Network Working Group                                        A. Dulaunoy
Internet-Draft                                                 A. Iklody
Expires: June 27, 2021                                             CIRCL
                                                       December 24, 2020

MISP core format
draft-dulaunoy-misp-core-format-13

Abstract

This document describes the MISP core format used to exchange indicators and threat information between MISP (Open Source Threat Intelligence Sharing Platform, formerly known as Malware Information Sharing Platform) instances. The JSON format includes the overall structure along with the semantics associated with each respective key. The format is described to support other implementations which reuse the format and to ensure interoperability with existing MISP [MISP-P] software and other Threat Intelligence Platforms.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on June 27, 2021.

Copyright Notice

Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

1. Introduction
   1.1. Conventions and Terminology
2. Format
   2.1. Overview
   2.2. Event
      2.2.1. Event Attributes
   2.3. Objects
      2.3.1. Org
      2.3.2. Orgc
   2.4. Attribute
      2.4.1. Sample Attribute Object
      2.4.2. Attribute Attributes
   2.5. ShadowAttribute
      2.5.1. Sample Attribute Object
      2.5.2. ShadowAttribute Attributes
      2.5.3. Org
   2.6. Object
      2.6.1. Sample Object
      2.6.2. Object Attributes
   2.7. Object References
      2.7.1. Sample ObjectReference object
      2.7.2. ObjectReference Attributes
   2.8. EventReport
      2.8.1. id
      2.8.2. UUID
      2.8.3. event_id
      2.8.4. name
      2.8.5. content
      2.8.6. distribution
      2.8.7. sharing_group_id
      2.8.8. timestamp
      2.8.9. deleted
   2.9. Tag
      2.9.1. Sample Tag
   2.10. Sighting
      2.10.1. Sample Sighting
   2.11. Galaxy
      2.11.1. Sample Galaxy
3. JSON Schema
4. Manifest
   4.1. Format
      4.1.1. Sample Manifest
5. Implementation
6. Security Considerations
7. Acknowledgements
8. References
9. References
   9.1. Normative References
   9.2. Informative References
Authors' Addresses

1. Introduction

Sharing threat information has become a fundamental requirement in the Internet, security and intelligence communities at large.
Threat information can include indicators of compromise, malicious file indicators, financial fraud indicators or even detailed information about a threat actor. MISP [MISP-P] started as an open source project in late 2011 and the MISP format has come to be widely used as an exchange format within the community over the past years. The aim of this document is to describe the specification of the MISP core format.

1.1. Conventions and Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

2. Format

2.1. Overview

The MISP core format is in the JSON [RFC8259] format. In MISP, an event is composed of a single JSON object.

A capitalised key (like Event, Org) represents a data model and a non-capitalised key is just an attribute. This nomenclature can support an implementation to represent the MISP format in another data structure.

2.2. Event

An event is a simple meta structure scheme where attributes and meta-data are embedded to compose a coherent set of indicators. An event can be composed from an incident, a security analysis report or a specific threat actor analysis. The meaning of an event depends only on the information embedded in the event.

2.2.1. Event Attributes

2.2.1.1. uuid

uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the event. The uuid MUST be preserved for any updates or transfer of the same event. UUID version 4 is RECOMMENDED when assigning it to a new event.

uuid is represented as a JSON string. uuid MUST be present.

2.2.1.2. id

id represents the human-readable identifier associated with the event for a specific MISP instance. A human-readable identifier MUST be represented as an unsigned integer.

id is represented as a JSON string. id SHALL be present.

2.2.1.3. published

published represents the event publication state. If the event was published, the published value MUST be true. In any other publication state, the published value MUST be false.

published is represented as a JSON boolean. published MUST be present.

2.2.1.4. info

info represents the information field of the event. info is a free-text value to provide a human-readable summary of the event. info SHOULD NOT be bigger than 256 characters and SHOULD NOT include newlines.

info is represented as a JSON string. info MUST be present.

2.2.1.5. threat_level_id

threat_level_id represents the threat level.

   4: Undefined
   3: Low
   2: Medium
   1: High

If a higher granularity is required, a MISP taxonomy applied as a Tag SHOULD be preferred.

threat_level_id is represented as a JSON string. threat_level_id SHALL be present.

2.2.1.6. analysis

analysis represents the analysis level.

   0: Initial
   1: Ongoing
   2: Complete

If a higher granularity is required, a MISP taxonomy applied as a Tag SHOULD be preferred.

analysis is represented as a JSON string. analysis SHALL be present.

2.2.1.7. date

date represents a reference date of the event in ISO 8601 format (date only: YYYY-MM-DD). This date corresponds to the date the event occurred, which may be in the past.

date is represented as a JSON string. date MUST be present.

2.2.1.8. timestamp

timestamp represents a reference time when the event, or one of the attributes within the event, was created or last updated/edited on the instance. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone MUST be UTC.

timestamp is represented as a JSON string. timestamp MUST be present.

2.2.1.9. publish_timestamp

publish_timestamp represents a reference time when the event was published on the instance. publish_timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). At each publication of an event, publish_timestamp MUST be updated. The time zone MUST be UTC. If publish_timestamp is present and the published flag is set to false, publish_timestamp represents the previous publication timestamp. If the event was never published, publish_timestamp MUST be set to 0.

publish_timestamp is represented as a JSON string. publish_timestamp MUST be present.

2.2.1.10. org_id

org_id represents a human-readable identifier referencing an Org object of the organisation which generated the event. A human-readable identifier MUST be represented as an unsigned integer.

The org_id MUST be updated when the event is generated by a new instance.

org_id is represented as a JSON string. org_id MUST be present.

2.2.1.11. orgc_id

orgc_id represents a human-readable identifier referencing an Orgc object of the organisation which created the event.

The orgc_id and Org object MUST be preserved for any updates or transfer of the same event.

orgc_id is represented as a JSON string. orgc_id MUST be present.

2.2.1.12. attribute_count

attribute_count represents the number of attributes in the event. attribute_count is expressed in decimal.

attribute_count is represented as a JSON string. attribute_count SHALL be present.

2.2.1.13. distribution

distribution represents the basic distribution rules of the event. The system must adhere to the distribution setting for access control and for dissemination of the event.

distribution is represented by a JSON string. distribution MUST be present and be one of the following options:

   0: Your Organisation Only
   1: This Community Only
   2: Connected Communities
   3: All Communities
   4: Sharing Group

2.2.1.14. sharing_group_id

sharing_group_id represents a human-readable identifier referencing a Sharing Group object that defines the distribution of the event, if distribution level "4" is set. A human-readable identifier MUST be represented as an unsigned integer.

sharing_group_id is represented by a JSON string and SHOULD be present. If a distribution level other than "4" is chosen, the sharing_group_id MUST be set to "0".

2.2.1.15. extends_uuid

extends_uuid represents which event is extended by this event. The extends_uuid is described as a Universally Unique IDentifier (UUID) [RFC4122] with the UUID of the extended event.

extends_uuid is represented as a JSON string. extends_uuid SHOULD be present.

2.3. Objects

2.3.1. Org

An Org object is composed of a uuid, name and id.

The uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the organisation. The organisation UUID is globally assigned to an organisation and SHALL be kept over time.

The name is a readable description of the organisation and SHOULD be present. The id is a human-readable identifier generated by the instance and used as reference in the event. A human-readable identifier MUST be represented as an unsigned integer.

uuid, name and id are represented as JSON strings. uuid, name and id MUST be present.

2.3.1.1. Sample Org Object

   "Org": {
     "id": "2",
     "name": "CIRCL",
     "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
   }

2.3.2. Orgc

An Orgc object is composed of a uuid, name and id.

The uuid MUST be preserved for any updates or transfer of the same event. UUID version 4 is RECOMMENDED when assigning it to a new event.
The organisation UUID is globally assigned to an organisation and SHALL be kept over time.

The name is a readable description of the organisation and SHOULD be present. The id is a human-readable identifier generated by the instance and used as reference in the event. A human-readable identifier MUST be represented as an unsigned integer.

uuid, name and id are represented as JSON strings. uuid, name and id MUST be present.

2.4. Attribute

Attributes are used to describe the indicators and contextual data of an event. The main information contained in an attribute is made up of a category-type-value triplet, where the category and type give meaning and context to the value. Through the various category-type combinations a wide range of information can be conveyed.

A MISP document MUST at least include the category-type-value triplet described in section "Attribute Attributes".

2.4.1. Sample Attribute Object

   "Attribute": {
     "id": "346056",
     "type": "comment",
     "category": "Other",
     "to_ids": false,
     "uuid": "57f4f6d9-cd20-458b-84fd-109ec0a83869",
     "event_id": "3357",
     "distribution": "5",
     "timestamp": "1475679332",
     "comment": "",
     "sharing_group_id": "0",
     "deleted": false,
     "value": "Hello world",
     "SharingGroup": [],
     "ShadowAttribute": [],
     "RelatedAttribute": [],
     "first_seen": "2019-06-02T22:14:28.711954+00:00",
     "last_seen": null
   }

2.4.2. Attribute Attributes

2.4.2.1. uuid

uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the event. The uuid MUST be preserved for any updates or transfer of the same event. UUID version 4 is RECOMMENDED when assigning it to a new event.

uuid is represented as a JSON string. uuid MUST be present.

2.4.2.2. id

id represents the human-readable identifier associated with the event for a specific MISP instance. A human-readable identifier MUST be represented as an unsigned integer.

id is represented as a JSON string. id SHALL be present.

2.4.2.3. type

type represents the means through which an attribute tries to describe the intent of the attribute creator, using a list of pre-defined attribute types.

type is represented as a JSON string. type MUST be present and it MUST be a valid selection for the chosen category. The list of valid category-type combinations is as follows:

Antivirus detection
   link, comment, text, hex, attachment, other, anonymised

Artifacts dropped
   md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, filename-pattern, pdb, stix2-pattern, yara, sigma, attachment, malware-sample, named pipe, mutex, process-state, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene, kusto-query, mime-type, anonymised, pgp-public-key, pgp-private-key

Attribution
   threat-actor, campaign-name, campaign-id, whois-registrant-phone, whois-registrant-email, whois-registrant-name, whois-registrant-org, whois-registrar, whois-creation-date, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, dns-soa-email, anonymised, email

External analysis
   md5, sha1, sha256, sha3-224, sha3-256, sha3-384, sha3-512, filename, filename|md5, filename|sha1, filename|sha256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, ip-src, ip-dst, ip-dst|port, ip-src|port, mac-address, mac-eui-64, hostname, domain, domain|ip, url, user-agent, regkey, regkey|value, AS, snort, bro, zeek, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, vulnerability, cpe, weakness, attachment, malware-sample, link, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, github-repository, other, cortex, anonymised, community-id

Financial fraud
   btc, dash, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, phone-number, comment, text, other, hex, anonymised

Internal reference
   text, link, comment, other, hex, anonymised, git-commit-id

Network activity
   ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email, email-dst, email-src, eppn, url, uri, user-agent, http-method, AS, snort, pattern-in-file, filename-pattern, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised, community-id, email-subject, favicon-mmh3

Other
   comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean, anonymised, pgp-public-key, pgp-private-key

Payload delivery
   md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, filename-pattern, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised

Payload installation
   md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma, vulnerability, cpe, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, chrome-extension-id, other, mime-type, anonymised

Payload type
   comment, text, other, anonymised

Persistence mechanism
   filename, regkey, regkey|value, comment, text, other, hex, anonymised

Person
   first-name, middle-name, last-name, date-of-birth, place-of-birth, gender, passport-number, passport-country, passport-expiration, redress-number, nationality, visa-number, issue-date-of-the-visa, primary-residence, country-of-residence, special-service-request, frequent-flyer-number, travel-details, payment-details, place-port-of-original-embarkation, place-port-of-clearance, place-port-of-onward-foreign-destination, passenger-name-record-locator-number, comment, text, other, phone-number, identity-card-number, anonymised, email, pgp-public-key, pgp-private-key

Social network
   github-username, github-repository, github-organisation, jabber-id, twitter-id, email, email-src, email-dst, eppn, comment, text, other, whois-registrant-email, anonymised, pgp-public-key, pgp-private-key

Support Tool
   link, text, attachment, comment, other, hex, anonymised

Targeting data
   target-user, target-email, target-machine, target-org, target-location, target-external, comment, anonymised

Attributes are based on the usage within their different communities. Attributes can be extended on a regular basis and this reference document is updated accordingly.

2.4.2.4. category

category represents the intent of what the attribute is describing as selected by the attribute creator, using a list of pre-defined attribute categories.

category is represented as a JSON string. category MUST be present and it MUST be a valid selection for the chosen type. The list of valid category-type combinations is mentioned above.

2.4.2.5. to_ids

to_ids represents whether the attribute is meant to be actionable. Actionable attributes are attributes that can be used in automated processes as a pattern for detection in local or network intrusion detection systems, log analysis tools or even filtering mechanisms.

to_ids is represented as a JSON boolean. to_ids MUST be present.

2.4.2.6. event_id

event_id represents a human-readable identifier referencing the Event object that the attribute belongs to. A human-readable identifier MUST be represented as an unsigned integer.

The event_id SHOULD be updated when the event is imported to reflect the newly created event's id on the instance.

event_id is represented as a JSON string. event_id MUST be present.

2.4.2.7. distribution

distribution represents the basic distribution rules of the attribute. The system must adhere to the distribution setting for access control and for dissemination of the attribute.

distribution is represented by a JSON string. distribution MUST be present and be one of the following options:

   0: Your Organisation Only
   1: This Community Only
   2: Connected Communities
   3: All Communities
   4: Sharing Group
   5: Inherit Event

2.4.2.8. timestamp

timestamp represents a reference time when the attribute was created or last modified. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone MUST be UTC.

timestamp is represented as a JSON string. timestamp MUST be present.

2.4.2.9. comment

comment is a contextual comment field.

comment is represented by a JSON string. comment MAY be present.

2.4.2.10. sharing_group_id

sharing_group_id represents a human-readable identifier referencing a Sharing Group object that defines the distribution of the attribute, if distribution level "4" is set. A human-readable identifier MUST be represented as an unsigned integer.
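The distribution rules of 2.4.2.7 and the sharing_group_id reference above, together with the event-level rules of 2.2.1.13 and 2.2.1.14, as an added example that is not code from the MISP project: it checks an Event and its Attributes for the allowed distribution values, the "sharing_group_id MUST be '0' unless distribution is '4'" rule, and resolves the "5: Inherit Event" case. The sample event, its UUIDs and values are constructed for this example.

```python
"""Distribution and sharing-group checks for MISP Event and Attribute objects.

Added example (not code from the MISP project). It applies the rules of
sections 2.2.1.13/2.2.1.14 (event) and 2.4.2.7/2.4.2.10 (attribute):
distribution is a JSON string from the allowed set, sharing_group_id is an
unsigned-integer string that is "0" unless distribution is "4", and an
attribute distribution of "5" inherits the event's setting.
"""
import json

# Allowed distribution values, carried as JSON strings.
EVENT_DISTRIBUTION = {"0", "1", "2", "3", "4"}
ATTRIBUTE_DISTRIBUTION = EVENT_DISTRIBUTION | {"5"}   # "5" = Inherit Event
SHARING_GROUP = "4"
INHERIT_EVENT = "5"


def is_unsigned_int_string(value):
    """Human-readable identifiers are unsigned integers inside JSON strings."""
    return isinstance(value, str) and value.isdigit()


def check_distribution(obj, allowed, where):
    """Return the rule violations found in one Event or Attribute dictionary."""
    problems = []
    dist = obj.get("distribution")
    if not isinstance(dist, str) or dist not in allowed:
        problems.append(f"{where}: distribution MUST be a JSON string in "
                        f"{sorted(allowed)}, got {dist!r}")
        return problems
    sgid = obj.get("sharing_group_id")
    if sgid is None:
        # sharing_group_id SHOULD be present; absence is not a MUST violation.
        return problems
    if not is_unsigned_int_string(sgid):
        problems.append(f"{where}: sharing_group_id MUST be an unsigned "
                        f"integer in a JSON string, got {sgid!r}")
    elif dist != SHARING_GROUP and sgid != "0":
        # Only distribution "4" (Sharing Group) may reference a sharing group.
        problems.append(f"{where}: sharing_group_id MUST be \"0\" when "
                        f"distribution is {dist!r}")
    return problems


def effective_distribution(event, attribute):
    """Resolve the (distribution, sharing_group_id) pair governing an attribute.

    Distribution "5" (Inherit Event) takes the event's settings; any other
    value is the attribute's own.
    """
    if attribute.get("distribution") == INHERIT_EVENT:
        return event["distribution"], event.get("sharing_group_id", "0")
    return attribute["distribution"], attribute.get("sharing_group_id", "0")


def load_event(document):
    """A MISP document is a single JSON object keyed by "Event"."""
    return json.loads(document)["Event"]


def validate_event(document):
    """Validate a serialised MISP event and return the list of violations."""
    event = load_event(document)
    problems = check_distribution(event, EVENT_DISTRIBUTION, "Event")
    for attr in event.get("Attribute", []):
        label = f"Attribute uuid={attr.get('uuid')}"
        problems.extend(check_distribution(attr, ATTRIBUTE_DISTRIBUTION, label))
    return problems


# Constructed sample (placeholder UUIDs, documentation-range values):
# the second attribute violates the sharing_group_id rule.
SAMPLE_EVENT = json.dumps({
    "Event": {
        "uuid": "00000000-0000-4000-8000-000000000001",
        "distribution": "4",
        "sharing_group_id": "7",
        "Attribute": [
            {"uuid": "00000000-0000-4000-8000-000000000002",
             "type": "ip-src", "category": "Network activity",
             "distribution": "5", "sharing_group_id": "0",
             "value": "203.0.113.5"},
            {"uuid": "00000000-0000-4000-8000-000000000003",
             "type": "domain", "category": "Network activity",
             "distribution": "1", "sharing_group_id": "3",
             "value": "example.net"},
        ],
    }
})

if __name__ == "__main__":
    for problem in validate_event(SAMPLE_EVENT):
        print(problem)
    ev = load_event(SAMPLE_EVENT)
    print(effective_distribution(ev, ev["Attribute"][0]))   # ('4', '7')
```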
sharing_group_id is represented by a JSON string and SHOULD be present. If a distribution level other than "4" is chosen, the sharing_group_id MUST be set to "0".

2.4.2.11. deleted

deleted represents a setting that allows attributes to be revoked. Revoked attributes are not actionable and exist merely to inform other instances of a revocation.

deleted is represented by a JSON boolean. deleted MUST be present.

2.4.2.12. data

data contains the base64 encoded contents of an attachment or a malware sample. For malware samples, the sample MUST be encrypted using a password protected zip archive, with the password being "infected".

data is represented by a JSON string in base64 encoding. data MUST be set for attributes of type malware-sample and attachment.

2.4.2.13. RelatedAttribute

RelatedAttribute is an array of attributes correlating with the current attribute. Each element in the array is a JSON object which contains an Attribute dictionary with the external attributes that correlate. Each Attribute MUST include the id, org_id, info and a value. Only the correlations found on the local instance are shown in RelatedAttribute.

RelatedAttribute MAY be present.

2.4.2.14. ShadowAttribute

ShadowAttribute is an array of shadow attributes that serve as proposals by third parties to alter the containing attribute. The structure of a ShadowAttribute is similar to that of an Attribute, and it can be accepted or discarded by the event creator. If accepted, the original attribute containing the shadow attribute is removed and the shadow attribute is converted into an attribute.

Each shadow attribute that references an attribute MUST contain the containing attribute's ID in the old_id field and the event's ID in the event_id field.

2.4.2.15. value

value represents the payload of an attribute. The format of the value is dependent on the type of the attribute.

value is represented by a JSON string. value MUST be present.

2.4.2.16. first_seen

first_seen represents a reference time when the attribute was first seen. first_seen is expressed as an ISO 8601 datetime up to the microsecond with time zone support.

first_seen is represented as a JSON string. first_seen MAY be present.

2.4.2.17. last_seen

last_seen represents a reference time when the attribute was last seen. last_seen is expressed as an ISO 8601 datetime up to the microsecond with time zone support.

last_seen is represented as a JSON string. last_seen MAY be present.

2.5. ShadowAttribute

ShadowAttributes are third-party created attributes that either propose to add new information to an event or modify existing information. They are not meant to be actionable until the event creator accepts them, at which point they will be converted into attributes or modify an existing attribute.

They are similar in structure to Attributes but additionally carry a reference to the creator of the ShadowAttribute as well as a revocation flag.

2.5.1. Sample Attribute Object

   "ShadowAttribute": {
     "id": "8",
     "type": "ip-src",
     "category": "Network activity",
     "to_ids": false,
     "uuid": "57d475f1-da78-4569-89de-1458c0a83869",
     "event_uuid": "57d475e6-41c4-41ca-b450-145ec0a83869",
     "event_id": "9",
     "old_id": "319",
     "comment": "",
     "org_id": "1",
     "proposal_to_delete": false,
     "value": "5.5.5.5",
     "deleted": false,
     "Org": {
       "id": "1",
       "name": "MISP",
       "uuid": "568cce5a-0c80-412b-8fdf-1ffac0a83869"
     },
     "first_seen": "2019-06-02T22:14:28.711954+00:00",
     "last_seen": null
   }

2.5.2. ShadowAttribute Attributes

2.5.2.1. uuid

uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the event. The uuid MUST be preserved for any updates or transfer of the same event. UUID version 4 is RECOMMENDED when assigning it to a new event.

uuid is represented as a JSON string. uuid MUST be present.

2.5.2.2. id

id represents the human-readable identifier associated with the event for a specific MISP instance. A human-readable identifier MUST be represented as an unsigned integer. id is represented as a JSON string. id SHALL be present.

2.5.2.3. type

type represents the means through which an attribute tries to describe the intent of the attribute creator, using a list of pre-defined attribute types.

type is represented as a JSON string. type MUST be present and it MUST be a valid selection for the chosen category. The list of valid category-type combinations is as follows:

Antivirus detection
   link, comment, text, hex, attachment, other, anonymised

Artifacts dropped
   md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, filename-pattern, pdb, stix2-pattern, yara, sigma, attachment, malware-sample, named pipe, mutex, process-state, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene, kusto-query, mime-type, anonymised, pgp-public-key, pgp-private-key

Attribution
   threat-actor, campaign-name, campaign-id, whois-registrant-phone, whois-registrant-email, whois-registrant-name, whois-registrant-org, whois-registrar, whois-creation-date, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, dns-soa-email, anonymised, email

External analysis
   md5, sha1, sha256, sha3-224, sha3-256, sha3-384, sha3-512, filename, filename|md5, filename|sha1, filename|sha256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, ip-src, ip-dst, ip-dst|port, ip-src|port, mac-address, mac-eui-64, hostname, domain, domain|ip, url, user-agent, regkey, regkey|value, AS, snort, bro, zeek, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, vulnerability, cpe, weakness, attachment, malware-sample, link, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, github-repository, other, cortex, anonymised, community-id

Financial fraud
   btc, dash, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, phone-number, comment, text, other, hex, anonymised

Internal reference
   text, link, comment, other, hex, anonymised, git-commit-id

Network activity
   ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email, email-dst, email-src, eppn, url, uri, user-agent, http-method, AS, snort, pattern-in-file, filename-pattern, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised, community-id, email-subject, favicon-mmh3

Other
   comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean, anonymised, pgp-public-key, pgp-private-key

Payload delivery
   md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, filename-pattern, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised

Payload installation
   md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash,
filename|ssdeep, filename|tlsh, filename|imphash, 881 filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in- 882 traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, 883 sigma, vulnerability, cpe, weakness, attachment, malware-sample, 884 malware-type, comment, text, hex, x509-fingerprint-sha1, x509- 885 fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, 886 chrome-extension-id, other, mime-type, anonymised 888 Payload type 889 comment, text, other, anonymised 891 Persistence mechanism 892 filename, regkey, regkey|value, comment, text, other, hex, 893 anonymised 895 Person 896 first-name, middle-name, last-name, date-of-birth, place-of-birth, 897 gender, passport-number, passport-country, passport-expiration, 898 redress-number, nationality, visa-number, issue-date-of-the-visa, 899 primary-residence, country-of-residence, special-service-request, 900 frequent-flyer-number, travel-details, payment-details, place- 901 port-of-original-embarkation, place-port-of-clearance, place-port- 902 of-onward-foreign-destination, passenger-name-record-locator- 903 number, comment, text, other, phone-number, identity-card-number, 904 anonymised, email, pgp-public-key, pgp-private-key 906 Social network 907 github-username, github-repository, github-organisation, jabber- 908 id, twitter-id, email, email-src, email-dst, eppn, comment, text, 909 other, whois-registrant-email, anonymised, pgp-public-key, pgp- 910 private-key 912 Support Tool 913 link, text, attachment, comment, other, hex, anonymised 915 Targeting data 916 target-user, target-email, target-machine, target-org, target- 917 location, target-external, comment, anonymised 919 Attributes are based on the usage within their different communities. 920 Attributes can be extended on a regular basis and this reference 921 document is updated accordingly. 923 2.5.2.4. 
category

   category represents the intent of what the attribute is describing as
   selected by the attribute creator, using a list of pre-defined
   attribute categories.

   category is represented as a JSON string.  category MUST be present
   and it MUST be a valid selection for the chosen type.  The list of
   valid category-type combinations is given above.

2.5.2.5.  to_ids

   to_ids represents whether the Attribute that will be created if the
   ShadowAttribute is accepted is meant to be actionable.  Actionable
   attributes are attributes that can be used in automated processes as
   a pattern for detection in a host-based or network intrusion
   detection system, in log analysis tools or even in filtering
   mechanisms.

   to_ids is represented as a JSON boolean.  to_ids MUST be present.

2.5.2.6.  event_id

   event_id represents a human-readable identifier referencing the Event
   object that the ShadowAttribute belongs to.

   The event_id SHOULD be updated when the event is imported to reflect
   the newly created event's id on the instance.

   event_id is represented as a JSON string.  event_id MUST be present.

2.5.2.7.  old_id

   old_id represents a human-readable identifier referencing the
   Attribute object that the ShadowAttribute targets.  A ShadowAttribute
   can this way target an existing Attribute, implying that it is a
   proposal to modify that Attribute; alternatively it can be a proposal
   to create a new Attribute in the containing Event.

   The old_id SHOULD be updated when the event is imported to reflect
   the targeted Attribute's id on the importing instance.  If the
   ShadowAttribute proposes the creation of a new Attribute, old_id
   should be set to "0".

   old_id is represented as a JSON string.  old_id MUST be present.

2.5.2.8.  timestamp

   timestamp represents a reference time when the attribute was created
   or last modified.
timestamp is expressed in seconds (decimal) since 973 1st of January 1970 (Unix timestamp). The time zone MUST be UTC. 975 timestamp is represented as a JSON string. timestamp MUST be present. 977 2.5.2.9. comment 979 comment is a contextual comment field. 981 comment is represented by a JSON string. comment MAY be present. 983 2.5.2.10. org_id 985 org_id represents a human-readable identifier referencing the 986 proposal creator's Organisation object. A human-readable identifier 987 MUST be represented as an unsigned integer. 989 Whilst attributes can only be created by the event creator 990 organisation, shadow attributes can be created by third parties. 991 org_id tracks the creator organisation. 993 org_id is represented by a JSON string and MUST be present. 995 2.5.2.11. proposal_to_delete 997 proposal_to_delete is a boolean flag that sets whether the shadow 998 attribute proposes to alter an attribute, or whether it proposes to 999 remove it completely. 1001 Accepting a shadow attribute with this flag set will remove the 1002 target attribute. 1004 proposal_to_delete is a JSON boolean and it MUST be present. If 1005 proposal_to_delete is set to true, old_id MUST NOT be 0. 1007 2.5.2.12. deleted 1009 deleted represents a setting that allows shadow attributes to be 1010 revoked. Revoked shadow attributes only serve to inform other 1011 instances that the shadow attribute is no longer active. 1013 deleted is represented by a JSON boolean. deleted SHOULD be present. 1015 2.5.2.13. data 1017 data contains the base64 encoded contents of an attachment or a 1018 malware sample. For malware samples, the sample MUST be encrypted 1019 using a password protected zip archive, with the password being 1020 "infected". 1022 data is represented by a JSON string in base64 encoding. data MUST be 1023 set for shadow attributes of type malware-sample and attachment. 1025 2.5.2.14. first_seen 1027 first_seen represents a reference time when the attribute was first 1028 seen. 
   first_seen is expressed as an ISO 8601 datetime up to the microsecond
   with time zone support.

   first_seen is represented as a JSON string.  first_seen MAY be
   present.

2.5.2.15.  last_seen

   last_seen represents a reference time when the attribute was last
   seen.  last_seen is expressed as an ISO 8601 datetime up to the
   microsecond with time zone support.

   last_seen is represented as a JSON string.  last_seen MAY be present.

2.5.3.  Org

   An Org object is composed of a uuid, a name and an id.

   The uuid represents the Universally Unique IDentifier (UUID)
   [RFC4122] of the organisation.  The organisation UUID is globally
   assigned to an organisation and SHALL be kept over time.

   The name is a readable description of the organisation and SHOULD be
   present.  The id is a human-readable identifier generated by the
   instance and used as reference in the event.  A human-readable
   identifier MUST be represented as an unsigned integer.

   uuid, name and id are represented as JSON strings.  uuid, name and id
   MUST be present.

2.5.3.1.  Sample Org Object

   "Org": {
     "id": "2",
     "name": "CIRCL",
     "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
   }

2.5.3.2.  value

   value represents the payload of the ShadowAttribute.  The format of
   the value is dependent on the type of the attribute.

   value is represented by a JSON string.  value MUST be present.

2.6.  Object

   Objects serve as a contextual bond between a list of attributes
   within an event.  Their main purpose is to describe more complex
   structures than can be described by a single attribute.  Each object
   is created using an Object Template and carries the meta-data of the
   template used for its creation within.  Objects belong to a meta-
   category and are defined by a name.

   The schema used is described by the template_uuid and
   template_version fields.
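   The acceptance rules of Section 2.5 (a proposal with old_id "0"
   creates a new Attribute, a proposal with another old_id modifies that
   Attribute, and a proposal with proposal_to_delete removes it) in
   working form, as an added example; this is not code from this
   document or from the MISP project.  It uses only the Python standard
   library.  The event and the proposals are constructed here (the
   first proposal mirrors the sample ShadowAttribute above, the other
   uuids are synthetic), and the choice to reuse the proposal's uuid for
   a newly created Attribute is an assumption the draft does not state.

```python
"""Acceptance of ShadowAttribute proposals (draft Section 2.5).
Added example, standard library only; event and proposals are constructed."""
import copy
from datetime import datetime

REQUIRED = ("uuid", "type", "category", "to_ids", "event_id", "old_id",
            "org_id", "proposal_to_delete", "value")


def is_uint(value):
    """Human-readable identifiers are unsigned integers carried as JSON strings."""
    return isinstance(value, str) and value.isdigit()


def validate_shadow_attribute(sa):
    """Return the list of rule violations for one proposal ([] if well-formed)."""
    problems = [f"missing {k}" for k in REQUIRED if k not in sa]
    if problems:
        return problems
    problems += [f"{k} must be an unsigned integer string"
                 for k in ("event_id", "old_id", "org_id") if not is_uint(sa[k])]
    if not (isinstance(sa["to_ids"], bool) and isinstance(sa["proposal_to_delete"], bool)):
        problems.append("to_ids and proposal_to_delete must be JSON booleans")
    if sa["proposal_to_delete"] is True and sa["old_id"] == "0":   # 2.5.2.11
        problems.append("proposal_to_delete requires old_id != 0")
    if sa["type"] in ("malware-sample", "attachment") and not sa.get("data"):
        problems.append("data MUST be set for malware-sample/attachment")  # 2.5.2.13
    for k in ("first_seen", "last_seen"):   # ISO 8601 with offset, e.g. ...+00:00
        try:
            if sa.get(k) is not None:
                datetime.fromisoformat(sa[k])
        except (ValueError, TypeError):
            problems.append(f"{k} is not an ISO 8601 datetime")
    return problems


def accept_proposal(event, sa):
    """Apply one accepted proposal to a copy of the event and return the copy."""
    problems = validate_shadow_attribute(sa)
    if problems:
        raise ValueError("; ".join(problems))
    if sa["event_id"] != event["id"]:
        raise ValueError("proposal targets another event")
    if sa.get("deleted"):
        raise ValueError("proposal has been revoked")
    ev = copy.deepcopy(event)
    attrs = ev["Attribute"]
    if sa["old_id"] == "0":
        # Proposal to create a new Attribute.  Assumption: the new Attribute
        # reuses the proposal's uuid and takes the next free local id.
        attrs.append({
            "id": str(max((int(a["id"]) for a in attrs), default=0) + 1),
            "uuid": sa["uuid"], "event_id": ev["id"], "type": sa["type"],
            "category": sa["category"], "to_ids": sa["to_ids"],
            "value": sa["value"], "comment": sa.get("comment", ""),
            "deleted": False, "first_seen": sa.get("first_seen"),
            "last_seen": sa.get("last_seen")})
        return ev
    target = next((a for a in attrs if a["id"] == sa["old_id"]), None)
    if target is None:
        raise ValueError(f"old_id {sa['old_id']} is not an Attribute of this event")
    if sa["proposal_to_delete"]:
        attrs.remove(target)   # accepting a deletion proposal removes the target
        return ev
    for k in ("type", "category", "to_ids", "value", "comment", "first_seen", "last_seen"):
        if k in sa:
            target[k] = sa[k]
    return ev


def process_proposals(event, proposals):
    """Accept proposals in order; return (updated event, {proposal id: rejection reason})."""
    rejected = {}
    for sa in proposals:
        try:
            event = accept_proposal(event, sa)
        except ValueError as exc:
            rejected[sa.get("id", "?")] = str(exc)
    return event, rejected


# Constructed sample data (synthetic uuids except where noted).
SAMPLE_EVENT = {
    "id": "9", "uuid": "57d475e6-41c4-41ca-b450-145ec0a83869",
    "Attribute": [{
        "id": "319", "uuid": "00000000-0000-4000-8000-000000000319", "event_id": "9",
        "type": "ip-src", "category": "Network activity", "to_ids": True,
        "value": "5.5.5.4", "comment": "", "deleted": False,
        "first_seen": None, "last_seen": None}]}
PROPOSALS = [
    {"id": "8", "uuid": "57d475f1-da78-4569-89de-1458c0a83869", "event_id": "9",  # draft sample
     "old_id": "319", "org_id": "1", "type": "ip-src", "category": "Network activity",
     "to_ids": False, "proposal_to_delete": False, "value": "5.5.5.5", "comment": "",
     "deleted": False, "first_seen": "2019-06-02T22:14:28.711954+00:00", "last_seen": None},
    {"id": "9", "uuid": "00000000-0000-4000-8000-000000000009", "event_id": "9",  # create
     "old_id": "0", "org_id": "2", "type": "domain", "category": "Network activity",
     "to_ids": True, "proposal_to_delete": False, "value": "example.com", "deleted": False},
    {"id": "10", "uuid": "00000000-0000-4000-8000-000000000010", "event_id": "9",  # invalid
     "old_id": "0", "org_id": "2", "type": "ip-dst", "category": "Network activity",
     "to_ids": True, "proposal_to_delete": True, "value": "5.5.5.6", "deleted": False}]

if __name__ == "__main__":
    updated, rejected = process_proposals(SAMPLE_EVENT, PROPOSALS)
    print([(a["id"], a["type"], a["value"]) for a in updated["Attribute"]], rejected)
```

   The original event is never mutated: each accepted proposal works on
   a deep copy, so a rejected proposal in the middle of a batch cannot
   leave a half-applied event behind.  The third proposal is rejected
   because a deletion proposal with old_id "0" has no target, which is
   exactly the MUST NOT of Section 2.5.2.11.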
   A MISP document containing an Object MUST contain a name, a meta-
   category, a description, a template_uuid and a template_version as
   described in the "Object Attributes" section.

2.6.1.  Sample Object

   "Object": {
     "id": "588",
     "name": "file",
     "meta-category": "file",
     "description": "File object describing a file with meta-information",
     "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
     "template_version": "3",
     "event_id": "56",
     "uuid": "398b0094-0384-4c48-9bf0-22b3dff9c4d3",
     "timestamp": "1505747965",
     "distribution": "5",
     "sharing_group_id": "0",
     "comment": "",
     "deleted": false,
     "first_seen": "2019-06-02T22:14:28.711954+00:00",
     "last_seen": null,
     "ObjectReference": [],
     "Attribute": [
       {
         "id": "7822",
         "type": "filename",
         "category": "Payload delivery",
         "to_ids": true,
         "uuid": "59bfe3fb-bde0-4dfe-b5b1-2b10a07724d1",
         "event_id": "56",
         "distribution": "0",
         "timestamp": "1505747963",
         "comment": "",
         "sharing_group_id": "0",
         "deleted": false,
         "disable_correlation": false,
         "object_id": "588",
         "object_relation": "filename",
         "value": "StarCraft.exe",
         "ShadowAttribute": [],
         "first_seen": null,
         "last_seen": null
       }
     ]
   }

                                 Figure 1

2.6.2.  Object Attributes

2.6.2.1.  uuid

   uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of
   the object.  The uuid MUST be preserved for any updates or transfer
   of the same object.  UUID version 4 is RECOMMENDED when assigning it
   to a new object.

2.6.2.2.  id

   id represents the human-readable identifier associated to the object
   for a specific MISP instance.  A human-readable identifier MUST be
   represented as an unsigned integer.

   id is represented as a JSON string.  id SHALL be present.

2.6.2.3.
name

   name represents the human-readable name of the object, describing the
   intent of the object package.

   name is represented as a JSON string.  name MUST be present.

2.6.2.4.  meta-category

   meta-category represents the sub-category of objects that the given
   object belongs to.  meta-categories are not tied to a fixed list of
   options but can be created on the fly.

   meta-category is represented as a JSON string.  meta-category MUST be
   present.

2.6.2.5.  description

   description is a human-readable description of the given object type,
   as derived from the template used for creation.

   description is represented as a JSON string.  description SHALL be
   present.

2.6.2.6.  template_uuid

   template_uuid represents the Universally Unique IDentifier (UUID)
   [RFC4122] of the template used to create the object.  The
   template_uuid MUST be preserved to keep the object's association
   with the template used for its creation.  UUID version 4 is
   RECOMMENDED when assigning it to a new template.

   template_uuid is represented as a JSON string.  template_uuid MUST be
   present.

2.6.2.7.  template_version

   template_version represents a numeric, incrementing version of the
   template used to create the object.  Together with template_uuid it
   associates the object with the correct template type and version.

   template_version is represented as a JSON string.  template_version
   MUST be present.

2.6.2.8.  event_id

   event_id represents the human-readable identifier of the event that
   the object belongs to on a specific MISP instance.  A human-readable
   identifier MUST be represented as an unsigned integer.

   event_id is represented as a JSON string.  event_id SHALL be present.

2.6.2.9.  timestamp

   timestamp represents a reference time when the object was created or
   last modified.  timestamp is expressed in seconds (decimal) since 1st
   of January 1970 (Unix timestamp).  The time zone MUST be UTC.
   timestamp is represented as a JSON string.  timestamp MUST be present.

2.6.2.10.  distribution

   distribution represents the basic distribution rules of the object.
   The system must adhere to the distribution setting for access control
   and for dissemination of the object.

   distribution is represented by a JSON string.  distribution MUST be
   present and be one of the following options:

   0
      Your Organisation Only

   1
      This Community Only

   2
      Connected Communities

   3
      All Communities

   4
      Sharing Group

   5
      Inherit Event

2.6.2.11.  sharing_group_id

   sharing_group_id represents a human-readable identifier referencing a
   Sharing Group object that defines the distribution of the object, if
   distribution level "4" is set.  A human-readable identifier MUST be
   represented as an unsigned integer.

   sharing_group_id is represented by a JSON string and SHOULD be
   present.  If a distribution level other than "4" is chosen the
   sharing_group_id MUST be set to "0".

2.6.2.12.  comment

   comment is a contextual comment field.

   comment is represented by a JSON string.  comment MAY be present.

2.6.2.13.  deleted

   deleted represents a setting that allows objects to be revoked.
   Revoked objects are not actionable and exist merely to inform other
   instances of a revocation.

   deleted is represented by a JSON boolean.  deleted MUST be present.

2.6.2.14.  Attribute

   Attribute is an array of attributes that describe the object with
   data.

   Each attribute in an object MUST contain the parent event's ID in the
   event_id field and the parent object's ID in the object_id field.

2.6.2.15.  first_seen

   first_seen represents a reference time when the object was first
   seen.  first_seen is expressed as an ISO 8601 datetime up to the
   microsecond with time zone support.

   first_seen is represented as a JSON string.  first_seen MAY be
   present.

2.6.2.16.
last_seen

   last_seen represents a reference time when the object was last seen.
   last_seen is expressed as an ISO 8601 datetime up to the microsecond
   with time zone support.

   last_seen is represented as a JSON string.  last_seen MAY be present.

2.7.  Object References

   Object References serve as a logical link between an Object and
   another referenced Object or Attribute.  The relationship is
   categorised by an enumerated value from a fixed vocabulary.

   Taking the relationship_type from the MISP object relationship list
   [MISP-R] is RECOMMENDED to ensure a coherent naming of relationships.

   All Object References MUST contain an object_uuid, a referenced_uuid
   and a relationship_type.

2.7.1.  Sample ObjectReference object

   "ObjectReference": {
     "id": "195",
     "uuid": "59c21a2c-c0ac-4083-93b3-363da07724d1",
     "timestamp": "1505892908",
     "object_id": "591",
     "event_id": "113",
     "referenced_id": "590",
     "referenced_type": "1",
     "relationship_type": "derived-from",
     "comment": "",
     "deleted": false,
     "object_uuid": "59c1134d-8a40-4c14-ad94-0f7ba07724d1",
     "referenced_uuid": "59c1133c-9adc-4d06-a34b-0f7ca07724d1"
   }

2.7.2.  ObjectReference Attributes

2.7.2.1.  uuid

   uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of
   the object reference.  The uuid MUST be preserved for any updates or
   transfer of the same object reference.  UUID version 4 is RECOMMENDED
   when assigning it to a new object reference.

2.7.2.2.  id

   id represents the human-readable identifier associated to the object
   reference for a specific MISP instance.

   id is represented as a JSON string.  id SHALL be present.

2.7.2.3.  timestamp

   timestamp represents a reference time when the object reference was
   created or last modified.  timestamp is expressed in seconds
   (decimal) since 1st of January 1970 (Unix timestamp).
   The time zone MUST be UTC.

   timestamp is represented as a JSON string.  timestamp MUST be present.

2.7.2.4.  object_id

   object_id represents the human-readable identifier of the object that
   the object reference belongs to on a specific MISP instance.  A
   human-readable identifier MUST be represented as an unsigned integer.

   object_id is represented as a JSON string.  object_id SHALL be
   present.

2.7.2.5.  event_id

   event_id represents the human-readable identifier of the event that
   the object reference belongs to on a specific MISP instance.  A
   human-readable identifier MUST be represented as an unsigned integer.

   event_id is represented as a JSON string.  event_id SHALL be present.

2.7.2.6.  referenced_id

   referenced_id represents the human-readable identifier of the object
   or attribute that the parent object of the object reference points to
   on a specific MISP instance.

   referenced_id is represented as a JSON string.  referenced_id MAY be
   present.

2.7.2.7.  referenced_type

   referenced_type represents the numeric value describing what the
   object reference points to, "0" representing an attribute and "1"
   representing an object.

   referenced_type is represented as a JSON string.  referenced_type MAY
   be present.

2.7.2.8.  relationship_type

   relationship_type represents the human-readable context of the
   relationship between an object and another object or attribute as
   described by the object reference.

   relationship_type is represented as a JSON string.  relationship_type
   MUST be present.

2.7.2.9.  comment

   comment is a contextual comment field.

   comment is represented by a JSON string.  comment MAY be present.

2.7.2.10.  deleted

   deleted represents a setting that allows object references to be
   revoked.  Revoked object references are not actionable and exist
   merely to inform other instances of a revocation.
   deleted is represented by a JSON boolean.  deleted MUST be present.

2.7.2.11.  object_uuid

   object_uuid represents the Universally Unique IDentifier (UUID)
   [RFC4122] of the object that the given object reference belongs to.
   The object_uuid MUST be preserved to preserve the object reference's
   association with the object.

2.7.2.12.  referenced_uuid

   referenced_uuid represents the Universally Unique IDentifier (UUID)
   [RFC4122] of the object or attribute that is being referenced by the
   object reference.  The referenced_uuid MUST be preserved to preserve
   the object reference's association with the object or attribute.

2.8.  EventReport

   EventReports are used to complement an event with one or more reports
   in Markdown format.  An EventReport contains unstructured information
   which can be linked to Attributes, Objects, Tags or Galaxies through
   an extension to the Markdown markup language.

2.8.1.  id

   id represents the human-readable identifier associated to the
   EventReport for a specific MISP instance.  A human-readable
   identifier MUST be represented as an unsigned integer.

   id is represented as a JSON string.  id SHALL be present.

2.8.2.  uuid

   uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of
   the EventReport.  The uuid MUST be preserved for any updates or
   transfer of the same EventReport.  UUID version 4 is RECOMMENDED when
   assigning it to a new EventReport.

   uuid is represented as a JSON string.  uuid MUST be present.

2.8.3.  event_id

   event_id represents the human-readable identifier associating the
   EventReport to an event on a specific MISP instance.  A human-
   readable identifier MUST be represented as an unsigned integer.

   event_id is represented as a JSON string.  event_id MUST be present.

2.8.4.  name

   name represents the information field of the EventReport.
   name is a free-text value providing a human-readable summary of the
   report.  name SHOULD NOT be longer than 256 characters and SHOULD NOT
   include new-lines.

   name is represented as a JSON string.  name MUST be present.

2.8.5.  content

   content includes the raw EventReport in Markdown format, with or
   without the MISP-specific Markdown markup extension.

   The Markdown extension for MISP is composed of a prefix symbol (the
   "@" character in the MISP implementation), then the scope (attribute,
   object, tag or galaxymatrix) between square brackets, followed by the
   UUID of the referenced element between parentheses.

   content is represented as a JSON string.  content MUST be present.

2.8.6.  distribution

   distribution represents the basic distribution rules of the
   EventReport.  The system must adhere to the distribution setting for
   access control and for dissemination of the EventReport.

   distribution is represented by a JSON string.  distribution MUST be
   present and be one of the following options:

   0
      Your Organisation Only

   1
      This Community Only

   2
      Connected Communities

   3
      All Communities

   4
      Sharing Group

   5
      Inherit Event

2.8.7.  sharing_group_id

   sharing_group_id represents the local identifier, on the MISP
   instance, of the Sharing Group used for the distribution when
   distribution level "4" is set.

   sharing_group_id is represented by a JSON string.  sharing_group_id
   MUST be present and set to "0" if not used.

2.8.8.  timestamp

   timestamp represents a reference time when the EventReport was
   created or last modified.  timestamp is expressed in seconds (decimal)
   since 1st of January 1970 (Unix timestamp).  The time zone MUST be
   UTC.

   timestamp is represented as a JSON string.  timestamp MUST be present.

2.8.9.  deleted

   deleted represents a setting that allows EventReports to be revoked.
   Revoked EventReports are not actionable and exist merely to inform
   other instances of a revocation.
   deleted is represented by a JSON boolean.  deleted MUST be present.

2.9.  Tag

   A tag is a simple method to classify an event with a simple string.
   The tag name can be freely chosen or can be taken from a fixed
   machine-tag vocabulary called MISP taxonomies [MISP-T].  When an
   event is distributed outside an organisation, the use of MISP
   taxonomies [MISP-T] is RECOMMENDED to ensure a coherent naming of the
   tags.  Tags are represented as a JSON array in which each element
   describes one associated tag.  A Tag array SHALL be at event level or
   at attribute level.  A tag element is described with a name, id,
   colour and exportable flag.

   exportable represents a setting indicating whether the tag is kept
   local or exported to other MISP instances.  exportable is represented
   by a JSON boolean.  id is a human-readable identifier that references
   the tag on the local instance.  colour represents the RGB value of
   the tag as a hexadecimal "#rrggbb" string.

   name MUST be present.  colour, id and exportable SHALL be present.

2.9.1.  Sample Tag

   "Tag": [{
     "exportable": true,
     "colour": "#ffffff",
     "name": "tlp:white",
     "id": "2"
   }]

2.10.  Sighting

   A sighting is an ascertainment which describes whether an attribute
   has been seen under a given set of conditions.  The sighting can
   include the organisation who sighted the attribute or can be
   anonymised.  Sighting is composed of a JSON array in which each
   element describes one singular instance of a sighting.  A sighting
   element is a JSON object composed of the following values:

   type MUST be present.  type describes the type of a sighting.
MISP 1546 allows 3 default types: 1548 +------------+------------------------------------------------------+ 1549 | Sighting | Description | 1550 | type | | 1551 +------------+------------------------------------------------------+ 1552 | 0 | denotes an attribute which has been seen | 1553 | 1 | denotes an attribute which has been seen and | 1554 | | confirmed as false-positive | 1555 | 2 | denotes an attribute which will be expired at the | 1556 | | time of the sighting | 1557 +------------+------------------------------------------------------+ 1559 uuid MUST be present. uuid references the uuid of the sighted 1560 attribute. 1562 date_sighting MUST be present. date_sighting is expressed in seconds 1563 (decimal) elapsed since 1st of January 1970 (Unix timestamp). 1564 date_sighting represents when the referenced attribute, designated by 1565 its uuid, is sighted. 1567 source MAY be present. source is represented as a JSON string and 1568 represents the human-readable version of the sighting source, which 1569 can be a given piece of software (e.g. SIEM), device or a specific 1570 analytical process. 1572 id, event_id and attribute_id MAY be present. 1574 id represents the human-readable identifier of the sighting reference 1575 which belongs to a specific MISP instance. event_id represents the 1576 human-readable identifier of the event referenced by the sighting and 1577 belongs to a specific MISP instance. attribute_id represents the 1578 human-readable identifier of the attribute referenced by the sighting 1579 and belongs to a specific MISP instance. 1581 org_id MAY be present along the JSON object describing the 1582 organisation. If the org_id is not present, the sighting is 1583 considered as anonymised. 1585 org_id represents the human-readable identifier of the organisation 1586 which did the sighting and belongs to a specific MISP instance. 1588 A human-readable identifier MUST be represented as an unsigned 1589 integer. 1591 2.10.1. 
Sample Sighting 1592 "Sighting": [ 1593 { 1594 "id": "13599", 1595 "attribute_id": "1201615", 1596 "event_id": "10164", 1597 "org_id": "2", 1598 "date_sighting": "1517581400", 1599 "uuid": "5a747459-41b4-4826-9b29-42dd950d210f", 1600 "source": "M2M-CIRCL", 1601 "type": "0", 1602 "Organisation": { 1603 "id": "2", 1604 "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", 1605 "name": "CIRCL" 1606 } 1607 }, 1608 { 1609 "id": "13601", 1610 "attribute_id": "1201615", 1611 "event_id": "10164", 1612 "org_id": "2", 1613 "date_sighting": "1517581401", 1614 "uuid": "5a74745a-a190-4d04-b719-4916950d210f", 1615 "source": "M2M-CIRCL", 1616 "type": "0", 1617 "Organisation": { 1618 "id": "2", 1619 "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", 1620 "name": "CIRCL" 1621 } 1622 } 1623 ] 1625 2.11. Galaxy 1627 A galaxy is a simple method to express a large object called cluster 1628 that can be attached to MISP events. A cluster can be composed of 1629 one or more elements. Elements are expressed as key-values. 1631 2.11.1. 
Sample Galaxy 1632 "Galaxy": [ { 1633 "id": "18", 1634 "uuid": "698774c7-8022-42c4-917f-8d6e4f06ada3", 1635 "name": "Threat Actor", 1636 "type": "threat-actor", 1637 "description": "Threat actors are characteristics of malicious actors 1638 (or adversaries) representing a cyber attack threat 1639 including presumed intent and historically observed behaviour.", 1640 "version": "1", 1641 "GalaxyCluster": [ 1642 { 1643 "id": "1699", 1644 "uuid": "7cdff317-a673-4474-84ec-4f1754947823", 1645 "type": "threat-actor", 1646 "value": "Anunak", 1647 "tag_name": "misp-galaxy:threat-actor=\"Anunak\"", 1648 "description": "Groups targeting financial organizations 1649 or people with significant financial assets.", 1650 "galaxy_id": "18", 1651 "source": "MISP Project", 1652 "authors": [ 1653 "Alexandre Dulaunoy", 1654 "Florian Roth", 1655 "Thomas Schreck", 1656 "Timo Steffens", 1657 "Various" 1658 ], 1659 "tag_id": "111", 1660 "meta": { 1661 "synonyms": [ 1662 "Carbanak", 1663 "Carbon Spider" 1664 ], 1665 "country": [ 1666 "RU" 1667 ], 1668 "motive": [ 1669 "Cybercrime" 1670 ] 1671 } 1672 } 1673 ] 1674 } 1675 ] 1677 3. JSON Schema 1679 The JSON Schema [JSON-SCHEMA] below defines the structure of the MISP 1680 core format as literally described before. The JSON Schema is used 1681 to validate MISP events at creation time or parsing. 
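   The JSON Schema checks field presence and JSON types only.  The
   cross-reference rules of Sections 2.6.2.14, 2.7, 2.8.5 and 2.10
   (attributes inside an Object carrying the parent ids, referenced_uuid
   resolving to something in the event and agreeing with referenced_type,
   sharing_group_id being "0" unless distribution is "4", sighting
   attribute_id and type being valid, and EventReport links resolving)
   are not expressible in it.  The following checker covers them, as an
   added example that is not code from this document or from the MISP
   project; it uses only the Python standard library.  The event it runs
   on is constructed, with two bad references and one dangling report
   link on purpose.  Two assumptions: the EventReport prefix symbol is
   "@" (the draft names the bracket layout but not the symbol), and
   distribution "5" is accepted for Objects because the draft's own
   sample Object carries it.

```python
"""Referential checks the Section 3 JSON Schema cannot express.
Added example, standard library only; the event below is constructed."""
import re

# Assumption: the MISP Markdown extension (2.8.5) uses '@' as prefix, i.e.
# @[attribute](<uuid>); the draft names the brackets and scopes, not the symbol.
REPORT_LINK = re.compile(r"@\[(attribute|object|tag|galaxymatrix)\]\(([^)]+)\)")
# "0".."4" from 2.6.2.10; "5" (inherit event) appears in the draft's sample Object.
OBJECT_DISTRIBUTIONS = {"0", "1", "2", "3", "4", "5"}


def index_event(event):
    """Map every Attribute/Object uuid to its kind and collect attribute ids."""
    kinds, ids = {}, set()
    for a in event.get("Attribute", []):
        kinds[a["uuid"]] = "attribute"
        ids.add(a["id"])
    for o in event.get("Object", []):
        kinds[o["uuid"]] = "object"
        for a in o.get("Attribute", []):
            kinds[a["uuid"]] = "attribute"
            ids.add(a["id"])
    return kinds, ids


def check_event(event):
    """Return a list of violations; an empty list means the event is consistent."""
    kinds, ids = index_event(event)
    errors = []
    for o in event.get("Object", []):
        if o["distribution"] not in OBJECT_DISTRIBUTIONS:
            errors.append(f"object {o['uuid']}: unknown distribution {o['distribution']}")
        if o["distribution"] != "4" and o.get("sharing_group_id") != "0":   # 2.6.2.11
            errors.append(f"object {o['uuid']}: sharing_group_id must be \"0\" unless distribution is \"4\"")
        for a in o.get("Attribute", []):   # 2.6.2.14
            if a.get("object_id") != o["id"] or a.get("event_id") != o["event_id"]:
                errors.append(f"attribute {a['uuid']}: object_id/event_id disagree with parent object")
        for ref in o.get("ObjectReference", []):   # 2.7
            if ref["object_uuid"] != o["uuid"]:
                errors.append(f"reference {ref['uuid']}: object_uuid is not the containing object")
            target = kinds.get(ref["referenced_uuid"])
            if target is None:
                errors.append(f"reference {ref['uuid']}: dangling referenced_uuid {ref['referenced_uuid']}")
                continue
            expected = "0" if target == "attribute" else "1"   # 2.7.2.7
            if ref.get("referenced_type", expected) != expected:
                errors.append(f"reference {ref['uuid']}: referenced_type {ref['referenced_type']} but target is an {target}")
    for s in event.get("Sighting", []):   # 2.10
        if s["type"] not in ("0", "1", "2"):
            errors.append(f"sighting {s['uuid']}: unknown type {s['type']}")
        if not s["date_sighting"].isdigit():
            errors.append(f"sighting {s['uuid']}: date_sighting is not a Unix timestamp")
        if "attribute_id" in s and s["attribute_id"] not in ids:
            errors.append(f"sighting {s['uuid']}: attribute_id {s['attribute_id']} not in event")
    for r in event.get("EventReport", []):   # 2.8.5 markup links
        for scope, ident in REPORT_LINK.findall(r["content"]):
            if scope in ("attribute", "object") and kinds.get(ident) != scope:
                errors.append(f"report {r['uuid']}: @[{scope}]({ident}) does not resolve")
    return errors


OBJ = "398b0094-0384-4c48-9bf0-22b3dff9c4d3"    # object uuid from the draft's sample
ATTR = "00000000-0000-4000-8000-0000000000a1"   # synthetic, as are the uuids below
SAMPLE_EVENT = {   # constructed; contains three deliberate violations
    "id": "56",
    "Attribute": [{"id": "7800", "uuid": ATTR, "event_id": "56", "type": "ip-dst",
                   "category": "Network activity", "value": "203.0.113.7"}],
    "Object": [{
        "id": "588", "uuid": OBJ, "event_id": "56", "name": "file",
        "distribution": "5", "sharing_group_id": "0",
        "Attribute": [{"id": "7822", "uuid": "59bfe3fb-bde0-4dfe-b5b1-2b10a07724d1",
                       "event_id": "56", "object_id": "588", "type": "filename",
                       "category": "Payload delivery", "value": "StarCraft.exe"}],
        "ObjectReference": [
            {"id": "1", "uuid": "00000000-0000-4000-8000-0000000000f1", "object_uuid": OBJ,
             "referenced_uuid": ATTR, "referenced_type": "1",   # wrong: target is an attribute
             "relationship_type": "connects-to"},
            {"id": "2", "uuid": "00000000-0000-4000-8000-0000000000f2", "object_uuid": OBJ,
             "referenced_uuid": "00000000-0000-4000-8000-0000000000ff",   # dangling
             "referenced_type": "1", "relationship_type": "derived-from"}]}],
    "Sighting": [{"id": "1", "uuid": "00000000-0000-4000-8000-0000000000c1", "event_id": "56",
                  "attribute_id": "7800", "type": "0", "date_sighting": "1517581400"}],
    "EventReport": [{"id": "1", "uuid": "00000000-0000-4000-8000-0000000000d1", "event_id": "56",
                     "name": "Analyst notes",
                     "content": f"Dropper @[object]({OBJ}) beacons to @[attribute]({ATTR}); "
                                "see @[attribute](00000000-0000-4000-8000-0000000000ab)."}]}

if __name__ == "__main__":
    for line in check_event(SAMPLE_EVENT):
        print(line)
```

   Run this after schema validation, not instead of it: the checker
   assumes the fields it reads are present and typed as the schema
   requires.  On the constructed event it reports exactly three
   problems, one per deliberate error.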
   {
     "$schema": "http://json-schema.org/draft-04/schema#",
     "title": "Validator for misp events",
     "id": "https://github.com/MISP/MISP/blob/2.4/format/2.4/schema.json",
     "defs": {
       "org": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "id": { "type": "string" },
           "name": { "type": "string" },
           "uuid": { "type": "string" }
         },
         "required": [ "uuid" ]
       },
       "orgc": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "id": { "type": "string" },
           "name": { "type": "string" },
           "uuid": { "type": "string" }
         },
         "required": [ "uuid" ]
       },
       "sharing_group": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "id": { "type": "string" },
           "name": { "type": "string" },
           "releasability": { "type": "string" },
           "description": { "type": "string" },
           "uuid": { "type": "string" },
           "organisation_uuid": { "type": "string" },
           "org_id": { "type": "string" },
           "sync_user_id": { "type": "string" },
           "active": { "type": "boolean" },
           "created": { "type": "string" },
           "modified": { "type": "string" },
           "local": { "type": "boolean" },
           "roaming": { "type": "boolean" },
           "Organisation": { "$ref": "#/defs/org" },
           "SharingGroupOrg": {
             "type": "array",
             "uniqueItems": true,
             "items": { "$ref": "#/defs/sharing_group_org" }
           },
           "SharingGroupServer": {
             "type": "array",
             "uniqueItems": true,
             "items": { "$ref": "#/defs/sharing_group_server" }
           }
         },
         "required": [ "uuid" ]
       },
       "sharing_group_org": {
         "type": "object",
1794 "additionalProperties": false, 1795 "properties": { 1796 "id": { 1797 "type": "string" 1798 }, 1799 "sharing_group_id": { 1800 "type": "string" 1801 }, 1802 "org_id": { 1803 "type": "string" 1804 }, 1805 "extend": { 1806 "type": "boolean" 1807 }, 1808 "Organisation": { 1809 "$ref": "#/defs/org" 1810 } 1811 } 1812 }, 1813 "sharing_group_server": { 1814 "type": "object", 1815 "additionalProperties": false, 1816 "properties": { 1817 "id": { 1818 "type": "string" 1819 }, 1820 "sharing_group_id": { 1821 "type": "string" 1822 }, 1823 "server_id": { 1824 "type": "string" 1825 }, 1826 "all_orgs": { 1827 "type": "boolean" 1828 }, 1829 "Server": { 1830 "$ref": "#/defs/server" 1831 } 1832 } 1833 }, 1834 "server": { 1835 "type": "object", 1836 "additionalProperties": false, 1837 "properties": { 1838 "id": { 1839 "type": "string" 1840 }, 1841 "url": { 1842 "type": "string" 1843 }, 1844 "name": { 1845 "type": "string" 1846 } 1847 } 1848 }, 1849 "object": { 1850 "type": "object", 1851 "additionalProperties": false, 1852 "properties": { 1853 "uuid": { 1854 "type": "string" 1855 }, 1856 "name": { 1857 "type": "string" 1858 }, 1859 "event_id": { 1860 "type": "string" 1861 }, 1862 "description": { 1863 "type": "string" 1864 }, 1865 "template_uuid": { 1866 "type": "string" 1867 }, 1868 "template_version": { 1869 "type": "string" 1870 }, 1871 "id": { 1872 "type": "string" 1873 }, 1874 "meta-category": { 1875 "type": "string" 1876 }, 1877 "deleted": { 1878 "type": "boolean" 1879 }, 1880 "timestamp": { 1881 "type": "string" 1882 }, 1883 "first_seen": { 1884 "type": "string" 1885 }, 1886 "last_seen": { 1887 "type": "string" 1888 }, 1889 "distribution": { 1890 "type": "string" 1891 }, 1892 "sharing_group_id": { 1893 "type": "string" 1894 }, 1895 "comment": { 1896 "type": "string" 1897 }, 1898 "ObjectReference": { 1899 "type": "array", 1900 "uniqueItems": true, 1901 "items": { 1902 "$ref": "#/defs/objectreference" 1903 } 1904 }, 1905 "Attribute": { 1906 "type": "array", 1907 
"uniqueItems": true, 1908 "items": { 1909 "$ref": "#/defs/attribute" 1910 } 1911 } 1912 } 1913 }, 1914 "sighthing": { 1915 "type": "object", 1916 "additionalProperties": false, 1917 "properties": { 1918 "id": { 1919 "type": "string" 1920 }, 1921 "attribute_id": { 1922 "type": "string" 1923 }, 1924 "event_id": { 1925 "type": "string" 1926 }, 1927 "source": { 1928 "type": "string" 1929 }, 1930 "type": { 1931 "type": "string" 1932 }, 1933 "org_id": { 1934 "type": "string" 1935 }, 1936 "date_sighting": { 1937 "type": "string" 1938 }, 1939 "uuid": { 1940 "type": "string" 1941 }, 1942 "Organisation": { 1943 "$ref": "#/defs/organisation" 1944 } 1945 } 1946 }, 1947 "organisation": { 1948 "type": "object", 1949 "additionalProperties": false, 1950 "properties": { 1951 "id": { 1952 "type": "string" 1953 }, 1954 "uuid": { 1955 "type": "string" 1956 }, 1957 "name": { 1958 "type": "string" 1959 } 1960 } 1961 }, 1962 "objectreference": { 1963 "type": "object", 1964 "additionalProperties": false, 1965 "properties": { 1966 "deleted": { 1967 "type": "boolean" 1968 }, 1969 "object_id": { 1970 "type": "string" 1971 }, 1972 "event_id": { 1973 "type": "string" 1974 }, 1975 "timestamp": { 1976 "type": "string" 1977 }, 1978 "id": { 1979 "type": "string" 1980 }, 1981 "uuid": { 1982 "type": "string" 1983 }, 1984 "type": { 1985 "type": "string" 1986 }, 1987 "referenced_id": { 1988 "type": "string" 1989 }, 1990 "referenced_uuid": { 1991 "type": "string" 1992 }, 1993 "referenced_type": { 1994 "type": "string" 1995 }, 1996 "relationship_type": { 1997 "type": "string" 1998 }, 1999 "object_uuid": { 2000 "type": "string" 2001 }, 2002 "comment": { 2003 "type": "string" 2004 }, 2005 "Object": { 2006 "$ref": "#/defs/object" 2007 } 2008 } 2009 }, 2010 "attribute": { 2011 "type": "object", 2012 "additionalProperties": false, 2013 "properties": { 2014 "id": { 2015 "type": "string" 2016 }, 2017 "old_id": { 2018 "type": "string" 2019 }, 2020 "type": { 2021 "type": "string" 2022 }, 2023 "category": { 2024 
"type": "string" 2025 }, 2026 "to_ids": { 2027 "type": "boolean" 2028 }, 2029 "uuid": { 2030 "type": "string" 2031 }, 2032 "event_id": { 2033 "type": "string" 2034 }, 2035 "event_uuid": { 2036 "type": "string" 2037 }, 2038 "proposal_to_delete": { 2039 "type": "boolean" 2040 }, 2041 "validationIssue": { 2042 "type": "boolean" 2043 }, 2044 "Org": { 2045 "$ref": "#/defs/organisation" 2046 }, 2047 "org_id": { 2048 "type": "string" 2049 }, 2050 "distribution": { 2051 "type": "string" 2052 }, 2053 "timestamp": { 2054 "type": "string" 2055 }, 2056 "first_seen": { 2057 "type": "string" 2058 }, 2059 "last_seen": { 2060 "type": "string" 2062 }, 2063 "comment": { 2064 "type": "string" 2065 }, 2066 "sharing_group_id": { 2067 "type": "string" 2068 }, 2069 "deleted": { 2070 "type": "boolean" 2071 }, 2072 "disable_correlation": { 2073 "type": "boolean" 2074 }, 2075 "value": { 2076 "type": "string" 2077 }, 2078 "data": { 2079 "type": "string" 2080 }, 2081 "object_relation": { 2082 "type": ["string", "null"] 2083 }, 2084 "object_id": { 2085 "type": "string" 2086 }, 2087 "SharingGroup": { 2088 "$ref": "#/defs/sharing_group" 2089 }, 2090 "ShadowAttribute": { 2091 "type": "array", 2092 "uniqueItems": true, 2093 "items": { 2094 "$ref": "#/defs/attribute" 2095 } 2096 }, 2097 "Sighting": { 2098 "type": "array", 2099 "uniqueItems": true, 2100 "items": { 2101 "$ref": "#/defs/sighthing" 2102 } 2103 }, 2104 "Galaxy": { 2105 "type": "array", 2106 "uniqueItems": true, 2107 "items": { 2108 "$ref": "#/defs/galaxy" 2109 } 2111 }, 2112 "Tag": { 2113 "uniqueItems": true, 2114 "type": "array", 2115 "items": { 2116 "$ref": "#/defs/tag" 2117 } 2118 } 2119 } 2120 }, 2121 "event": { 2122 "type": "object", 2123 "additionalProperties": false, 2124 "properties": { 2125 "id": { 2126 "type": "string" 2127 }, 2128 "orgc_id": { 2129 "type": "string" 2130 }, 2131 "org_id": { 2132 "type": "string" 2133 }, 2134 "date": { 2135 "type": "string" 2136 }, 2137 "extends_uuid": { 2138 "type": "string" 2139 }, 2140 
"threat_level_id": { 2141 "type": "string" 2142 }, 2143 "info": { 2144 "type": "string" 2145 }, 2146 "published": { 2147 "type": "boolean" 2148 }, 2149 "uuid": { 2150 "type": "string" 2151 }, 2152 "attribute_count": { 2153 "type": "string" 2154 }, 2155 "analysis": { 2156 "type": "string" 2157 }, 2158 "timestamp": { 2159 "type": "string" 2160 }, 2161 "distribution": { 2162 "type": "string" 2163 }, 2164 "proposal_email_lock": { 2165 "type": "boolean" 2166 }, 2167 "locked": { 2168 "type": "boolean" 2169 }, 2170 "publish_timestamp": { 2171 "type": "string" 2172 }, 2173 "sharing_group_id": { 2174 "type": "string" 2175 }, 2176 "disable_correlation": { 2177 "type": "boolean" 2178 }, 2179 "event_creator_email": { 2180 "type": "string" 2181 }, 2182 "Org": { 2183 "$ref": "#/defs/org" 2184 }, 2185 "Orgc": { 2186 "$ref": "#/defs/org" 2187 }, 2188 "SharingGroup": { 2189 "$ref": "#/defs/sharing_group" 2190 }, 2191 "Attribute": { 2192 "type": "array", 2193 "uniqueItems": true, 2194 "items": { 2195 "$ref": "#/defs/attribute" 2196 } 2197 }, 2198 "ShadowAttribute": { 2199 "type": "array", 2200 "uniqueItems": true, 2201 "items": { 2202 "$ref": "#/defs/attribute" 2203 } 2204 }, 2205 "RelatedEvent": { 2206 "type": "array", 2207 "uniqueItems": true, 2208 "items": { 2209 "type": "object", 2210 "additionalProperties": false, 2211 "properties": { 2212 "Event":{ 2213 "$ref": "#/defs/event" 2214 } 2215 } 2216 } 2217 }, 2218 "Galaxy": { 2219 "type": "array", 2220 "uniqueItems": true, 2221 "items": { 2222 "$ref": "#/defs/galaxy" 2223 } 2224 }, 2225 "Object": { 2226 "type": "array", 2227 "uniqueItems": true, 2228 "items": { 2229 "$ref": "#/defs/object" 2230 } 2231 }, 2232 "Tag": { 2233 "type": "array", 2234 "uniqueItems": true, 2235 "items": { 2236 "$ref": "#/defs/tag" 2237 } 2238 } 2239 } 2240 }, 2241 "tag": { 2242 "type": "object", 2243 "additionalProperties": false, 2244 "properties": { 2245 "id": { 2246 "type": "string" 2247 }, 2248 "name": { 2249 "type": "string" 2250 }, 2251 "colour": { 
2252 "type": "string" 2253 }, 2254 "exportable": { 2255 "type": "boolean" 2256 }, 2257 "hide_tag": { 2258 "type": "boolean" 2259 }, 2260 "user_id": { 2261 "type": "string" 2262 } 2263 } 2264 }, 2265 "galaxy": { 2266 "type": "object", 2267 "additionalProperties": false, 2268 "properties": { 2269 "id": { 2270 "type": "string" 2271 }, 2272 "uuid": { 2273 "type": "string" 2274 }, 2275 "name": { 2276 "type": "string" 2277 }, 2278 "type": { 2279 "type": "string" 2280 }, 2281 "description": { 2282 "type": "string" 2283 }, 2284 "version": { 2285 "type": "string" 2286 }, 2287 "icon": { 2288 "type": "string" 2289 }, 2290 "namespace": { 2291 "type": "string" 2292 }, 2293 "GalaxyCluster": { 2294 "type": "array", 2295 "uniqueItems": true, 2296 "items": { 2297 "$ref": "#/defs/galaxy_cluster" 2298 } 2299 } 2300 } 2301 }, 2302 "galaxy_cluster": { 2303 "type": "object", 2304 "additionalProperties": false, 2305 "properties": { 2306 "id": { 2307 "type": "string" 2308 }, 2309 "uuid": { 2310 "type": "string" 2311 }, 2312 "type": { 2313 "type": "string" 2314 }, 2315 "value": { 2316 "type": "string" 2317 }, 2318 "tag_name": { 2319 "type": "string" 2320 }, 2321 "description": { 2322 "type": "string" 2323 }, 2324 "galaxy_id": { 2325 "type": "string" 2326 }, 2327 "version": { 2328 "type": "string" 2329 }, 2330 "source": { 2331 "type": "string" 2332 }, 2333 "authors": { 2334 "type": "array", 2335 "uniqueItems": true, 2336 "items": { 2337 "type": "string" 2338 } 2339 }, 2340 "tag_id": { 2341 "type": "string" 2342 }, 2343 "meta": { 2344 "type": "object" 2345 } 2346 } 2347 } 2348 }, 2349 "type": "object", 2350 "properties": { 2351 "Event": { 2352 "$ref": "#/defs/event" 2353 } 2354 }, 2355 "required": [ 2356 "Event" 2357 ] 2358 } 2360 4. Manifest 2362 MISP events can be shared over an HTTP repository, a file package or 2363 USB key. A manifest file is used to provide an index of MISP events 2364 allowing to only fetch the recently updated files without the need to 2365 parse each json file. 
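   The manifest described in this section is simple enough to build and
   check with the standard library. The following Python is an added
   example, not MISP or PyMISP code: it indexes a directory of
   <uuid>.json event files into a manifest carrying the fields listed
   in Section 4.1 plus integrity:sha256, uses the timestamp to decide
   which events a consumer still needs to fetch, and verifies a file
   against its recorded digest. The integrity:pgp field is left out
   because a detached OpenPGP signature needs an external keyring; the
   event files, organisation and uuids are constructed placeholders.

```python
"""Build and verify the manifest.json described in Section 4.

Added example, not MISP or PyMISP code.  Covers the Section 4.1 fields
plus integrity:sha256; integrity:pgp is omitted (needs a keyring).
Event files are constructed in a temporary directory to run offline."""
import hashlib
import hmac
import json
import os
import tempfile

# Event fields copied into each manifest entry (Section 4.1).
MANIFEST_FIELDS = ("info", "Orgc", "analysis", "timestamp", "date", "threat_level_id")

# Constructed sample events; uuids and organisation are placeholders.
ORGC = {"uuid": "00000000-0000-4000-8000-0000000000aa", "name": "ExampleOrg"}
SAMPLE_EVENTS = [
    {"uuid": "00000000-0000-4000-8000-000000000001", "info": "constructed event A",
     "Orgc": ORGC, "analysis": "0", "timestamp": "1600000000",
     "date": "2020-09-13", "threat_level_id": "3", "Attribute": []},
    {"uuid": "00000000-0000-4000-8000-000000000002", "info": "constructed event B",
     "Orgc": ORGC, "analysis": "2", "timestamp": "1600100000",
     "date": "2020-09-14", "threat_level_id": "3", "Attribute": []},
]


def sha256_file(path):
    """Hex SHA256 of a file, streamed so large event files are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(directory):
    """Index every <uuid>.json in directory, keyed by the event uuid."""
    manifest = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".json") or name == "manifest.json":
            continue
        path = os.path.join(directory, name)
        with open(path, "rb") as f:
            event = json.load(f)["Event"]
        uuid = event["uuid"]
        # The draft names each file after its event uuid; refuse anything else
        # so a stray file cannot be indexed under a uuid it does not carry.
        if name != uuid + ".json":
            raise ValueError(f"{name}: filename does not match event uuid {uuid}")
        entry = {k: event[k] for k in MANIFEST_FIELDS if k in event}
        entry["integrity:sha256"] = sha256_file(path)
        manifest[uuid] = entry
    return manifest


def write_manifest(directory, manifest):
    with open(os.path.join(directory, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def events_to_fetch(manifest, known):
    """Uuids whose manifest timestamp is newer than the copy we already hold.

    known maps uuid -> timestamp string of the locally stored event."""
    return sorted(u for u, e in manifest.items()
                  if int(e["timestamp"]) > int(known.get(u, "0")))


def verify_event_file(directory, manifest, uuid):
    """True when the event file digest matches integrity:sha256 in the manifest."""
    expected = manifest[uuid].get("integrity:sha256")
    if expected is None:
        return False  # no digest recorded: treat the file as unverified
    actual = sha256_file(os.path.join(directory, uuid + ".json"))
    return hmac.compare_digest(actual, expected)


def demo():
    """Build a manifest, pick events to sync, then detect a modified file."""
    d = tempfile.mkdtemp()
    for ev in SAMPLE_EVENTS:
        with open(os.path.join(d, ev["uuid"] + ".json"), "w") as f:
            json.dump({"Event": ev}, f)
    manifest = build_manifest(d)
    write_manifest(d, manifest)
    # We already hold event A at its current timestamp, so only B is fetched.
    known = {SAMPLE_EVENTS[0]["uuid"]: SAMPLE_EVENTS[0]["timestamp"]}
    to_fetch = events_to_fetch(manifest, known)
    b_uuid = SAMPLE_EVENTS[1]["uuid"]
    ok_before = verify_event_file(d, manifest, b_uuid)
    with open(os.path.join(d, b_uuid + ".json"), "a") as f:
        f.write("\n")  # simulate a change made after the manifest was written
    ok_after = verify_event_file(d, manifest, b_uuid)
    # A file whose name does not match its uuid is rejected by build_manifest.
    with open(os.path.join(d, "copy.json"), "w") as f:
        json.dump({"Event": SAMPLE_EVENTS[0]}, f)
    try:
        build_manifest(d)
        mismatch_rejected = False
    except ValueError:
        mismatch_rejected = True
    return {"manifest": manifest, "to_fetch": to_fetch, "ok_before": ok_before,
            "ok_after": ok_after, "mismatch_rejected": mismatch_rejected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

   The digest only protects against accidental or undetected modification
   of an event file relative to the manifest; as the draft says, once
   per-event PGP signatures are used the manifest itself needs a detached
   signature (manifest.json.asc), otherwise an attacker who can rewrite
   the directory can rewrite the digests with it.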
4.1. Format

   A manifest file is a simple JSON file named manifest.json in the
   directory where the MISP events are located. Each MISP event is a
   file in the same directory, named after the event uuid with the json
   extension.

   The manifest format is a JSON object composed of a dictionary whose
   keys are the uuids of the events.

   Each uuid maps to a JSON object with the following fields, taken from
   the original event referenced by that uuid:

   o  info (MUST)

   o  Orgc object (MUST)

   o  analysis (SHALL)

   o  timestamp (MUST)

   o  date (MUST)

   o  threat_level_id (SHALL)

   In addition to the fields originating from the event, the following
   fields can be added:

   o  integrity:sha256 represents the SHA256 value, in hexadecimal
      representation, of the associated MISP event file, to ensure the
      integrity of the file. (SHOULD)

   o  integrity:pgp represents a detached PGP signature [RFC4880] of the
      associated MISP event file, to ensure the integrity of the file.
      (SHOULD)

   If a detached PGP signature is used for each MISP event, a detached
   PGP signature is a MUST to ensure the integrity of the manifest file.
   A detached PGP signature for a manifest file is a manifest.json.asc
   file containing the PGP signature.

4.1.1. Sample Manifest

   {
     "57c6ac4c-c60c-4f79-a38f-b666950d210f": {
       "info": "Malspam 2016-08-31 (.wsf in .zip) - campaign: Photo",
       "Orgc": {
         "id": "2",
         "name": "CIRCL",
         "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
       },
       "analysis": "0",
       "Tag": [
         {
           "colour": "#3d7a00",
           "name": "circl:incident-classification=\"malware\""
         },
         {
           "colour": "#ffffff",
           "name": "tlp:white"
         }
       ],
       "timestamp": "1472638251",
       "date": "2016-08-31",
       "threat_level_id": "3"
     },
     "5720accd-dd28-45f8-80e5-4605950d210f": {
       "info": "Malspam 2016-04-27 - Locky",
       "Orgc": {
         "id": "2",
         "name": "CIRCL"
       },
       "analysis": "2",
       "Tag": [
         {
           "colour": "#ffffff",
           "name": "tlp:white"
         },
         {
           "colour": "#3d7a00",
           "name": "circl:incident-classification=\"malware\""
         },
         {
           "colour": "#2c4f00",
           "name": "malware_classification:malware-category=\"Ransomware\""
         }
       ],
       "timestamp": "1461764231",
       "date": "2016-04-27",
       "threat_level_id": "3"
     }
   }

5. Implementation

   The MISP format is implemented by different software, including the
   MISP threat sharing platform and libraries such as PyMISP [MISP-P].
   Implementations use the format as an export/import mechanism, as a
   staging transport format, or as a synchronisation format, as is done
   in the MISP core platform. The MISP format does not impose any
   restriction on how other implementations represent the data in their
   own data structures.

6. Security Considerations

   MISP events might contain sensitive or confidential information.
   Adequate access control and encryption measures shall be implemented
   to ensure the confidentiality of the MISP events.

   Adversaries might include malicious content in MISP events and
   attributes.
   Implementations MUST therefore treat such input as untrusted and
   handle it defensively, in addition to the threat information itself,
   which by its nature may already carry content intended to be
   malicious.

7. Acknowledgements

   The authors wish to thank all the MISP community who are supporting
   the creation of open standards in threat intelligence sharing. A
   special thanks to Nicolas Bareil for the review of the JSON Schema.

8. References

8.1. Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC4122]  Leach, P., Mealling, M., and R. Salz, "A Universally
              Unique IDentifier (UUID) URN Namespace", RFC 4122,
              DOI 10.17487/RFC4122, July 2005.

   [RFC4880]  Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R.
              Thayer, "OpenPGP Message Format", RFC 4880,
              DOI 10.17487/RFC4880, November 2007.

   [RFC8259]  Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
              Interchange Format", STD 90, RFC 8259,
              DOI 10.17487/RFC8259, December 2017.

8.2. Informative References

   [JSON-SCHEMA]
              Wright, A., "JSON Schema: A Media Type for Describing JSON
              Documents", 2016.

   [MISP-P]   Community, M., "MISP Project - Open Source Threat
              Intelligence Platform and Open Standards For Threat
              Information Sharing".

   [MISP-R]   Community, M., "MISP Object Relationship Types - common
              vocabulary of relationships".

   [MISP-T]   Community, M., "MISP Taxonomies - shared and common
              vocabularies of tags".
Authors' Addresses

   Alexandre Dulaunoy
   Computer Incident Response Center Luxembourg
   16, bd d'Avranches
   Luxembourg L-1160
   Luxembourg

   Phone: +352 247 88444
   Email: alexandre.dulaunoy@circl.lu


   Andras Iklody
   Computer Incident Response Center Luxembourg
   16, bd d'Avranches
   Luxembourg L-1160
   Luxembourg

   Phone: +352 247 88444
   Email: andras.iklody@circl.lu