  event_id SHALL be present.

2.6.2.9.  timestamp

   timestamp represents a reference time when the object was created or
   last modified.  timestamp is expressed in seconds (decimal) since 1st
   of January 1970 (Unix timestamp).  The time zone MUST be UTC.

   timestamp is represented as a JSON string.  timestamp MUST be
   present.

2.6.2.10.  distribution

   distribution represents the basic distribution rules of the object.
   The system must adhere to the distribution setting for access control
   and for dissemination of the object.

   distribution is represented by a JSON string.  distribution MUST be
   present and be one of the following options:

   0
      Your Organisation Only

   1
      This Community Only

   2
      Connected Communities

   3
      All Communities

   4
      Sharing Group

2.6.2.11.  sharing_group_id

   sharing_group_id represents a human-readable identifier referencing a
   Sharing Group object that defines the distribution of the object, if
   distribution level "4" is set.  A human-readable identifier MUST be
   represented as an unsigned integer.

   sharing_group_id is represented by a JSON string and SHOULD be
   present.  If a distribution level other than "4" is chosen the
   sharing_group_id MUST be set to "0".

2.6.2.12.  comment

   comment is a contextual comment field.

   comment is represented by a JSON string.  comment MAY be present.

2.6.2.13.  deleted

   deleted represents a setting that allows objects to be revoked.
   Revoked objects are not actionable and exist merely to inform other
   instances of a revocation.

   deleted is represented by a JSON boolean.  deleted MUST be present.

2.6.2.14.  Attribute

   Attribute is an array of attributes that describe the object with
   data.

   Each attribute in an object MUST contain the parent event's ID in the
   event_id field and the parent object's ID in the object_id field.

2.7.  Object References

   Object References serve as a logical link between an Object and
   another referenced Object or Attribute.  The relationship is
   categorised by an enumerated value from a fixed vocabulary.
   Taking the relationship_type from the MISP object relationship list
   [MISP-R] is RECOMMENDED to ensure a coherent naming of the
   relationships.

   All Object References MUST contain an object_uuid, a referenced_uuid
   and a relationship_type.

2.7.1.  Sample ObjectReference object

   "ObjectReference": {
       "id": "195",
       "uuid": "59c21a2c-c0ac-4083-93b3-363da07724d1",
       "timestamp": "1505892908",
       "object_id": "591",
       "event_id": "113",
       "referenced_id": "590",
       "referenced_type": "1",
       "relationship_type": "derived-from",
       "comment": "",
       "deleted": false,
       "object_uuid": "59c1134d-8a40-4c14-ad94-0f7ba07724d1",
       "referenced_uuid": "59c1133c-9adc-4d06-a34b-0f7ca07724d1"
   }

2.7.2.  ObjectReference Attributes

2.7.2.1.  uuid

   uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of
   the object reference.  The uuid MUST be preserved for any updates or
   transfer of the same object reference.  UUID version 4 is RECOMMENDED
   when assigning it to a new object reference.

2.7.2.2.  id

   id represents the human-readable identifier associated to the object
   reference for a specific MISP instance.

   id is represented as a JSON string.  id SHALL be present.

2.7.2.3.  timestamp

   timestamp represents a reference time when the object reference was
   created or last modified.  timestamp is expressed in seconds
   (decimal) since 1st of January 1970 (Unix timestamp).  The time zone
   MUST be UTC.

   timestamp is represented as a JSON string.  timestamp MUST be
   present.

2.7.2.4.  object_id

   object_id represents the human-readable identifier of the object that
   the object reference belongs to on a specific MISP instance.  A
   human-readable identifier MUST be represented as an unsigned integer.

   object_id is represented as a JSON string.  object_id SHALL be
   present.

2.7.2.5.
event_id

   event_id represents the human-readable identifier of the event that
   the object reference belongs to on a specific MISP instance.  A
   human-readable identifier MUST be represented as an unsigned integer.

   event_id is represented as a JSON string.  event_id SHALL be present.

2.7.2.6.  referenced_id

   referenced_id represents the human-readable identifier of the object
   or attribute that the parent object of the object reference points to
   on a specific MISP instance.

   referenced_id is represented as a JSON string.  referenced_id MAY be
   present.

2.7.2.7.  referenced_type

   referenced_type represents the numeric value describing what the
   object reference points to, "0" representing an attribute and "1"
   representing an object.

   referenced_type is represented as a JSON string.  referenced_type MAY
   be present.

2.7.2.8.  relationship_type

   relationship_type represents the human-readable context of the
   relationship between an object and another object or attribute, as
   described by the object reference.

   relationship_type is represented as a JSON string.  relationship_type
   MUST be present.

2.7.2.9.  comment

   comment is a contextual comment field.

   comment is represented by a JSON string.  comment MAY be present.

2.7.2.10.  deleted

   deleted represents a setting that allows object references to be
   revoked.  Revoked object references are not actionable and exist
   merely to inform other instances of a revocation.

   deleted is represented by a JSON boolean.  deleted MUST be present.

2.7.2.11.  object_uuid

   object_uuid represents the Universally Unique IDentifier (UUID)
   [RFC4122] of the object that the given object reference belongs to.
   The object_uuid MUST be preserved to preserve the object reference's
   association with the object.

2.7.2.12.
referenced_uuid

   referenced_uuid represents the Universally Unique IDentifier (UUID)
   [RFC4122] of the object or attribute that is being referenced by the
   object reference.  The referenced_uuid MUST be preserved to preserve
   the object reference's association with the object or attribute.

2.8.  Tag

   A tag is a simple method to classify an event with a simple string.
   The tag name can be freely chosen.  The tag name can also be chosen
   from a fixed machine-tag vocabulary called MISP taxonomies [MISP-T].
   When an event is distributed outside an organisation, the use of MISP
   taxonomies [MISP-T] is RECOMMENDED to ensure a coherent naming of
   the tags.  A tag is represented as a JSON array where each element
   describes one associated tag.  A tag array SHALL be at event level
   or attribute level.  A tag element is described with a name, id,
   colour and exportable flag.

   exportable represents a setting that states whether the tag is kept
   local or is exportable to other MISP instances.  exportable is
   represented by a JSON boolean.  id is a human-readable identifier
   that references the tag on the local instance.  colour represents an
   RGB value of the tag.

   name MUST be present.  colour, id and exportable SHALL be present.

2.8.1.  Sample Tag

   "Tag": [{
       "exportable": true,
       "colour": "#ffffff",
       "name": "tlp:white",
       "id": "2"
   }]

2.9.  Sighting

   A sighting is an ascertainment which describes whether an attribute
   has been seen under a given set of conditions.  The sighting can
   include the organisation who sighted the attribute or can be
   anonymised.  Sighting is composed of a JSON array in which each
   element describes one singular instance of a sighting.  A sighting
   element is a JSON object composed of the following values:

   type MUST be present.  type describes the type of a sighting.
   MISP allows 3 default types:

   +------------+------------------------------------------------------+
   | Sighting   | Description                                          |
   | type       |                                                      |
   +------------+------------------------------------------------------+
   | 0          | denotes an attribute which has been seen             |
   | 1          | denotes an attribute which has been seen and         |
   |            | confirmed as false-positive                          |
   | 2          | denotes an attribute which will be expired at the    |
   |            | time of the sighting                                 |
   +------------+------------------------------------------------------+

   uuid MUST be present.  uuid references the uuid of the sighted
   attribute.

   date_sighting MUST be present.  date_sighting is expressed in seconds
   (decimal) elapsed since 1st of January 1970 (Unix timestamp).
   date_sighting represents when the referenced attribute, designated by
   its uuid, is sighted.

   source MAY be present.  source is represented as a JSON string and
   represents the human-readable version of the sighting source, which
   can be a given piece of software (e.g. SIEM), device or a specific
   analytical process.

   id, event_id and attribute_id MAY be present.

   id represents the human-readable identifier of the sighting reference
   which belongs to a specific MISP instance.  event_id represents the
   human-readable identifier of the event referenced by the sighting and
   belongs to a specific MISP instance.  attribute_id represents the
   human-readable identifier of the attribute referenced by the sighting
   and belongs to a specific MISP instance.

   org_id MAY be present along the JSON object describing the
   organisation.  If the org_id is not present, the sighting is
   considered as anonymised.

   org_id represents the human-readable identifier of the organisation
   which did the sighting and belongs to a specific MISP instance.

   A human-readable identifier MUST be represented as an unsigned
   integer.

2.9.1.
Sample Sighting

   "Sighting": [
       {
           "id": "13599",
           "attribute_id": "1201615",
           "event_id": "10164",
           "org_id": "2",
           "date_sighting": "1517581400",
           "uuid": "5a747459-41b4-4826-9b29-42dd950d210f",
           "source": "M2M-CIRCL",
           "type": "0",
           "Organisation": {
               "id": "2",
               "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f",
               "name": "CIRCL"
           }
       },
       {
           "id": "13601",
           "attribute_id": "1201615",
           "event_id": "10164",
           "org_id": "2",
           "date_sighting": "1517581401",
           "uuid": "5a74745a-a190-4d04-b719-4916950d210f",
           "source": "M2M-CIRCL",
           "type": "0",
           "Organisation": {
               "id": "2",
               "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f",
               "name": "CIRCL"
           }
       }
   ]

2.10.  Galaxy

   A galaxy is a simple method to express a large object called cluster
   that can be attached to MISP events.  A cluster can be composed of
   one or more elements.  Elements are expressed as key-values.

2.10.1.
Sample Galaxy

   "Galaxy": [ {
       "id": "18",
       "uuid": "698774c7-8022-42c4-917f-8d6e4f06ada3",
       "name": "Threat Actor",
       "type": "threat-actor",
       "description": "Threat actors are characteristics of malicious actors (or adversaries) representing a cyber attack threat including presumed intent and historically observed behaviour.",
       "version": "1",
       "GalaxyCluster": [
           {
               "id": "1699",
               "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
               "type": "threat-actor",
               "value": "Anunak",
               "tag_name": "misp-galaxy:threat-actor=\"Anunak\"",
               "description": "Groups targeting financial organizations or people with significant financial assets.",
               "galaxy_id": "18",
               "source": "MISP Project",
               "authors": [
                   "Alexandre Dulaunoy",
                   "Florian Roth",
                   "Thomas Schreck",
                   "Timo Steffens",
                   "Various"
               ],
               "tag_id": "111",
               "meta": {
                   "synonyms": [
                       "Carbanak",
                       "Carbon Spider"
                   ],
                   "country": [
                       "RU"
                   ],
                   "motive": [
                       "Cybercrime"
                   ]
               }
           }
       ]
   } ]

3.  JSON Schema

   The JSON Schema [JSON-SCHEMA] below defines the structure of the MISP
   core format as described in the preceding sections.  The JSON Schema
   is used to validate MISP events at creation time or when parsing.
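   The schema checks the shape and the JSON types of each record; the
   cross-field MUST rules stated in Sections 2.5.2, 2.6 and 2.7
   (distribution versus sharing_group_id, an Attribute's event_id and
   object_id matching its parents, the required ObjectReference fields,
   proposal_to_delete versus old_id) cannot be expressed in it.  The
   checker below is an added example and not code from this draft or
   from the MISP project; its function names are its own, and the two
   sample events are constructed, modelled on the sample Object of
   Section 2.6.1 but with distribution "0".

```python
"""Cross-field consistency checks for MISP Object, ObjectReference and
ShadowAttribute records (added example; not code from the draft or MISP)."""
import re

# A human-readable identifier MUST be an unsigned integer, carried as a JSON string.
_UINT = re.compile(r"^(0|[1-9][0-9]*)$")
DISTRIBUTION_LEVELS = {"0", "1", "2", "3", "4"}  # "4" = Sharing Group
OBJECT_REQUIRED = ("name", "meta-category", "description",
                   "template_uuid", "template_version")
REFERENCE_REQUIRED = ("object_uuid", "referenced_uuid", "relationship_type")

def _is_uint_str(value):
    return isinstance(value, str) and _UINT.match(value) is not None

def check_shadow_attribute(sa, where):
    """proposal_to_delete MUST be present; if true, old_id MUST NOT be 0."""
    if "proposal_to_delete" not in sa:
        return [f"{where}: ShadowAttribute lacks proposal_to_delete"]
    if sa["proposal_to_delete"] is True and sa.get("old_id") in (None, "0"):
        return [f"{where}: proposal_to_delete is true but old_id is 0"]
    return []

def check_object_reference(ref, parent):
    """object_uuid, referenced_uuid and relationship_type MUST be present."""
    issues, where = [], f"ObjectReference {ref.get('uuid', '?')}"
    for key in REFERENCE_REQUIRED:
        if key not in ref:
            issues.append(f"{where}: missing required field {key}")
    if ref.get("referenced_type", "0") not in ("0", "1"):
        issues.append(f'{where}: referenced_type must be "0" (attribute) or "1" (object)')
    if "object_uuid" in ref and ref["object_uuid"] != parent.get("uuid"):
        issues.append(f"{where}: object_uuid does not match the containing Object")
    return issues

def check_object(obj, event_id):
    """Return the rule violations for one Object that belongs to event `event_id`."""
    issues, where = [], f"Object {obj.get('uuid', '?')}"
    for key in OBJECT_REQUIRED:
        if key not in obj:
            issues.append(f"{where}: missing required field {key}")
    for key in ("id", "event_id", "template_version", "sharing_group_id", "timestamp"):
        if key in obj and not _is_uint_str(obj[key]):
            issues.append(f"{where}: {key} must be an unsigned integer in a JSON string")
    dist, sgid = obj.get("distribution"), obj.get("sharing_group_id")
    if dist not in DISTRIBUTION_LEVELS:
        issues.append(f"{where}: distribution must be one of 0..4, got {dist!r}")
    elif dist != "4" and sgid not in (None, "0"):
        issues.append(f'{where}: sharing_group_id must be "0" unless distribution is "4"')
    elif dist == "4" and sgid in (None, "0"):
        issues.append(f'{where}: distribution "4" needs a sharing_group_id')
    if obj.get("event_id") != event_id:
        issues.append(f"{where}: event_id does not match the parent event {event_id!r}")
    for attr in obj.get("Attribute", []):
        a_where = f"{where} / Attribute {attr.get('uuid', '?')}"
        if attr.get("event_id") != event_id:
            issues.append(f"{a_where}: event_id must equal the parent event's id")
        if attr.get("object_id") != obj.get("id"):
            issues.append(f"{a_where}: object_id must equal the parent Object's id")
        for sa in attr.get("ShadowAttribute", []):
            issues.extend(check_shadow_attribute(sa, a_where))
    for ref in obj.get("ObjectReference", []):
        issues.extend(check_object_reference(ref, obj))
    return issues

def check_event(event):
    """Check every Object of an Event; an empty list means every rule holds."""
    issues = []
    for obj in event.get("Object", []):
        issues.extend(check_object(obj, event.get("id")))
    return issues

# Constructed sample modelled on the draft's sample Object (event 56, Object 588).
GOOD_EVENT = {"id": "56", "Object": [{
    "id": "588", "name": "file", "meta-category": "file",
    "description": "File object describing a file with meta-information",
    "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "3",
    "event_id": "56", "uuid": "398b0094-0384-4c48-9bf0-22b3dff9c4d3",
    "timestamp": "1505747965", "distribution": "0", "sharing_group_id": "0",
    "Attribute": [{"uuid": "59bfe3fb-bde0-4dfe-b5b1-2b10a07724d1", "event_id": "56",
                   "object_id": "588", "value": "StarCraft.exe", "ShadowAttribute": []}],
    "ObjectReference": [{"object_uuid": "398b0094-0384-4c48-9bf0-22b3dff9c4d3",
                         "referenced_uuid": "59c1133c-9adc-4d06-a34b-0f7ca07724d1",
                         "referenced_type": "1", "relationship_type": "derived-from"}]}]}

# Constructed bad sample carrying four distinct violations of the rules above.
BAD_EVENT = {"id": "56", "Object": [{
    "id": "588", "name": "file", "meta-category": "file", "description": "x",
    "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "3",
    "event_id": "56", "uuid": "398b0094-0384-4c48-9bf0-22b3dff9c4d3",
    "timestamp": "1505747965", "distribution": "2", "sharing_group_id": "7",
    "Attribute": [{"uuid": "59bfe3fb-bde0-4dfe-b5b1-2b10a07724d1", "event_id": "56",
                   "object_id": "589",
                   "ShadowAttribute": [{"proposal_to_delete": True, "old_id": "0"}]}],
    "ObjectReference": [{"object_uuid": "398b0094-0384-4c48-9bf0-22b3dff9c4d3",
                         "referenced_uuid": "59c1133c-9adc-4d06-a34b-0f7ca07724d1"}]}]}
```

   Run check_event on a parsed Event after schema validation; the
   returned strings name the record and the rule that failed.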
   {
     "$schema": "http://json-schema.org/draft-04/schema#",
     "title": "Validator for misp events",
     "id": "https://github.com/MISP/MISP/blob/2.4/format/2.4/schema.json",
     "defs": {
       "org": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "id": {"type": "string"},
           "name": {"type": "string"},
           "uuid": {"type": "string"}
         },
         "required": ["uuid"]
       },
       "orgc": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "id": {"type": "string"},
           "name": {"type": "string"},
           "uuid": {"type": "string"}
         },
         "required": ["uuid"]
       },
       "sharing_group": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "id": {"type": "string"},
           "name": {"type": "string"},
           "releasability": {"type": "string"},
           "description": {"type": "string"},
           "uuid": {"type": "string"},
           "organisation_uuid": {"type": "string"},
           "org_id": {"type": "string"},
           "sync_user_id": {"type": "string"},
           "active": {"type": "boolean"},
           "created": {"type": "string"},
           "modified": {"type": "string"},
           "local": {"type": "boolean"},
           "roaming": {"type": "boolean"},
           "Organisation": {"$ref": "#/defs/org"},
           "SharingGroupOrg": {
             "type": "array",
             "uniqueItems": true,
             "items": {"$ref": "#/defs/sharing_group_org"}
           },
           "SharingGroupServer": {
             "type": "array",
             "uniqueItems": true,
             "items": {"$ref": "#/defs/sharing_group_server"}
           },
           "required": ["uuid"]
         },
         "required": ["uuid"]
       },
       "sharing_group_org": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "id": {"type": "string"},
           "sharing_group_id": {"type": "string"},
           "org_id": {"type": "string"},
           "extend": {"type": "boolean"},
           "Organisation": {"$ref": "#/defs/org"}
         }
       },
       "sharing_group_server": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "id": {"type": "string"},
           "sharing_group_id": {"type": "string"},
           "server_id": {"type": "string"},
           "all_orgs": {"type": "boolean"},
           "Server": {"$ref": "#/defs/server"}
         }
       },
       "server": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "id": {"type": "string"},
           "url": {"type": "string"},
           "name": {"type": "string"}
         }
       },
       "object": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "uuid": {"type": "string"},
           "name": {"type": "string"},
           "event_id": {"type": "string"},
           "description": {"type": "string"},
           "template_uuid": {"type": "string"},
           "template_version": {"type": "string"},
           "id": {"type": "string"},
           "meta-category": {"type": "string"},
           "deleted": {"type": "boolean"},
           "timestamp": {"type": "string"},
           "distribution": {"type": "string"},
           "sharing_group_id": {"type": "string"},
           "comment": {"type": "string"},
           "ObjectReference": {
             "type": "array",
             "uniqueItems": true,
             "items": {"$ref": "#/defs/objectreference"}
           },
           "Attribute": {
             "type": "array",
             "uniqueItems": true,
             "items": {"$ref": "#/defs/attribute"}
           }
         }
       },
       "sighthing": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "id": {"type": "string"},
           "attribute_id": {"type": "string"},
           "event_id": {"type": "string"},
           "source": {"type": "string"},
           "type": {"type": "string"},
           "org_id": {"type": "string"},
           "date_sighting": {"type": "string"},
           "uuid": {"type": "string"},
           "Organisation": {"$ref": "#/defs/organisation"}
         }
       },
       "organisation": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "id": {"type": "string"},
           "uuid": {"type": "string"},
           "name": {"type": "string"}
         }
       },
       "objectreference": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "deleted": {"type": "boolean"},
           "object_id": {"type": "string"},
           "event_id": {"type": "string"},
           "timestamp": {"type": "string"},
           "id": {"type": "string"},
           "uuid": {"type": "string"},
           "type": {"type": "string"},
           "referenced_id": {"type": "string"},
           "referenced_uuid": {"type": "string"},
           "referenced_type": {"type": "string"},
           "relationship_type": {"type": "string"},
           "object_uuid": {"type": "string"},
           "comment": {"type": "string"},
           "Object": {"$ref": "#/defs/object"}
         }
       },
       "attribute": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "id": {"type": "string"},
           "old_id": {"type": "string"},
           "type": {"type": "string"},
           "category": {"type": "string"},
           "to_ids": {"type": "boolean"},
           "uuid": {"type":
                    "string"},
           "event_id": {"type": "string"},
           "event_uuid": {"type": "string"},
           "proposal_to_delete": {"type": "boolean"},
           "validationIssue": {"type": "boolean"},
           "Org": {"$ref": "#/defs/organisation"},
           "org_id": {"type": "string"},
           "distribution": {"type": "string"},
           "timestamp": {"type": "string"},
           "comment": {"type": "string"},
           "sharing_group_id": {"type": "string"},
           "deleted": {"type": "boolean"},
           "disable_correlation": {"type": "boolean"},
           "value": {"type": "string"},
           "data": {"type": "string"},
           "object_relation": {"type": ["string", "null"]},
           "object_id": {"type": "string"},
           "SharingGroup": {"$ref": "#/defs/sharing_group"},
           "ShadowAttribute": {
             "type": "array",
             "uniqueItems": true,
             "items": {"$ref": "#/defs/attribute"}
           },
           "Sighting": {
             "type": "array",
             "uniqueItems": true,
             "items": {"$ref": "#/defs/sighthing"}
           },
           "Galaxy": {
             "type": "array",
             "uniqueItems": true,
             "items": {"$ref": "#/defs/galaxy"}
           },
           "Tag": {
             "uniqueItems": true,
             "type": "array",
             "items": {"$ref": "#/defs/tag"}
           }
         }
       },
       "event": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "id": {"type": "string"},
           "orgc_id": {"type": "string"},
           "org_id": {"type": "string"},
           "date": {"type": "string"},
           "extends_uuid": {"type": "string"},
           "threat_level_id": {"type": "string"},
           "info": {"type": "string"},
           "published": {"type": "boolean"},
           "uuid": {"type": "string"},
           "attribute_count": {"type": "string"},
           "analysis": {"type": "string"},
           "timestamp": {"type": "string"},
           "distribution": {"type": "string"},
           "proposal_email_lock": {"type": "boolean"},
           "locked": {"type": "boolean"},
           "publish_timestamp": {"type": "string"},
           "sharing_group_id": {"type": "string"},
           "disable_correlation": {"type": "boolean"},
           "event_creator_email": {"type": "string"},
           "Org": {"$ref": "#/defs/org"},
           "Orgc": {"$ref": "#/defs/org"},
           "SharingGroup": {"$ref": "#/defs/sharing_group"},
           "Attribute": {
             "type": "array",
             "uniqueItems": true,
             "items": {"$ref": "#/defs/attribute"}
           },
           "ShadowAttribute": {
             "type": "array",
             "uniqueItems": true,
             "items": {"$ref": "#/defs/attribute"}
           },
           "RelatedEvent": {
             "type": "array",
             "uniqueItems": true,
             "items": {
               "type": "object",
               "additionalProperties": false,
               "properties": {
                 "Event": {"$ref": "#/defs/event"}
               }
             }
           },
           "Galaxy": {
             "type": "array",
             "uniqueItems": true,
             "items": {"$ref": "#/defs/galaxy"}
           },
           "Object": {
             "type": "array",
             "uniqueItems": true,
             "items": {"$ref": "#/defs/object"}
           },
           "Tag": {
             "type": "array",
             "uniqueItems": true,
             "items": {"$ref": "#/defs/tag"}
           }
         }
       },
       "tag": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "id": {"type": "string"},
           "name": {"type": "string"},
           "colour": {"type": "string"},
           "exportable": {"type": "boolean"},
           "hide_tag": {"type": "boolean"},
           "user_id": {"type": "string"}
         }
       },
    "galaxy": {
      "type": "object",
      "additionalProperties": false,
      "properties": {
        "id": {
          "type": "string"
        },
        "uuid": {
          "type": "string"
        },
        "name": {
          "type": "string"
        },
        "type": {
          "type": "string"
        },
        "description": {
          "type": "string"
        },
        "version": {
          "type": "string"
        },
        "icon": {
          "type": "string"
        },
        "namespace": {
          "type": "string"
        },
        "GalaxyCluster": {
          "type": "array",
          "uniqueItems": true,
          "items": {
            "$ref": "#/defs/galaxy_cluster"
          }
        }
      }
    },
    "galaxy_cluster": {
      "type": "object",
      "additionalProperties": false,
      "properties": {
        "id": {
          "type": "string"
        },
        "uuid": {
          "type": "string"
        },
        "type": {
          "type": "string"
        },
        "value": {
          "type": "string"
        },
        "tag_name": {
          "type": "string"
        },
        "description": {
          "type": "string"
        },
        "galaxy_id": {
          "type": "string"
        },
        "version": {
          "type": "string"
        },
        "source": {
          "type": "string"
        },
        "authors": {
          "type": "array",
          "uniqueItems": true,
          "items": {
            "type": "string"
          }
        },
        "tag_id": {
          "type": "string"
        },
        "meta": {
          "type": "object"
        }
      }
    }
  },
  "type": "object",
  "properties": {
    "Event": {
      "$ref": "#/defs/event"
    }
  },
  "required": [
    "Event"
  ]
}

4. Manifest

MISP events can be shared over an HTTP repository, a file package or a USB key. A manifest file provides an index of the MISP events, allowing a consumer to fetch only the recently updated files without parsing each JSON file.

4.1. Format

A manifest file is a simple JSON file named manifest.json in the directory where the MISP events are located. Each MISP event is a file in the same directory, named with the event uuid and the .json extension.

The manifest format is a JSON object whose keys are the uuids of the events.

Each uuid maps to a JSON object with the following fields, taken from the original event referenced by that uuid:

o  info (MUST)

o  Orgc object (MUST)

o  analysis (SHALL)

o  timestamp (MUST)

o  date (MUST)

o  threat_level_id (SHALL)

In addition to the fields originating from the event, the following fields can be added:

o  integrity:sha256 is the SHA256 digest, in hexadecimal representation, of the associated MISP event file, used to verify the integrity of that file. (SHOULD)

o  integrity:pgp is a detached PGP signature [RFC4880] of the associated MISP event file, used to verify the integrity of that file. (SHOULD)

If detached PGP signatures are used for the MISP event files, a detached PGP signature of the manifest file is a MUST to ensure the integrity of the manifest. The detached PGP signature of a manifest file is a manifest.json.asc file containing the PGP signature.

4.1.1. Sample Manifest

{
  "57c6ac4c-c60c-4f79-a38f-b666950d210f": {
    "info": "Malspam 2016-08-31 (.wsf in .zip) - campaign: Photo",
    "Orgc": {
      "id": "2",
      "name": "CIRCL",
      "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
    },
    "analysis": "0",
    "Tag": [
      {
        "colour": "#3d7a00",
        "name": "circl:incident-classification=\"malware\""
      },
      {
        "colour": "#ffffff",
        "name": "tlp:white"
      }
    ],
    "timestamp": "1472638251",
    "date": "2016-08-31",
    "threat_level_id": "3"
  },
  "5720accd-dd28-45f8-80e5-4605950d210f": {
    "info": "Malspam 2016-04-27 - Locky",
    "Orgc": {
      "id": "2",
      "name": "CIRCL"
    },
    "analysis": "2",
    "Tag": [
      {
        "colour": "#ffffff",
        "name": "tlp:white"
      },
      {
        "colour": "#3d7a00",
        "name": "circl:incident-classification=\"malware\""
      },
      {
        "colour": "#2c4f00",
        "name": "malware_classification:malware-category=\"Ransomware\""
      }
    ],
    "timestamp": "1461764231",
    "date": "2016-04-27",
    "threat_level_id": "3"
  }
}

5. Implementation

The MISP format is implemented by different software, including the MISP threat sharing platform and libraries such as PyMISP [MISP-P]. Implementations use the format as an export/import mechanism, as a staging transport format, or as a synchronisation format, as the MISP core platform does. The MISP format does not impose any restriction on how other implementations represent the data in their own data structures.

6. Security Considerations

MISP events might contain sensitive or confidential information. Adequate access control and encryption measures shall be implemented to ensure the confidentiality of the MISP events.

Adversaries might include malicious content in MISP events and attributes.
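The following is an added example, not code from this draft or from the MISP project, covering both the manifest of Section 4.1 and the point above about untrusted input. It shows a producer writing a manifest.json entry per event file (the Section 4.1 fields plus integrity:sha256) and a consumer that uses the manifest to fetch only updated events and that refuses to hand an event file to the JSON parser until its filename, its SHA256 digest and its uuid agree with the manifest. The event files are constructed inline from the values of the sample manifest; all function names (build_manifest, select_updated, verify_and_load, sync_updated) are this example's own. Verification of integrity:pgp and manifest.json.asc is left to an OpenPGP implementation and is not shown.

```python
"""Added example (not from the draft or the MISP project): writing and
consuming a MISP manifest.json as described in Section 4.1, with the
integrity:sha256 check applied before an event file is parsed."""
import hashlib
import hmac
import json
import uuid as uuidlib

# Fields copied from each event into its manifest entry (Section 4.1).
MANIFEST_FIELDS = ("info", "Orgc", "analysis", "timestamp", "date",
                   "threat_level_id")


def is_canonical_uuid(value):
    """True only for the lowercase, hyphenated RFC 4122 text form; that is
    the only form accepted here as the stem of an event filename."""
    try:
        return str(uuidlib.UUID(value)) == value
    except (TypeError, ValueError, AttributeError):
        return False


def _event_bytes(event):
    # Serialise as {"Event": {...}}, the top-level shape the schema requires.
    return json.dumps({"Event": event}, sort_keys=True).encode("utf-8")


# Constructed stand-in for the directory of <uuid>.json event files.
EVENT_FILES = {
    "57c6ac4c-c60c-4f79-a38f-b666950d210f.json": _event_bytes({
        "uuid": "57c6ac4c-c60c-4f79-a38f-b666950d210f",
        "info": "Malspam 2016-08-31 (.wsf in .zip) - campaign: Photo",
        "Orgc": {"id": "2", "name": "CIRCL",
                 "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"},
        "analysis": "0", "timestamp": "1472638251", "date": "2016-08-31",
        "threat_level_id": "3", "Attribute": [],
    }),
    "5720accd-dd28-45f8-80e5-4605950d210f.json": _event_bytes({
        "uuid": "5720accd-dd28-45f8-80e5-4605950d210f",
        "info": "Malspam 2016-04-27 - Locky",
        "Orgc": {"id": "2", "name": "CIRCL"},
        "analysis": "2", "timestamp": "1461764231", "date": "2016-04-27",
        "threat_level_id": "3", "Attribute": [],
    }),
}


def build_manifest(files):
    """Producer side: one manifest entry per event file, keyed by uuid,
    carrying the Section 4.1 fields plus the SHA256 of the file bytes."""
    manifest = {}
    for name, raw in files.items():
        event = json.loads(raw)["Event"]
        uid = event["uuid"]
        if not is_canonical_uuid(uid) or name != uid + ".json":
            raise ValueError("filename does not match event uuid: " + name)
        entry = {f: event[f] for f in MANIFEST_FIELDS if f in event}
        entry["integrity:sha256"] = hashlib.sha256(raw).hexdigest()
        manifest[uid] = entry
    return manifest


def select_updated(manifest, since_timestamp):
    """Consumer side: uuids whose manifest timestamp is newer than the last
    sync, so only those files need to be fetched and parsed."""
    return sorted(uid for uid, entry in manifest.items()
                  if int(entry["timestamp"]) > since_timestamp)


def verify_and_load(manifest, filename, raw):
    """Consumer side: refuse to parse an event file until its name, digest
    and uuid agree with the manifest.  Raises ValueError on any mismatch."""
    if not filename.endswith(".json") or not is_canonical_uuid(filename[:-5]):
        raise ValueError("unexpected event filename: " + filename)
    uid = filename[:-5]
    entry = manifest.get(uid)
    if entry is None or "integrity:sha256" not in entry:
        raise ValueError("no integrity record in manifest for " + uid)
    digest = hashlib.sha256(raw).hexdigest()
    if not hmac.compare_digest(digest, entry["integrity:sha256"]):
        raise ValueError("integrity:sha256 mismatch for " + uid)
    # Only now is the (still untrusted) content handed to the JSON parser.
    event = json.loads(raw)["Event"]
    if event.get("uuid") != uid or event.get("timestamp") != entry["timestamp"]:
        raise ValueError("event content disagrees with manifest for " + uid)
    return event


def sync_updated(manifest, files, since_timestamp):
    """Consumer loop: load every updated event, recording rejections per
    uuid instead of aborting the whole sync on one bad or missing file."""
    loaded, rejected = {}, {}
    for uid in select_updated(manifest, since_timestamp):
        name = uid + ".json"
        try:
            loaded[uid] = verify_and_load(manifest, name, files[name])
        except (KeyError, ValueError) as exc:
            rejected[uid] = str(exc)
    return loaded, rejected
```

The digest is compared with hmac.compare_digest rather than ==, and the digest check runs before json.loads so that a file whose bytes do not match the manifest is never parsed at all; the uuid and timestamp cross-check afterwards catches a file that was swapped for another valid event.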
Implementations MUST treat their input as potentially malicious, over and above the threat information itself, which by its nature may already contain content intended to be malicious.

7. Acknowledgements

The authors wish to thank the MISP community for supporting the creation of open standards in threat intelligence sharing. Special thanks to Nicolas Bareil for reviewing the JSON Schema.

9. References

9.1. Normative References

[RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.

[RFC4122]  Leach, P., Mealling, M., and R. Salz, "A Universally Unique IDentifier (UUID) URN Namespace", RFC 4122, DOI 10.17487/RFC4122, July 2005.

[RFC4627]  Crockford, D., "The application/json Media Type for JavaScript Object Notation (JSON)", RFC 4627, DOI 10.17487/RFC4627, July 2006.

[RFC4880]  Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R. Thayer, "OpenPGP Message Format", RFC 4880, DOI 10.17487/RFC4880, November 2007.

9.2. Informative References

[JSON-SCHEMA]  "JSON Schema: A Media Type for Describing JSON Documents", 2016.

[MISP-P]  MISP, "MISP Project - Malware Information Sharing Platform and Threat Sharing".

[MISP-R]  MISP, "MISP Object Relationship Types - common vocabulary of relationships".

[MISP-T]  MISP, "MISP Taxonomies - shared and common vocabularies of tags".

Authors' Addresses

Alexandre Dulaunoy
Computer Incident Response Center Luxembourg
16, bd d'Avranches
Luxembourg L-1160
Luxembourg

Phone: +352 247 88444
Email: alexandre.dulaunoy@circl.lu

Andras Iklody
Computer Incident Response Center Luxembourg
16, bd d'Avranches
Luxembourg L-1160
Luxembourg

Phone: +352 247 88444
Email: andras.iklody@circl.lu