Network Working Group                                          A. Dulaunoy
Internet-Draft                                                   A. Iklody
Intended status: Informational                                       CIRCL
Expires: February 28, 2021                                 August 27, 2020

                              MISP core format
                    draft-dulaunoy-misp-core-format-11

Abstract

This document describes the MISP core format used to exchange indicators and threat information between MISP (Open Source Threat Intelligence Sharing Platform, formerly known as Malware Information Sharing Platform) instances. The JSON format includes the overall structure along with the semantics associated with each respective key. The format is described to support other implementations which reuse the format, ensuring interoperability with existing MISP [MISP-P] software and other Threat Intelligence Platforms.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on February 28, 2021.

Copyright Notice

Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

1. Introduction
   1.1. Conventions and Terminology
2. Format
   2.1. Overview
   2.2. Event
      2.2.1. Event Attributes
   2.3. Objects
      2.3.1. Org
      2.3.2. Orgc
   2.4. Attribute
      2.4.1. Sample Attribute Object
      2.4.2. Attribute Attributes
   2.5. ShadowAttribute
      2.5.1. Sample Attribute Object
      2.5.2. ShadowAttribute Attributes
      2.5.3. Org
   2.6. Object
      2.6.1. Sample Object
      2.6.2. Object Attributes
   2.7. Object References
      2.7.1. Sample ObjectReference object
      2.7.2. ObjectReference Attributes
   2.8. Tag
      2.8.1. Sample Tag
   2.9. Sighting
      2.9.1. Sample Sighting
   2.10. Galaxy
      2.10.1. Sample Galaxy
3. JSON Schema
4. Manifest
   4.1. Format
      4.1.1. Sample Manifest
5. Implementation
6. Security Considerations
7. Acknowledgements
8. References
9. References
   9.1. Normative References
   9.2. Informative References
Authors' Addresses

1. Introduction

Sharing threat information has become a fundamental requirement in the Internet, security and intelligence community at large. Threat information can include indicators of compromise, malicious file indicators, financial fraud indicators or even detailed information about a threat actor. MISP [MISP-P] started as an open source project in late 2011 and the MISP format has come to be widely used as an exchange format within the community in the past years. The aim of this document is to describe the specification of the MISP core format.

1.1. Conventions and Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

2. Format

2.1. Overview

The MISP core format is in the JSON [RFC8259] format. In MISP, an event is composed of a single JSON object.

A capitalized key (like Event, Org) represents a data model and a non-capitalised key is just an attribute. This nomenclature can support an implementation that represents the MISP format in another data structure.

2.2. Event

An event is a simple meta structure scheme where attributes and meta-data are embedded to compose a coherent set of indicators. An event can be composed from an incident, a security analysis report or a specific threat actor analysis. The meaning of an event depends only on the information embedded in the event.

2.2.1. Event Attributes

2.2.1.1. uuid

uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the event. The uuid MUST be preserved for any updates or transfer of the same event. UUID version 4 is RECOMMENDED when assigning it to a new event.

uuid is represented as a JSON string. uuid MUST be present.

2.2.1.2. id

id represents the human-readable identifier associated to the event for a specific MISP instance. A human-readable identifier MUST be represented as an unsigned integer.

id is represented as a JSON string. id SHALL be present.

2.2.1.3. published

published represents the event publication state. If the event was published, the published value MUST be true. In any other publication state, the published value MUST be false.

published is represented as a JSON boolean. published MUST be present.

2.2.1.4. info

info represents the information field of the event. info is a free-text value to provide a human-readable summary of the event. info SHOULD NOT be bigger than 256 characters and SHOULD NOT include new-lines.

info is represented as a JSON string. info MUST be present.

2.2.1.5. threat_level_id

threat_level_id represents the threat level.
4: Undefined
3: Low
2: Medium
1: High

If a higher granularity is required, a MISP taxonomy applied as a Tag SHOULD be preferred.

threat_level_id is represented as a JSON string. threat_level_id SHALL be present.

2.2.1.6. analysis

analysis represents the analysis level.

0: Initial
1: Ongoing
2: Complete

If a higher granularity is required, a MISP taxonomy applied as a Tag SHOULD be preferred.

analysis is represented as a JSON string. analysis SHALL be present.

2.2.1.7. date

date represents a reference date to the event in ISO 8601 format (date only: YYYY-MM-DD). This date corresponds to the date the event occurred, which may be in the past.

date is represented as a JSON string. date MUST be present.

2.2.1.8. timestamp

timestamp represents a reference time when the event, or one of the attributes within the event, was created or last updated/edited on the instance. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone MUST be UTC.

timestamp is represented as a JSON string. timestamp MUST be present.

2.2.1.9. publish_timestamp

publish_timestamp represents a reference time when the event was published on the instance. publish_timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). At each publication of an event, publish_timestamp MUST be updated. The time zone MUST be UTC. If publish_timestamp is present and the published flag is set to false, publish_timestamp represents the previous publication timestamp. If the event was never published, publish_timestamp MUST be set to 0.

publish_timestamp is represented as a JSON string. publish_timestamp MUST be present.

2.2.1.10. org_id

org_id represents a human-readable identifier referencing an Org object of the organisation which generated the event. A human-readable identifier MUST be represented as an unsigned integer.

The org_id MUST be updated when the event is generated by a new instance.

org_id is represented as a JSON string. org_id MUST be present.

2.2.1.11. orgc_id

orgc_id represents a human-readable identifier referencing an Orgc object of the organisation which created the event.

The orgc_id and Org object MUST be preserved for any updates or transfer of the same event.

orgc_id is represented as a JSON string. orgc_id MUST be present.

2.2.1.12. attribute_count

attribute_count represents the number of attributes in the event. attribute_count is expressed in decimal.

attribute_count is represented as a JSON string. attribute_count SHALL be present.

2.2.1.13. distribution

distribution represents the basic distribution rules of the event. The system must adhere to the distribution setting for access control and for dissemination of the event.

distribution is represented by a JSON string. distribution MUST be present and be one of the following options:

0: Your Organisation Only
1: This Community Only
2: Connected Communities
3: All Communities
4: Sharing Group

2.2.1.14. sharing_group_id

sharing_group_id represents a human-readable identifier referencing a Sharing Group object that defines the distribution of the event, if distribution level "4" is set. A human-readable identifier MUST be represented as an unsigned integer.

sharing_group_id is represented by a JSON string and SHOULD be present. If a distribution level other than "4" is chosen, the sharing_group_id MUST be set to "0".

2.2.1.15. extends_uuid

extends_uuid represents which event is extended by this event.
The extends_uuid is described as a Universally Unique IDentifier (UUID) [RFC4122] with the UUID of the extended event.

extends_uuid is represented as a JSON string. extends_uuid SHOULD be present.

2.3. Objects

2.3.1. Org

An Org object is composed of a uuid, name and id.

The uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the organisation. The organisation UUID is globally assigned to an organisation and SHALL be kept over time.

The name is a readable description of the organisation and SHOULD be present. The id is a human-readable identifier generated by the instance and used as reference in the event. A human-readable identifier MUST be represented as an unsigned integer.

uuid, name and id are represented as JSON strings. uuid, name and id MUST be present.

2.3.1.1. Sample Org Object

   "Org": {
     "id": "2",
     "name": "CIRCL",
     "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
   }

2.3.2. Orgc

An Orgc object is composed of a uuid, name and id.

The uuid MUST be preserved for any updates or transfer of the same event. UUID version 4 is RECOMMENDED when assigning it to a new event. The organisation UUID is globally assigned to an organisation and SHALL be kept over time.

The name is a readable description of the organisation and SHOULD be present. The id is a human-readable identifier generated by the instance and used as reference in the event. A human-readable identifier MUST be represented as an unsigned integer.

uuid, name and id are represented as JSON strings. uuid, name and id MUST be present.

2.4. Attribute

Attributes are used to describe the indicators and contextual data of an event. The main information contained in an attribute is made up of a category-type-value triplet, where the category and type give meaning and context to the value.
Through the various category-type combinations a wide range of information can be conveyed.

A MISP document MUST at least include the category-type-value triplet described in section "Attribute Attributes".

2.4.1. Sample Attribute Object

   "Attribute": {
     "id": "346056",
     "type": "comment",
     "category": "Other",
     "to_ids": false,
     "uuid": "57f4f6d9-cd20-458b-84fd-109ec0a83869",
     "event_id": "3357",
     "distribution": "5",
     "timestamp": "1475679332",
     "comment": "",
     "sharing_group_id": "0",
     "deleted": false,
     "value": "Hello world",
     "SharingGroup": [],
     "ShadowAttribute": [],
     "RelatedAttribute": [],
     "first_seen": "2019-06-02T22:14:28.711954+00:00",
     "last_seen": null
   }

2.4.2. Attribute Attributes

2.4.2.1. uuid

uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the event. The uuid MUST be preserved for any updates or transfer of the same event. UUID version 4 is RECOMMENDED when assigning it to a new event.

uuid is represented as a JSON string. uuid MUST be present.

2.4.2.2. id

id represents the human-readable identifier associated to the event for a specific MISP instance. A human-readable identifier MUST be represented as an unsigned integer.

id is represented as a JSON string. id SHALL be present.

2.4.2.3. type

type represents the means through which an attribute tries to describe the intent of the attribute creator, using a list of pre-defined attribute types.

type is represented as a JSON string. type MUST be present and it MUST be a valid selection for the chosen category.
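As an added example (not code from the draft or from the MISP project), the following Python validator applies the Event rules of section 2.2.1 and the Attribute rules of section 2.4.2 to a constructed event document. It assumes a small constructed subset of the category-type table in place of the full table that follows, and it treats a Sharing Group distribution ("4") combined with sharing_group_id "0" as an error, which is an inference from sections 2.2.1.14 and 2.4.2.10 rather than a stated rule.

```python
# Added example (not from the draft or the MISP project): a validator for the
# Event rules of section 2.2.1 and the Attribute rules of section 2.4.2.
import datetime as dt
import re

UINT_RE = re.compile(r"0|[1-9][0-9]*")  # unsigned integer carried as a string
UUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
DATE_RE = re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}")  # ISO 8601, date only
CATEGORY_TYPES = {  # constructed subset of the table in section 2.4.2.3
    "Network activity": {"ip-src", "ip-dst", "ip-dst|port", "hostname",
                         "domain", "url", "snort", "comment", "text"},
    "Financial fraud": {"btc", "iban", "bic", "cc-number", "comment", "text"},
}
EVENT_DISTRIBUTION = {"0", "1", "2", "3", "4"}
ATTRIBUTE_DISTRIBUTION = EVENT_DISTRIBUTION | {"5"}  # "5" = Inherit Event

def matches(regex, value):
    return isinstance(value, str) and regex.fullmatch(value) is not None

def check_common(obj, where, errors, required, uints, bools):
    """Presence, representation and distribution rules shared by both models."""
    for key in required:
        if key not in obj:
            errors.append(f"{where}: {key} MUST be present")
    if "uuid" in obj and not matches(UUID_RE, obj["uuid"]):
        errors.append(f"{where}: uuid is not an RFC 4122 UUID string")
    for key in uints:  # human-readable identifiers and Unix timestamps
        if key in obj and not matches(UINT_RE, obj[key]):
            errors.append(f"{where}: {key} MUST be an unsigned integer string")
    for key in bools:
        if key in obj and not isinstance(obj[key], bool):
            errors.append(f"{where}: {key} MUST be a JSON boolean")
    # sharing_group_id MUST be "0" unless distribution is "4" (Sharing Group);
    # rejecting "0" together with "4" is an assumption, not a stated rule.
    allowed = EVENT_DISTRIBUTION if where == "Event" else ATTRIBUTE_DISTRIBUTION
    dist, sgid = obj.get("distribution"), obj.get("sharing_group_id", "0")
    if dist not in allowed:
        errors.append(f"{where}: distribution {dist!r} not in {sorted(allowed)}")
    elif dist == "4" and (not matches(UINT_RE, sgid) or sgid == "0"):
        errors.append(f"{where}: distribution 4 requires a sharing_group_id")
    elif dist != "4" and sgid != "0":
        errors.append(f'{where}: sharing_group_id MUST be "0" unless distribution is "4"')

def check_attribute(attr, where, errors):
    check_common(attr, where, errors,
                 ("uuid", "id", "type", "category", "to_ids", "event_id",
                  "distribution", "timestamp", "deleted", "value"),
                 ("id", "event_id", "timestamp"), ("to_ids", "deleted"))
    cat, typ = attr.get("category"), attr.get("type")  # sections 2.4.2.3/2.4.2.4
    if cat not in CATEGORY_TYPES:
        errors.append(f"{where}: unknown category {cat!r}")
    elif typ not in CATEGORY_TYPES[cat]:
        errors.append(f"{where}: type {typ!r} is not valid for category {cat!r}")

def check_event(doc):
    """Return the rule violations found in a {"Event": {...}} document."""
    ev = doc.get("Event")
    if not isinstance(ev, dict):
        return ["document MUST consist of a single Event object"]
    errors = []
    check_common(ev, "Event", errors,
                 ("uuid", "id", "published", "info", "threat_level_id",
                  "analysis", "date", "timestamp", "publish_timestamp",
                  "org_id", "orgc_id", "attribute_count", "distribution"),
                 ("id", "org_id", "orgc_id", "attribute_count", "timestamp",
                  "publish_timestamp"), ("published",))
    if ev.get("threat_level_id") not in {"1", "2", "3", "4"}:
        errors.append("Event: threat_level_id MUST be 1 (High) to 4 (Undefined)")
    if ev.get("analysis") not in {"0", "1", "2"}:
        errors.append("Event: analysis MUST be 0 (Initial) to 2 (Complete)")
    if ev.get("published") is True and ev.get("publish_timestamp") == "0":
        errors.append("Event: publish_timestamp 0 is reserved for unpublished events")
    try:  # YYYY-MM-DD and a real calendar date (section 2.2.1.7)
        dt.date.fromisoformat(DATE_RE.fullmatch(ev.get("date", "")).group())
    except (AttributeError, TypeError, ValueError):
        errors.append("Event: date MUST be an ISO 8601 date (YYYY-MM-DD)")
    for i, attr in enumerate(ev.get("Attribute", [])):
        check_attribute(attr, f"Attribute[{i}]", errors)
    return errors

# Constructed sample reusing the UUIDs of the draft's own samples; the second
# attribute deliberately breaks two rules.
SAMPLE_EVENT = {"Event": {
    "uuid": "57d475e6-41c4-41ca-b450-145ec0a83869", "id": "9",
    "published": True, "info": "Constructed sample event",
    "threat_level_id": "2", "analysis": "1", "date": "2020-08-27",
    "timestamp": "1598515200", "publish_timestamp": "1598515300",
    "org_id": "1", "orgc_id": "1", "attribute_count": "2",
    "distribution": "1", "sharing_group_id": "0",
    "Attribute": [
        {"uuid": "57f4f6d9-cd20-458b-84fd-109ec0a83869", "id": "346056",
         "type": "ip-src", "category": "Network activity", "to_ids": True,
         "event_id": "9", "distribution": "5", "sharing_group_id": "0",
         "timestamp": "1598515200", "deleted": False, "value": "192.0.2.10"},
        {"uuid": "57d475f1-da78-4569-89de-1458c0a83869", "id": "346057",
         "type": "btc", "category": "Network activity", "to_ids": False,
         "event_id": "9", "distribution": "2", "sharing_group_id": "7",
         "timestamp": "1598515200", "deleted": False, "value": "n/a"},
    ],
}}
```

Running `check_event(SAMPLE_EVENT)` reports the stray sharing_group_id and the invalid category-type pairing of the second attribute and nothing else.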
The list of valid category-type combinations is as follows:

Antivirus detection
   link, comment, text, hex, attachment, other, anonymised

Artifacts dropped
   md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, impfuzzy, authentihash, vhash, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, pdb, stix2-pattern, yara, sigma, attachment, malware-sample, named pipe, mutex, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene, kusto-query, mime-type, anonymised

Attribution
   threat-actor, campaign-name, campaign-id, whois-registrant-phone, whois-registrant-email, whois-registrant-name, whois-registrant-org, whois-registrar, whois-creation-date, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, dns-soa-email, anonymised

External analysis
   md5, sha1, sha256, sha3-224, sha3-256, sha3-384, sha3-512, filename, filename|md5, filename|sha1, filename|sha256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, ip-src, ip-dst, ip-dst|port, ip-src|port, mac-address, mac-eui-64, hostname, domain, domain|ip, url, user-agent, regkey, regkey|value, AS, snort, bro, zeek, pattern-in-file, pattern-in-traffic, pattern-in-memory, vulnerability, weakness, attachment, malware-sample, link, comment, text, x509-fingerprint-sha1,
   x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, github-repository, other, cortex, anonymised, community-id

Financial fraud
   btc, dash, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, phone-number, comment, text, other, hex, anonymised

Internal reference
   text, link, comment, other, hex, anonymised, git-commit-id

Network activity
   ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email-dst, email-src, eppn, url, uri, user-agent, http-method, AS, snort, pattern-in-file, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised, community-id, email-subject

Other
   comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean, anonymised

Payload delivery
   md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, weakness,
   x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised

Payload installation
   md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, stix2-pattern, yara, sigma, vulnerability, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, chrome-extension-id, other, mime-type, anonymised

Payload type
   comment, text, other, anonymised

Persistence mechanism
   filename, regkey, regkey|value, comment, text, other, hex, anonymised

Person
   first-name, middle-name, last-name, date-of-birth, place-of-birth, gender, passport-number, passport-country, passport-expiration, redress-number, nationality, visa-number, issue-date-of-the-visa, primary-residence, country-of-residence, special-service-request, frequent-flyer-number, travel-details, payment-details, place-port-of-original-embarkation, place-port-of-clearance, place-port-of-onward-foreign-destination, passenger-name-record-locator-number, comment,
   text, other, phone-number, identity-card-number, anonymised

Social network
   github-username, github-repository, github-organisation, jabber-id, twitter-id, email-src, email-dst, eppn, comment, text, other, whois-registrant-email, anonymised

Support Tool
   link, text, attachment, comment, other, hex, anonymised

Targeting data
   target-user, target-email, target-machine, target-org, target-location, target-external, comment, anonymised

Attributes are based on the usage within their different communities. Attributes can be extended on a regular basis and this reference document is updated accordingly.

2.4.2.4. category

category represents the intent of what the attribute is describing as selected by the attribute creator, using a list of pre-defined attribute categories.

category is represented as a JSON string. category MUST be present and it MUST be a valid selection for the chosen type. The list of valid category-type combinations is mentioned above.

2.4.2.5. to_ids

to_ids represents whether the attribute is meant to be actionable. Actionable attributes are those that can be used in automated processes as a pattern for detection in local or network intrusion detection systems, log analysis tools or even filtering mechanisms.

to_ids is represented as a JSON boolean. to_ids MUST be present.

2.4.2.6. event_id

event_id represents a human-readable identifier referencing the Event object that the attribute belongs to. A human-readable identifier MUST be represented as an unsigned integer.

The event_id SHOULD be updated when the event is imported to reflect the newly created event's id on the instance.

event_id is represented as a JSON string. event_id MUST be present.

2.4.2.7. distribution

distribution represents the basic distribution rules of the attribute.
The system must adhere to the distribution setting for access control and for dissemination of the attribute.

distribution is represented by a JSON string. distribution MUST be present and be one of the following options:

0: Your Organisation Only
1: This Community Only
2: Connected Communities
3: All Communities
4: Sharing Group
5: Inherit Event

2.4.2.8. timestamp

timestamp represents a reference time when the attribute was created or last modified. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone MUST be UTC.

timestamp is represented as a JSON string. timestamp MUST be present.

2.4.2.9. comment

comment is a contextual comment field.

comment is represented by a JSON string. comment MAY be present.

2.4.2.10. sharing_group_id

sharing_group_id represents a human-readable identifier referencing a Sharing Group object that defines the distribution of the attribute, if distribution level "4" is set. A human-readable identifier MUST be represented as an unsigned integer.

sharing_group_id is represented by a JSON string and SHOULD be present. If a distribution level other than "4" is chosen, the sharing_group_id MUST be set to "0".

2.4.2.11. deleted

deleted represents a setting that allows attributes to be revoked. Revoked attributes are not actionable and exist merely to inform other instances of a revocation.

deleted is represented by a JSON boolean. deleted MUST be present.

2.4.2.12. data

data contains the base64 encoded contents of an attachment or a malware sample. For malware samples, the sample MUST be encrypted using a password protected zip archive, with the password being "infected".

data is represented by a JSON string in base64 encoding. data MUST be set for attributes of type malware-sample and attachment.

2.4.2.13. RelatedAttribute

RelatedAttribute is an array of attributes correlating with the current attribute. Each element in the array represents a JSON object which contains an Attribute dictionary with the external attributes that correlate. Each Attribute MUST include the id, org_id, info and a value. Only the correlations found on the local instance are shown in RelatedAttribute.

RelatedAttribute MAY be present.

2.4.2.14. ShadowAttribute

ShadowAttribute is an array of shadow attributes that serve as proposals by third parties to alter the containing attribute. The structure of a ShadowAttribute is similar to that of an Attribute, which can be accepted or discarded by the event creator. If accepted, the original attribute containing the shadow attribute is removed and the shadow attribute is converted into an attribute.

Each shadow attribute that references an attribute MUST contain the containing attribute's ID in the old_id field and the event's ID in the event_id field.

2.4.2.15. value

value represents the payload of an attribute. The format of the value is dependent on the type of the attribute.

value is represented by a JSON string. value MUST be present.

2.4.2.16. first_seen

first_seen represents a reference time when the attribute was first seen. first_seen is expressed as an ISO 8601 datetime up to the microsecond with time zone support.

first_seen is represented as a JSON string. first_seen MAY be present.

2.4.2.17. last_seen

last_seen represents a reference time when the attribute was last seen. last_seen is expressed as an ISO 8601 datetime up to the microsecond with time zone support.

last_seen is represented as a JSON string. last_seen MAY be present.

2.5. ShadowAttribute

ShadowAttributes are third-party created attributes that either propose to add new information to an event or modify existing information.
They are not meant to be actionable until the event creator accepts them, at which point they will be converted into attributes or modify an existing attribute.

They are similar in structure to Attributes but additionally carry a reference to the creator of the ShadowAttribute as well as a revocation flag.

2.5.1. Sample Attribute Object

   "ShadowAttribute": {
     "id": "8",
     "type": "ip-src",
     "category": "Network activity",
     "to_ids": false,
     "uuid": "57d475f1-da78-4569-89de-1458c0a83869",
     "event_uuid": "57d475e6-41c4-41ca-b450-145ec0a83869",
     "event_id": "9",
     "old_id": "319",
     "comment": "",
     "org_id": "1",
     "proposal_to_delete": false,
     "value": "5.5.5.5",
     "deleted": false,
     "Org": {
       "id": "1",
       "name": "MISP",
       "uuid": "568cce5a-0c80-412b-8fdf-1ffac0a83869"
     },
     "first_seen": "2019-06-02T22:14:28.711954+00:00",
     "last_seen": null
   }

2.5.2. ShadowAttribute Attributes

2.5.2.1. uuid

uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the event. The uuid MUST be preserved for any updates or transfer of the same event. UUID version 4 is RECOMMENDED when assigning it to a new event.

uuid is represented as a JSON string. uuid MUST be present.

2.5.2.2. id

id represents the human-readable identifier associated to the event for a specific MISP instance. A human-readable identifier MUST be represented as an unsigned integer. id is represented as a JSON string. id SHALL be present.

2.5.2.3. type

type represents the means through which an attribute tries to describe the intent of the attribute creator, using a list of pre-defined attribute types.

type is represented as a JSON string. type MUST be present and it MUST be a valid selection for the chosen category.
The list of valid category-type combinations is as follows:

Antivirus detection
   link, comment, text, hex, attachment, other, anonymised

Artifacts dropped
   md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, impfuzzy, authentihash, vhash, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, pdb, stix2-pattern, yara, sigma, attachment, malware-sample, named pipe, mutex, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene, kusto-query, mime-type, anonymised

Attribution
   threat-actor, campaign-name, campaign-id, whois-registrant-phone, whois-registrant-email, whois-registrant-name, whois-registrant-org, whois-registrar, whois-creation-date, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, dns-soa-email, anonymised

External analysis
   md5, sha1, sha256, sha3-224, sha3-256, sha3-384, sha3-512, filename, filename|md5, filename|sha1, filename|sha256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, ip-src, ip-dst, ip-dst|port, ip-src|port, mac-address, mac-eui-64, hostname, domain, domain|ip, url, user-agent, regkey, regkey|value, AS, snort, bro, zeek, pattern-in-file, pattern-in-traffic, pattern-in-memory, vulnerability, weakness, attachment, malware-sample, link, comment, text, x509-fingerprint-sha1,
   x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, github-repository, other, cortex, anonymised, community-id

Financial fraud
   btc, dash, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, phone-number, comment, text, other, hex, anonymised

Internal reference
   text, link, comment, other, hex, anonymised, git-commit-id

Network activity
   ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email-dst, email-src, eppn, url, uri, user-agent, http-method, AS, snort, pattern-in-file, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised, community-id, email-subject

Other
   comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean, anonymised

Payload delivery
   md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, weakness,
   x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised

Payload installation
   md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, stix2-pattern, yara, sigma, vulnerability, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, chrome-extension-id, other, mime-type, anonymised

Payload type
   comment, text, other, anonymised

Persistence mechanism
   filename, regkey, regkey|value, comment, text, other, hex, anonymised

Person
   first-name, middle-name, last-name, date-of-birth, place-of-birth, gender, passport-number, passport-country, passport-expiration, redress-number, nationality, visa-number, issue-date-of-the-visa, primary-residence, country-of-residence, special-service-request, frequent-flyer-number, travel-details, payment-details, place-port-of-original-embarkation, place-port-of-clearance, place-port-of-onward-foreign-destination, passenger-name-record-locator-number, comment,
   text, other, phone-number, identity-card-number, anonymised

Social network
   github-username, github-repository, github-organisation, jabber-id, twitter-id, email-src, email-dst, eppn, comment, text, other, whois-registrant-email, anonymised

Support Tool
   link, text, attachment, comment, other, hex, anonymised

Targeting data
   target-user, target-email, target-machine, target-org, target-location, target-external, comment, anonymised

Attributes are based on the usage within their different communities. Attributes can be extended on a regular basis and this reference document is updated accordingly.

2.5.2.4. category

category represents the intent of what the attribute is describing as selected by the attribute creator, using a list of pre-defined attribute categories.

category is represented as a JSON string. category MUST be present and it MUST be a valid selection for the chosen type. The list of valid category-type combinations is mentioned above.

2.5.2.5. to_ids

to_ids represents whether the Attribute to be created if the ShadowAttribute is accepted is meant to be actionable. Actionable attributes are defined as attributes that can be used in automated processes as a pattern for detection in a local or network Intrusion Detection System, log analysis tools or even filtering mechanisms.

to_ids is represented as a JSON boolean. to_ids MUST be present.

2.5.2.6. event_id

event_id represents a human-readable identifier referencing the Event object that the ShadowAttribute belongs to.

The event_id SHOULD be updated when the event is imported to reflect the newly created event's id on the instance.

event_id is represented as a JSON string. event_id MUST be present.

2.5.2.7. old_id

old_id represents a human-readable identifier referencing the Attribute object that the ShadowAttribute belongs to.
In this way a ShadowAttribute can target an existing Attribute, implying that it is a proposal to modify an existing Attribute, or alternatively it can be a proposal to create a new Attribute for the containing Event.

The old_id SHOULD be updated when the event is imported to reflect the newly created Attribute's id on the instance. Alternatively, if the ShadowAttribute proposes the creation of a new Attribute, it should be set to 0.

old_id is represented as a JSON string. old_id MUST be present.

2.5.2.8. timestamp

timestamp represents a reference time when the attribute was created or last modified. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone MUST be UTC.

timestamp is represented as a JSON string. timestamp MUST be present.

2.5.2.9. comment

comment is a contextual comment field.

comment is represented by a JSON string. comment MAY be present.

2.5.2.10. org_id

org_id represents a human-readable identifier referencing the proposal creator's Organisation object. A human-readable identifier MUST be represented as an unsigned integer.

Whilst attributes can only be created by the event creator organisation, shadow attributes can be created by third parties. org_id tracks the creator organisation.

org_id is represented by a JSON string and MUST be present.

2.5.2.11. proposal_to_delete

proposal_to_delete is a boolean flag that sets whether the shadow attribute proposes to alter an attribute, or whether it proposes to remove it completely.

Accepting a shadow attribute with this flag set will remove the target attribute.

proposal_to_delete is a JSON boolean and it MUST be present. If proposal_to_delete is set to true, old_id MUST NOT be 0.

2.5.2.12. deleted

deleted represents a setting that allows shadow attributes to be revoked.
Revoked shadow attributes only serve to inform other instances that the shadow attribute is no longer active.

deleted is represented by a JSON boolean. deleted SHOULD be present.

2.5.2.13. data

data contains the base64 encoded contents of an attachment or a malware sample. For malware samples, the sample MUST be encrypted using a password protected zip archive, with the password being "infected".

data is represented by a JSON string in base64 encoding. data MUST be set for shadow attributes of type malware-sample and attachment.

2.5.2.14. first_seen

first_seen represents a reference time when the attribute was first seen. first_seen is expressed as an ISO 8601 datetime up to the microsecond with time zone support.

first_seen is represented as a JSON string. first_seen MAY be present.

2.5.2.15. last_seen

last_seen represents a reference time when the attribute was last seen. last_seen is expressed as an ISO 8601 datetime up to the microsecond with time zone support.

last_seen is represented as a JSON string. last_seen MAY be present.

2.5.3. Org

An Org object is composed of a uuid, name and id.

The uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the organization. The organization UUID is globally assigned to an organization and SHALL be kept over time.

The name is a readable description of the organization and SHOULD be present. The id is a human-readable identifier generated by the instance and used as reference in the event. A human-readable identifier MUST be represented as an unsigned integer.

uuid, name and id are represented as JSON strings. uuid, name and id MUST be present.

2.5.3.1. Sample Org Object

   "Org": {
     "id": "2",
     "name": "CIRCL",
     "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
   }

2.5.3.2. value

value represents the payload of an attribute.
The format of the value is dependent on the type of the attribute.

value is represented by a JSON string. value MUST be present.

2.6. Object

Objects serve as a contextual bond between a list of attributes within an event. Their main purpose is to describe more complex structures than can be described by a single attribute. Each object is created using an Object Template and carries the meta-data of the template used for its creation within. Objects belong to a meta-category and are defined by a name.

The schema used is described by the template_uuid and template_version fields.

A MISP document containing an Object MUST contain a name, a meta-category, a description, a template_uuid and a template_version as described in the "Object Attributes" section.

2.6.1. Sample Object

   "Object": {
     "id": "588",
     "name": "file",
     "meta-category": "file",
     "description": "File object describing a file with meta-information",
     "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
     "template_version": "3",
     "event_id": "56",
     "uuid": "398b0094-0384-4c48-9bf0-22b3dff9c4d3",
     "timestamp": "1505747965",
     "distribution": "5",
     "sharing_group_id": "0",
     "comment": "",
     "deleted": false,
     "ObjectReference": [],
     "Attribute": [
       {
         "id": "7822",
         "type": "filename",
         "category": "Payload delivery",
         "to_ids": true,
         "uuid": "59bfe3fb-bde0-4dfe-b5b1-2b10a07724d1",
         "event_id": "56",
         "distribution": "0",
         "timestamp": "1505747963",
         "comment": "",
         "sharing_group_id": "0",
         "deleted": false,
         "disable_correlation": false,
         "object_id": "588",
         "object_relation": "filename",
         "value": "StarCraft.exe",
         "ShadowAttribute": [],
         "first_seen": null,
         "last_seen": null
       }
     ],
     "first_seen": "2019-06-02T22:14:28.711954+00:00",
     "last_seen": null
   }

                                 Figure 1

2.6.2. Object Attributes

2.6.2.1. uuid

uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the object. The uuid MUST be preserved for any updates or transfer of the same object. UUID version 4 is RECOMMENDED when assigning it to a new object.

2.6.2.2. id

id represents the human-readable identifier associated to the object for a specific MISP instance. A human-readable identifier MUST be represented as an unsigned integer.

id is represented as a JSON string. id SHALL be present.

2.6.2.3. name

name represents the human-readable name of the object describing the intent of the object package.

name is represented as a JSON string. name MUST be present.

2.6.2.4. meta-category

meta-category represents the sub-category of objects that the given object belongs to. meta-categories are not tied to a fixed list of options but can be created on the fly.

meta-category is represented as a JSON string. meta-category MUST be present.

2.6.2.5. description

description is a human-readable description of the given object type, as derived from the template used for creation.

description is represented as a JSON string. description SHALL be present.

2.6.2.6. template_uuid

template_uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the template used to create the object. The template_uuid MUST be preserved to preserve the object's association with the correct template used for creation. UUID version 4 is RECOMMENDED when assigning it to a new object.

2.6.2.7. template_version

template_version represents a numeric incrementing version of the template used to create the object. It is used to associate the object to the correct version of the template and together with the template_uuid forms an association to the correct template type and version.

template_version is represented as a JSON string.
template_version MUST be present.

2.6.2.8. event_id

event_id represents the human-readable identifier of the event that the object belongs to on a specific MISP instance. A human-readable identifier MUST be represented as an unsigned integer.

event_id is represented as a JSON string. event_id SHALL be present.

2.6.2.9. timestamp

timestamp represents a reference time when the object was created or last modified. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone MUST be UTC.

timestamp is represented as a JSON string. timestamp MUST be present.

2.6.2.10. distribution

distribution represents the basic distribution rules of the object. The system must adhere to the distribution setting for access control and for dissemination of the object.

distribution is represented by a JSON string. distribution MUST be present and be one of the following options:

   0  Your Organisation Only
   1  This Community Only
   2  Connected Communities
   3  All Communities
   4  Sharing Group

2.6.2.11. sharing_group_id

sharing_group_id represents a human-readable identifier referencing a Sharing Group object that defines the distribution of the object, if distribution level "4" is set. A human-readable identifier MUST be represented as an unsigned integer.

sharing_group_id is represented by a JSON string and SHOULD be present. If a distribution level other than "4" is chosen the sharing_group_id MUST be set to "0".

2.6.2.12. comment

comment is a contextual comment field.

comment is represented by a JSON string. comment MAY be present.

2.6.2.13. deleted

deleted represents a setting that allows attributes to be revoked. Revoked attributes are not actionable and exist merely to inform other instances of a revocation.

deleted is represented by a JSON boolean.
deleted MUST be present.

2.6.2.14. Attribute

Attribute is an array of attributes that describe the object with data.

Each attribute in an object MUST contain the parent event's ID in the event_id field and the parent object's ID in the object_id field.

2.6.2.15. first_seen

first_seen represents a reference time when the object was first seen. first_seen is expressed as an ISO 8601 datetime up to the microsecond with time zone support.

first_seen is represented as a JSON string. first_seen MAY be present.

2.6.2.16. last_seen

last_seen represents a reference time when the object was last seen. last_seen is expressed as an ISO 8601 datetime up to the microsecond with time zone support.

last_seen is represented as a JSON string. last_seen MAY be present.

2.7. Object References

Object References serve as a logical link between an Object and another referenced Object or Attribute. The relationship is categorised by an enumerated value from a fixed vocabulary.

Taking the relationship_type from the MISP object relationship list [MISP-R] is RECOMMENDED to ensure coherent naming.

All Object References MUST contain an object_uuid, a referenced_uuid and a relationship type.

2.7.1. Sample ObjectReference object

   "ObjectReference": {
     "id": "195",
     "uuid": "59c21a2c-c0ac-4083-93b3-363da07724d1",
     "timestamp": "1505892908",
     "object_id": "591",
     "event_id": "113",
     "referenced_id": "590",
     "referenced_type": "1",
     "relationship_type": "derived-from",
     "comment": "",
     "deleted": false,
     "object_uuid": "59c1134d-8a40-4c14-ad94-0f7ba07724d1",
     "referenced_uuid": "59c1133c-9adc-4d06-a34b-0f7ca07724d1"
   }

2.7.2. ObjectReference Attributes

2.7.2.1. uuid

uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the object reference.
The uuid MUST be preserved for any updates or transfer of the same object reference. UUID version 4 is RECOMMENDED when assigning it to a new object reference.

2.7.2.2. id

id represents the human-readable identifier associated to the object reference for a specific MISP instance.

id is represented as a JSON string. id SHALL be present.

2.7.2.3. timestamp

timestamp represents a reference time when the object was created or last modified. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone MUST be UTC.

timestamp is represented as a JSON string. timestamp MUST be present.

2.7.2.4. object_id

object_id represents the human-readable identifier of the object that the object reference belongs to on a specific MISP instance. A human-readable identifier MUST be represented as an unsigned integer.

object_id is represented as a JSON string. object_id SHALL be present.

2.7.2.5. event_id

event_id represents the human-readable identifier of the event that the object reference belongs to on a specific MISP instance. A human-readable identifier MUST be represented as an unsigned integer.

event_id is represented as a JSON string. event_id SHALL be present.

2.7.2.6. referenced_id

referenced_id represents the human-readable identifier of the object or attribute that the parent object of the object reference points to on a specific MISP instance.

referenced_id is represented as a JSON string. referenced_id MAY be present.

2.7.2.7. referenced_type

referenced_type represents the numeric value describing what the object reference points to, "0" representing an attribute and "1" representing an object.

referenced_type is represented as a JSON string. referenced_type MAY be present.

2.7.2.8. relationship_type

relationship_type represents the human-readable context of the relationship between an object and another object or attribute as described by the object_reference.

relationship_type is represented as a JSON string. relationship_type MUST be present.

2.7.2.9. comment

comment is a contextual comment field.

comment is represented by a JSON string. comment MAY be present.

2.7.2.10. deleted

deleted represents a setting that allows object references to be revoked. Revoked object references are not actionable and exist merely to inform other instances of a revocation.

deleted is represented by a JSON boolean. deleted MUST be present.

2.7.2.11. object_uuid

object_uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the object that the given object reference belongs to. The object_uuid MUST be preserved to preserve the object reference's association with the object.

2.7.2.12. referenced_uuid

referenced_uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the object or attribute that is being referenced by the object reference. The referenced_uuid MUST be preserved to preserve the object reference's association with the object or attribute.

2.8. Tag

A tag is a simple method to classify an event with a simple string. The tag name can be freely chosen. The tag name can also be chosen from a fixed machine-tag vocabulary called MISP taxonomies [MISP-T]. When an event is distributed outside an organisation, the use of MISP taxonomies [MISP-T] is RECOMMENDED to ensure a coherent naming of the tags. A tag is represented as a JSON array where each element describes one associated tag. A tag array SHALL be at event level or attribute level. A tag element is described with a name, id, colour and exportable flag.
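The following Python is an added example and is not code from this draft or from the MISP project. It shows how a receiving or exporting implementation can handle the Tag array described in this section: it splits a taxonomy tag into the machine-tag form namespace:predicate="value" used by MISP taxonomies, checks one Tag element against the field rules given here (name, id, colour, exportable), and filters a Tag array so that tags flagged as not exportable stay on the local instance. The #RRGGBB colour format and the exact machine-tag grammar are assumptions of the example; the sample tags are constructed.

```python
"""Tag handling for the MISP Tag array (Section 2.8).

Added example, not part of the draft or of MISP. The machine-tag grammar
(namespace:predicate, optionally ="value") and the #RRGGBB colour check
are assumptions; the sample tags below are constructed.
"""
import re
from typing import List, NamedTuple, Optional


class MachineTag(NamedTuple):
    namespace: str
    predicate: str
    value: Optional[str]


# namespace:predicate, optionally followed by ="value" (the value may not contain '"')
_MACHINE_TAG = re.compile(r'^([^:=" ]+):([^:=" ]+)(?:="([^"]*)")?$')
# Assumed colour format: a '#' followed by six hexadecimal digits
_COLOUR = re.compile(r"^#[0-9a-fA-F]{6}$")


def parse_machine_tag(name: str) -> Optional[MachineTag]:
    """Split a taxonomy tag into its parts; return None for a free-form tag."""
    m = _MACHINE_TAG.match(name)
    if m is None:
        return None
    return MachineTag(m.group(1), m.group(2), m.group(3))


def tag_problems(tag: dict) -> List[str]:
    """Return the rule violations of one Tag element (empty list when clean)."""
    problems = []
    if not isinstance(tag.get("name"), str) or not tag["name"]:
        problems.append("name MUST be present as a non-empty string")
    if "id" in tag and not (isinstance(tag["id"], str) and tag["id"].isdigit()):
        problems.append("id is an unsigned integer carried as a JSON string")
    if "colour" in tag and not (isinstance(tag["colour"], str) and _COLOUR.match(tag["colour"])):
        problems.append("colour is an RGB value such as #ffffff (assumed format)")
    if "exportable" in tag and not isinstance(tag["exportable"], bool):
        problems.append("exportable is a JSON boolean")
    return problems


def tags_for_export(tags: List[dict]) -> List[dict]:
    """Keep only tags that may leave this instance; local-only tags are dropped.

    A missing or non-boolean exportable flag is treated as local-only, so a
    malformed element can never be exported by accident.
    """
    return [t for t in tags if t.get("exportable") is True]


# Constructed sample: a TLP tag, a local-only free-form tag and a galaxy tag
SAMPLE_TAGS = [
    {"exportable": True, "colour": "#ffffff", "name": "tlp:white", "id": "2"},
    {"exportable": False, "colour": "#004646", "name": "internal-only", "id": "7"},
    {"exportable": True, "colour": "#0088cc",
     "name": 'misp-galaxy:threat-actor="Anunak"', "id": "111"},
]

if __name__ == "__main__":
    for tag in SAMPLE_TAGS:
        print(tag["name"], "->", parse_machine_tag(tag["name"]), tag_problems(tag))
    print("exported:", [t["name"] for t in tags_for_export(SAMPLE_TAGS)])
```

Filtering on `exportable is True` rather than on a truthy value is deliberate: a tag whose flag is missing or malformed is kept local, which is the safe default when the array is about to be pushed to another instance.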
exportable represents a setting indicating whether the tag is kept local or is exportable to other MISP instances. exportable is represented by a JSON boolean. id is a human-readable identifier that references the tag on the local instance. colour represents an RGB value of the tag.

name MUST be present. colour, id and exportable SHALL be present.

2.8.1. Sample Tag

   "Tag": [{
     "exportable": true,
     "colour": "#ffffff",
     "name": "tlp:white",
     "id": "2"
   }]

2.9. Sighting

A sighting is an ascertainment which describes whether an attribute has been seen under a given set of conditions. The sighting can include the organisation who sighted the attribute or can be anonymised. Sighting is composed of a JSON array in which each element describes one singular instance of a sighting. A sighting element is a JSON object composed of the following values:

type MUST be present. type describes the type of a sighting. MISP allows 3 default types:

   +------------+------------------------------------------------------+
   | Sighting   | Description                                          |
   | type       |                                                      |
   +------------+------------------------------------------------------+
   | 0          | denotes an attribute which has been seen             |
   | 1          | denotes an attribute which has been seen and         |
   |            | confirmed as false-positive                          |
   | 2          | denotes an attribute which will be expired at the    |
   |            | time of the sighting                                 |
   +------------+------------------------------------------------------+

uuid MUST be present. uuid references the uuid of the sighted attribute.

date_sighting MUST be present. date_sighting is expressed in seconds (decimal) elapsed since 1st of January 1970 (Unix timestamp). date_sighting represents when the referenced attribute, designated by its uuid, is sighted.

source MAY be present.
source is represented as a JSON string and represents the human-readable version of the sighting source, which can be a given piece of software (e.g. SIEM), device or a specific analytical process.

id, event_id and attribute_id MAY be present.

id represents the human-readable identifier of the sighting reference which belongs to a specific MISP instance. event_id represents the human-readable identifier of the event referenced by the sighting and belongs to a specific MISP instance. attribute_id represents the human-readable identifier of the attribute referenced by the sighting and belongs to a specific MISP instance.

org_id MAY be present along with the JSON object describing the organisation. If the org_id is not present, the sighting is considered as anonymised.

org_id represents the human-readable identifier of the organisation which did the sighting and belongs to a specific MISP instance.

A human-readable identifier MUST be represented as an unsigned integer.

2.9.1. Sample Sighting

   "Sighting": [
     {
       "id": "13599",
       "attribute_id": "1201615",
       "event_id": "10164",
       "org_id": "2",
       "date_sighting": "1517581400",
       "uuid": "5a747459-41b4-4826-9b29-42dd950d210f",
       "source": "M2M-CIRCL",
       "type": "0",
       "Organisation": {
         "id": "2",
         "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f",
         "name": "CIRCL"
       }
     },
     {
       "id": "13601",
       "attribute_id": "1201615",
       "event_id": "10164",
       "org_id": "2",
       "date_sighting": "1517581401",
       "uuid": "5a74745a-a190-4d04-b719-4916950d210f",
       "source": "M2M-CIRCL",
       "type": "0",
       "Organisation": {
         "id": "2",
         "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f",
         "name": "CIRCL"
       }
     }
   ]

2.10. Galaxy

A galaxy is a simple method to express a large object called cluster that can be attached to MISP events.
A cluster can be composed of one or more elements. Elements are expressed as key-values.

2.10.1. Sample Galaxy

   "Galaxy": [
     {
       "id": "18",
       "uuid": "698774c7-8022-42c4-917f-8d6e4f06ada3",
       "name": "Threat Actor",
       "type": "threat-actor",
       "description": "Threat actors are characteristics of malicious actors (or adversaries) representing a cyber attack threat including presumed intent and historically observed behaviour.",
       "version": "1",
       "GalaxyCluster": [
         {
           "id": "1699",
           "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
           "type": "threat-actor",
           "value": "Anunak",
           "tag_name": "misp-galaxy:threat-actor=\"Anunak\"",
           "description": "Groups targeting financial organizations or people with significant financial assets.",
           "galaxy_id": "18",
           "source": "MISP Project",
           "authors": [
             "Alexandre Dulaunoy",
             "Florian Roth",
             "Thomas Schreck",
             "Timo Steffens",
             "Various"
           ],
           "tag_id": "111",
           "meta": {
             "synonyms": [
               "Carbanak",
               "Carbon Spider"
             ],
             "country": [
               "RU"
             ],
             "motive": [
               "Cybercrime"
             ]
           }
         }
       ]
     }
   ]

3. JSON Schema

The JSON Schema [JSON-SCHEMA] below defines the structure of the MISP core format as literally described before. The JSON Schema is used to validate MISP events at creation time or parsing.
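In production an instance feeds the schema below to a full JSON Schema library. As an added example that is not part of the draft or of MISP, the following Python implements only the draft-04 subset the schema actually relies on (type, properties, additionalProperties, required, items, uniqueItems and local $ref pointers into defs), so the effect of each keyword can be seen on constructed documents: an unknown key is rejected by additionalProperties, a missing uuid by required, a repeated tag by uniqueItems. The schema fragment mirrors the org definition shown below, adds a tag definition derived from Section 2.8, and wraps both in a constructed top-level object; the sample documents are constructed as well.

```python
"""Minimal validator for the JSON Schema subset used by the MISP core schema.

Added example, not part of the draft or of MISP and not a full draft-04
implementation. SCHEMA is a constructed fragment: "org" mirrors the
definition in the draft, "tag" is derived from the Tag fields of Section 2.8.
"""
import json

JSON_TYPES = {"object": dict, "array": list, "string": str,
              "boolean": bool, "null": type(None)}


def _is_type(instance, name):
    # bool is a subclass of int in Python, so keep it out of the numeric types
    if name == "integer":
        return isinstance(instance, int) and not isinstance(instance, bool)
    if name == "number":
        return isinstance(instance, (int, float)) and not isinstance(instance, bool)
    return isinstance(instance, JSON_TYPES[name])


def _resolve_ref(root, ref):
    # Only local references such as "#/defs/org" are supported
    if not ref.startswith("#/"):
        raise ValueError(f"unsupported $ref: {ref}")
    node = root
    for part in ref[2:].split("/"):
        node = node[part]
    return node


def validate(instance, schema, root=None, path="$"):
    """Return the violations as a list of strings; an empty list means valid."""
    root = schema if root is None else root
    if "$ref" in schema:
        return validate(instance, _resolve_ref(root, schema["$ref"]), root, path)
    errors = []
    if "type" in schema:
        allowed = schema["type"]
        allowed = [allowed] if isinstance(allowed, str) else allowed
        if not any(_is_type(instance, t) for t in allowed):
            errors.append(f"{path}: expected {allowed}, got {type(instance).__name__}")
            return errors  # children of a wrongly typed value are not inspected
    if isinstance(instance, dict):
        props = schema.get("properties", {})
        for key in schema.get("required", []):
            if key not in instance:
                errors.append(f"{path}: missing required key {key!r}")
        for key, value in instance.items():
            if key in props:
                errors += validate(value, props[key], root, f"{path}.{key}")
            elif schema.get("additionalProperties", True) is False:
                errors.append(f"{path}: unexpected key {key!r}")
    elif isinstance(instance, list):
        if "items" in schema:
            for i, item in enumerate(instance):
                errors += validate(item, schema["items"], root, f"{path}[{i}]")
        if schema.get("uniqueItems"):
            canonical = {json.dumps(x, sort_keys=True) for x in instance}
            if len(canonical) != len(instance):
                errors.append(f"{path}: items are not unique")
    return errors


SCHEMA = {  # constructed fragment, see module docstring
    "$schema": "http://json-schema.org/draft-04/schema#",
    "defs": {
        "org": {"type": "object", "additionalProperties": False,
                "properties": {"id": {"type": "string"}, "name": {"type": "string"},
                               "uuid": {"type": "string"}},
                "required": ["uuid"]},
        "tag": {"type": "object", "additionalProperties": False,
                "properties": {"id": {"type": "string"}, "name": {"type": "string"},
                               "colour": {"type": "string"},
                               "exportable": {"type": "boolean"}}},
    },
    "type": "object", "additionalProperties": False,
    "properties": {"Org": {"$ref": "#/defs/org"},
                   "Tag": {"type": "array", "uniqueItems": True,
                           "items": {"$ref": "#/defs/tag"}}},
}

# Constructed documents: one well-formed, one carrying several violations
GOOD_DOC = {
    "Org": {"id": "2", "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"},
    "Tag": [{"exportable": True, "colour": "#ffffff", "name": "tlp:white", "id": "2"}],
}
BAD_DOC = {
    "Org": {"id": 2, "name": "CIRCL"},  # id is a number and uuid is missing
    "Tag": [{"exportable": "yes", "name": "tlp:white", "colour": "#ffffff",
             "id": "2", "extra": 1}],  # wrong type and an unknown key
    "Unknown": {},  # rejected by additionalProperties
}


def check(document):
    """Validate a document against SCHEMA and return the violation list."""
    return validate(document, SCHEMA)


if __name__ == "__main__":
    for problem in check(BAD_DOC):
        print(problem)
```

Each violation carries a JSONPath-style location, which is what an operator needs when a pushed event is rejected; the type check is done before descending so that a wrongly typed container yields one error instead of a cascade.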
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "title": "Validator for misp events",
  "id": "https://github.com/MISP/MISP/blob/2.4/format/2.4/schema.json",
  "defs": {
    "org": {
      "type": "object",
      "additionalProperties": false,
      "properties": {
        "id": {"type": "string"},
        "name": {"type": "string"},
        "uuid": {"type": "string"}
      },
      "required": ["uuid"]
    },
    "orgc": {
      "type": "object",
      "additionalProperties": false,
      "properties": {
        "id": {"type": "string"},
        "name": {"type": "string"},
        "uuid": {"type": "string"}
      },
      "required": ["uuid"]
    },
    "sharing_group": {
      "type": "object",
      "additionalProperties": false,
      "properties": {
        "id": {"type": "string"},
        "name": {"type": "string"},
        "releasability": {"type": "string"},
        "description": {"type": "string"},
        "uuid": {"type": "string"},
        "organisation_uuid": {"type": "string"},
        "org_id": {"type": "string"},
        "sync_user_id": {"type": "string"},
        "active": {"type": "boolean"},
        "created": {"type": "string"},
        "modified": {"type": "string"},
        "local": {"type": "boolean"},
        "roaming": {"type": "boolean"},
        "Organisation": {"$ref": "#/defs/org"},
        "SharingGroupOrg": {
          "type": "array",
          "uniqueItems": true,
          "items": {"$ref": "#/defs/sharing_group_org"}
        },
        "SharingGroupServer": {
          "type": "array",
          "uniqueItems": true,
          "items": {"$ref": "#/defs/sharing_group_server"}
        },
        "required": ["uuid"]
      },
      "required": ["uuid"]
    },
    "sharing_group_org": {
      "type": "object",
      "additionalProperties": false,
      "properties": {
        "id": {"type": "string"},
        "sharing_group_id": {"type": "string"},
        "org_id": {"type": "string"},
        "extend": {"type": "boolean"},
        "Organisation": {"$ref": "#/defs/org"}
      }
    },
    "sharing_group_server": {
      "type": "object",
      "additionalProperties": false,
      "properties": {
        "id": {"type": "string"},
        "sharing_group_id": {"type": "string"},
        "server_id": {"type": "string"},
        "all_orgs": {"type": "boolean"},
        "Server": {"$ref": "#/defs/server"}
      }
    },
    "server": {
      "type": "object",
      "additionalProperties": false,
      "properties": {
        "id": {"type": "string"},
        "url": {"type": "string"},
        "name": {"type": "string"}
      }
    },
    "object": {
      "type": "object",
      "additionalProperties": false,
      "properties": {
        "uuid": {"type": "string"},
        "name": {"type": "string"},
        "event_id": {"type": "string"},
        "description": {"type": "string"},
        "template_uuid": {"type": "string"},
        "template_version": {"type": "string"},
        "id": {"type": "string"},
        "meta-category": {"type": "string"},
        "deleted": {"type": "boolean"},
        "timestamp": {"type": "string"},
        "first_seen": {"type": "string"},
        "last_seen": {"type": "string"},
        "distribution": {"type": "string"},
        "sharing_group_id": {"type": "string"},
        "comment": {"type": "string"},
        "ObjectReference": {
          "type": "array",
          "uniqueItems": true,
          "items": {"$ref": "#/defs/objectreference"}
        },
        "Attribute": {
          "type": "array",
          "uniqueItems": true,
          "items": {"$ref": "#/defs/attribute"}
        }
      }
    },
    "sighthing": {
      "type": "object",
      "additionalProperties": false,
      "properties": {
        "id": {"type": "string"},
        "attribute_id": {"type": "string"},
        "event_id": {"type": "string"},
        "source": {"type": "string"},
        "type": {"type": "string"},
        "org_id": {"type": "string"},
        "date_sighting": {"type": "string"},
        "uuid": {"type": "string"},
        "Organisation": {"$ref": "#/defs/organisation"}
      }
    },
    "organisation": {
      "type": "object",
      "additionalProperties": false,
      "properties": {
        "id": {"type": "string"},
        "uuid": {"type": "string"},
        "name": {"type": "string"}
      }
    },
    "objectreference": {
      "type": "object",
      "additionalProperties": false,
      "properties": {
        "deleted": {"type": "boolean"},
        "object_id": {"type": "string"},
        "event_id": {"type": "string"},
        "timestamp": {"type": "string"},
        "id": {"type": "string"},
        "uuid": {"type": "string"},
        "type": {"type": "string"},
        "referenced_id": {"type": "string"},
        "referenced_uuid": {"type": "string"},
        "referenced_type": {"type": "string"},
        "relationship_type": {"type": "string"},
        "object_uuid": {"type": "string"},
        "comment": {"type": "string"},
        "Object": {"$ref": "#/defs/object"}
      }
    },
    "attribute": {
      "type": "object",
      "additionalProperties": false,
      "properties": {
        "id": {"type": "string"},
        "old_id": {"type": "string"},
        "type": {"type": "string"},
        "category": {
"type": "string" 1894 }, 1895 "to_ids": { 1896 "type": "boolean" 1897 }, 1898 "uuid": { 1899 "type": "string" 1900 }, 1901 "event_id": { 1902 "type": "string" 1903 }, 1904 "event_uuid": { 1905 "type": "string" 1906 }, 1907 "proposal_to_delete": { 1908 "type": "boolean" 1909 }, 1910 "validationIssue": { 1911 "type": "boolean" 1912 }, 1913 "Org": { 1914 "$ref": "#/defs/organisation" 1915 }, 1916 "org_id": { 1917 "type": "string" 1918 }, 1919 "distribution": { 1920 "type": "string" 1921 }, 1922 "timestamp": { 1923 "type": "string" 1924 }, 1925 "first_seen": { 1926 "type": "string" 1927 }, 1928 "last_seen": { 1929 "type": "string" 1931 }, 1932 "comment": { 1933 "type": "string" 1934 }, 1935 "sharing_group_id": { 1936 "type": "string" 1937 }, 1938 "deleted": { 1939 "type": "boolean" 1940 }, 1941 "disable_correlation": { 1942 "type": "boolean" 1943 }, 1944 "value": { 1945 "type": "string" 1946 }, 1947 "data": { 1948 "type": "string" 1949 }, 1950 "object_relation": { 1951 "type": ["string", "null"] 1952 }, 1953 "object_id": { 1954 "type": "string" 1955 }, 1956 "SharingGroup": { 1957 "$ref": "#/defs/sharing_group" 1958 }, 1959 "ShadowAttribute": { 1960 "type": "array", 1961 "uniqueItems": true, 1962 "items": { 1963 "$ref": "#/defs/attribute" 1964 } 1965 }, 1966 "Sighting": { 1967 "type": "array", 1968 "uniqueItems": true, 1969 "items": { 1970 "$ref": "#/defs/sighthing" 1971 } 1972 }, 1973 "Galaxy": { 1974 "type": "array", 1975 "uniqueItems": true, 1976 "items": { 1977 "$ref": "#/defs/galaxy" 1978 } 1980 }, 1981 "Tag": { 1982 "uniqueItems": true, 1983 "type": "array", 1984 "items": { 1985 "$ref": "#/defs/tag" 1986 } 1987 } 1988 } 1989 }, 1990 "event": { 1991 "type": "object", 1992 "additionalProperties": false, 1993 "properties": { 1994 "id": { 1995 "type": "string" 1996 }, 1997 "orgc_id": { 1998 "type": "string" 1999 }, 2000 "org_id": { 2001 "type": "string" 2002 }, 2003 "date": { 2004 "type": "string" 2005 }, 2006 "extends_uuid": { 2007 "type": "string" 2008 }, 2009 
"threat_level_id": { 2010 "type": "string" 2011 }, 2012 "info": { 2013 "type": "string" 2014 }, 2015 "published": { 2016 "type": "boolean" 2017 }, 2018 "uuid": { 2019 "type": "string" 2020 }, 2021 "attribute_count": { 2022 "type": "string" 2023 }, 2024 "analysis": { 2025 "type": "string" 2026 }, 2027 "timestamp": { 2028 "type": "string" 2029 }, 2030 "distribution": { 2031 "type": "string" 2032 }, 2033 "proposal_email_lock": { 2034 "type": "boolean" 2035 }, 2036 "locked": { 2037 "type": "boolean" 2038 }, 2039 "publish_timestamp": { 2040 "type": "string" 2041 }, 2042 "sharing_group_id": { 2043 "type": "string" 2044 }, 2045 "disable_correlation": { 2046 "type": "boolean" 2047 }, 2048 "event_creator_email": { 2049 "type": "string" 2050 }, 2051 "Org": { 2052 "$ref": "#/defs/org" 2053 }, 2054 "Orgc": { 2055 "$ref": "#/defs/org" 2056 }, 2057 "SharingGroup": { 2058 "$ref": "#/defs/sharing_group" 2059 }, 2060 "Attribute": { 2061 "type": "array", 2062 "uniqueItems": true, 2063 "items": { 2064 "$ref": "#/defs/attribute" 2065 } 2066 }, 2067 "ShadowAttribute": { 2068 "type": "array", 2069 "uniqueItems": true, 2070 "items": { 2071 "$ref": "#/defs/attribute" 2072 } 2073 }, 2074 "RelatedEvent": { 2075 "type": "array", 2076 "uniqueItems": true, 2077 "items": { 2078 "type": "object", 2079 "additionalProperties": false, 2080 "properties": { 2081 "Event":{ 2082 "$ref": "#/defs/event" 2083 } 2084 } 2085 } 2086 }, 2087 "Galaxy": { 2088 "type": "array", 2089 "uniqueItems": true, 2090 "items": { 2091 "$ref": "#/defs/galaxy" 2092 } 2093 }, 2094 "Object": { 2095 "type": "array", 2096 "uniqueItems": true, 2097 "items": { 2098 "$ref": "#/defs/object" 2099 } 2100 }, 2101 "Tag": { 2102 "type": "array", 2103 "uniqueItems": true, 2104 "items": { 2105 "$ref": "#/defs/tag" 2106 } 2107 } 2108 } 2109 }, 2110 "tag": { 2111 "type": "object", 2112 "additionalProperties": false, 2113 "properties": { 2114 "id": { 2115 "type": "string" 2116 }, 2117 "name": { 2118 "type": "string" 2119 }, 2120 "colour": { 
2121 "type": "string" 2122 }, 2123 "exportable": { 2124 "type": "boolean" 2125 }, 2126 "hide_tag": { 2127 "type": "boolean" 2128 }, 2129 "user_id": { 2130 "type": "string" 2131 } 2132 } 2133 }, 2134 "galaxy": { 2135 "type": "object", 2136 "additionalProperties": false, 2137 "properties": { 2138 "id": { 2139 "type": "string" 2140 }, 2141 "uuid": { 2142 "type": "string" 2143 }, 2144 "name": { 2145 "type": "string" 2146 }, 2147 "type": { 2148 "type": "string" 2149 }, 2150 "description": { 2151 "type": "string" 2152 }, 2153 "version": { 2154 "type": "string" 2155 }, 2156 "icon": { 2157 "type": "string" 2158 }, 2159 "namespace": { 2160 "type": "string" 2161 }, 2162 "GalaxyCluster": { 2163 "type": "array", 2164 "uniqueItems": true, 2165 "items": { 2166 "$ref": "#/defs/galaxy_cluster" 2167 } 2168 } 2169 } 2170 }, 2171 "galaxy_cluster": { 2172 "type": "object", 2173 "additionalProperties": false, 2174 "properties": { 2175 "id": { 2176 "type": "string" 2177 }, 2178 "uuid": { 2179 "type": "string" 2180 }, 2181 "type": { 2182 "type": "string" 2183 }, 2184 "value": { 2185 "type": "string" 2186 }, 2187 "tag_name": { 2188 "type": "string" 2189 }, 2190 "description": { 2191 "type": "string" 2192 }, 2193 "galaxy_id": { 2194 "type": "string" 2195 }, 2196 "version": { 2197 "type": "string" 2198 }, 2199 "source": { 2200 "type": "string" 2201 }, 2202 "authors": { 2203 "type": "array", 2204 "uniqueItems": true, 2205 "items": { 2206 "type": "string" 2207 } 2208 }, 2209 "tag_id": { 2210 "type": "string" 2211 }, 2212 "meta": { 2213 "type": "object" 2214 } 2215 } 2216 } 2217 }, 2218 "type": "object", 2219 "properties": { 2220 "Event": { 2221 "$ref": "#/defs/event" 2222 } 2223 }, 2224 "required": [ 2225 "Event" 2226 ] 2227 } 2229 4. Manifest 2231 MISP events can be shared over an HTTP repository, a file package or 2232 USB key. A manifest file is used to provide an index of MISP events 2233 allowing to only fetch the recently updated files without the need to 2234 parse each json file. 
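   As an added example that is not part of this draft or of the MISP
   project's code, the following Python shows how a consumer of such a
   directory can use the manifest defensively: it checks the fields
   Section 4.1 marks as MUST and compares each event file against its
   integrity:sha256 entry before any event JSON is parsed.  The sample
   manifest, event bytes, organisation and uuid-like keys are constructed
   in memory for the example; integrity:pgp verification is out of scope
   here.

```python
import hashlib
import json

# Fields that Section 4.1 marks as MUST for every manifest entry.
MUST_FIELDS = ("info", "Orgc", "timestamp", "date")

def check_entry(entry, raw_event):
    """Problems found for one manifest entry (empty list = OK). The hash is
    compared on the raw bytes, so json.loads() never sees an unverified file."""
    issues = ["missing MUST field '%s'" % f for f in MUST_FIELDS if f not in entry]
    if raw_event is None:
        issues.append("event file not found")
    elif "integrity:sha256" not in entry:
        issues.append("no integrity:sha256 (SHOULD), cannot verify")
    elif hashlib.sha256(raw_event).hexdigest() != entry["integrity:sha256"].lower():
        issues.append("integrity:sha256 mismatch")
    return issues

def load_verified_events(manifest, event_files):
    """Parse only the event files whose manifest entry passed every check.
    manifest: parsed manifest.json (uuid -> entry); event_files: uuid -> raw
    bytes of "<uuid>.json" (in memory here, read from the directory in real use).
    Returns (events, rejected): uuid -> parsed event, uuid -> list of problems."""
    events, rejected = {}, {}
    for uuid, entry in manifest.items():
        issues = check_entry(entry, event_files.get(uuid))
        if issues:
            rejected[uuid] = issues
        else:
            events[uuid] = json.loads(event_files[uuid])
    return events, rejected

def build_sample():
    """Constructed sample data (not from the draft): an intact event, one
    altered after its hash was recorded, and an entry missing 'info'.
    The keys "uuid-a" etc. stand in for real event uuids."""
    good = json.dumps({"Event": {"info": "sample event A"}}).encode()
    orig_b = json.dumps({"Event": {"info": "sample event B"}}).encode()
    h_good, h_b = (hashlib.sha256(x).hexdigest() for x in (good, orig_b))
    orgc = {"id": "1", "name": "EXAMPLE-ORG", "uuid": "00000000-0000-4000-8000-000000000001"}
    base = {"Orgc": orgc, "timestamp": "1577836800", "date": "2020-01-01"}
    manifest = {
        "uuid-a": dict(base, info="sample event A", **{"integrity:sha256": h_good}),
        "uuid-b": dict(base, info="sample event B", **{"integrity:sha256": h_b}),
        "uuid-c": dict(base, **{"integrity:sha256": h_good}),
    }
    # File B is modified after the manifest recorded its hash (tampering).
    event_files = {"uuid-a": good, "uuid-b": orig_b.replace(b"B", b"X"), "uuid-c": good}
    return manifest, event_files
```

   Only the intact event is parsed; the tampered file and the entry that
   lacks a MUST field are reported with the reason for rejection.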
4.1.  Format

   A manifest file is a simple JSON file named manifest.json in the
   directory where the MISP events are located.  Each MISP event is a
   file in the same directory, named after the event uuid with the json
   extension.

   The manifest format is a JSON object composed of a dictionary whose
   keys are the uuids of the events.

   Each uuid maps to a JSON object with the following fields, which are
   taken from the original event referenced by the same uuid:

   o  info (MUST)

   o  Orgc object (MUST)

   o  analysis (SHALL)

   o  timestamp (MUST)

   o  date (MUST)

   o  threat_level_id (SHALL)

   In addition to the fields originating from the event, the following
   fields can be added:

   o  integrity:sha256 represents the SHA256 value, in hexadecimal
      representation, of the associated MISP event file, to ensure the
      integrity of the file.  (SHOULD)

   o  integrity:pgp represents a detached PGP signature [RFC4880] of the
      associated MISP event file, to ensure the integrity of the file.
      (SHOULD)

   If a detached PGP signature is used for each MISP event, a detached
   PGP signature MUST also be provided for the manifest file itself, to
   ensure its integrity.  The detached PGP signature for a manifest file
   is a manifest.json.asc file containing the PGP signature.

4.1.1.  Sample Manifest

   {
     "57c6ac4c-c60c-4f79-a38f-b666950d210f": {
       "info": "Malspam 2016-08-31 (.wsf in .zip) - campaign: Photo",
       "Orgc": {
         "id": "2",
         "name": "CIRCL",
         "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
       },
       "analysis": "0",
       "Tag": [
         {
           "colour": "#3d7a00",
           "name": "circl:incident-classification=\"malware\""
         },
         {
           "colour": "#ffffff",
           "name": "tlp:white"
         }
       ],
       "timestamp": "1472638251",
       "date": "2016-08-31",
       "threat_level_id": "3"
     },
     "5720accd-dd28-45f8-80e5-4605950d210f": {
       "info": "Malspam 2016-04-27 - Locky",
       "Orgc": {
         "id": "2",
         "name": "CIRCL"
       },
       "analysis": "2",
       "Tag": [
         {
           "colour": "#ffffff",
           "name": "tlp:white"
         },
         {
           "colour": "#3d7a00",
           "name": "circl:incident-classification=\"malware\""
         },
         {
           "colour": "#2c4f00",
           "name": "malware_classification:malware-category=\"Ransomware\""
         }
       ],
       "timestamp": "1461764231",
       "date": "2016-04-27",
       "threat_level_id": "3"
     }
   }

5.  Implementation

   The MISP format is implemented by different software, including the
   MISP threat sharing platform and libraries like PyMISP [MISP-P].
   Implementations use the format as an export/import mechanism, as a
   staging transport format, or as a synchronisation format, as the MISP
   core platform does.  The MISP format does not impose any restriction
   on how other implementations represent the data in their own data
   structures.

6.  Security Considerations

   MISP events might contain sensitive or confidential information.
   Adequate access control and encryption measures shall be implemented
   to ensure the confidentiality of the MISP events.

   Adversaries might include malicious content in MISP events and
   attributes.
   Implementations MUST take into account malicious inputs in addition
   to the standard threat information, which might itself already
   include deliberately malicious content.

7.  Acknowledgements

   The authors wish to thank all the MISP community who are supporting
   the creation of open standards in threat intelligence sharing.  A
   special thanks to Nicolas Bareil for the review of the JSON Schema.

9.  References

9.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC4122]  Leach, P., Mealling, M., and R. Salz, "A Universally
              Unique IDentifier (UUID) URN Namespace", RFC 4122,
              DOI 10.17487/RFC4122, July 2005.

   [RFC4880]  Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R.
              Thayer, "OpenPGP Message Format", RFC 4880,
              DOI 10.17487/RFC4880, November 2007.

   [RFC8259]  Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
              Interchange Format", STD 90, RFC 8259,
              DOI 10.17487/RFC8259, December 2017.

9.2.  Informative References

   [JSON-SCHEMA]
              "JSON Schema: A Media Type for Describing JSON Documents",
              2016.

   [MISP-P]   MISP, "MISP Project - Open Source Threat Intelligence
              Platform and Open Standards For Threat Information
              Sharing".

   [MISP-R]   MISP, "MISP Object Relationship Types - common vocabulary
              of relationships".

   [MISP-T]   MISP, "MISP Taxonomies - shared and common vocabularies of
              tags".
Authors' Addresses

   Alexandre Dulaunoy
   Computer Incident Response Center Luxembourg
   16, bd d'Avranches
   Luxembourg  L-1160
   Luxembourg

   Phone: +352 247 88444
   Email: alexandre.dulaunoy@circl.lu


   Andras Iklody
   Computer Incident Response Center Luxembourg
   16, bd d'Avranches
   Luxembourg  L-1160
   Luxembourg

   Phone: +352 247 88444
   Email: andras.iklody@circl.lu