Network Working Group                                        A. Dulaunoy
Internet-Draft                                                 A. Iklody
Intended status: Informational                                     CIRCL
Expires: 19 August 2022                                 15 February 2022

                            MISP core format
                   draft-dulaunoy-misp-core-format-15

Abstract

This document describes the MISP core format used to exchange
indicators and threat information between MISP (Open Source Threat
Intelligence Sharing Platform, formerly known as Malware Information
Sharing Platform) instances.  The JSON format covers the overall
structure along with the semantics associated with each key.  The
format is described to support other implementations that reuse it
and to ensure interoperability with existing MISP [MISP-P] software
and other Threat Intelligence Platforms.

Status of This Memo

This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF).  Note that other groups may also distribute
working documents as Internet-Drafts.  The list of current
Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time.
It is inappropriate to use Internet-Drafts as reference material or to
cite them other than as "work in progress."

This Internet-Draft will expire on 19 August 2022.

Copyright Notice

Copyright (c) 2022 IETF Trust and the persons identified as the
document authors.  All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document.  Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.

Table of Contents

   1.  Introduction
       1.1.  Conventions and Terminology
   2.  Format
       2.1.  Overview
       2.2.  Event
             2.2.1.  Event Attributes
             2.2.2.  Event Objects
       2.3.  Attribute
             2.3.1.  Sample Attribute Object
             2.3.2.  Attribute Attributes
       2.4.  ShadowAttribute
             2.4.1.  Sample ShadowAttribute Object
             2.4.2.  ShadowAttribute Attributes
             2.4.3.  ShadowAttribute Objects
       2.5.  Object
             2.5.1.  Sample Object
             2.5.2.  Object Attributes
       2.6.  Object References
             2.6.1.  Sample ObjectReference object
             2.6.2.  ObjectReference Attributes
       2.7.  EventReport
             2.7.1.  id
             2.7.2.  UUID
             2.7.3.  event_id
             2.7.4.  name
             2.7.5.  content
             2.7.6.  distribution
             2.7.7.  sharing_group_id
             2.7.8.  timestamp
             2.7.9.  deleted
       2.8.  Tag
             2.8.1.  Sample Tag
       2.9.  Sighting
             2.9.1.  Sample Sighting
       2.10. Galaxy
             2.10.1.  Sample Galaxy
   3.  JSON Schema
   4.  Manifest
       4.1.  Format
             4.1.1.  Sample Manifest
   5.  Implementation
   6.  Security Considerations
   7.  Acknowledgements
   8.  References
   9.  Normative References
   10. Informative References
   Authors' Addresses

1.  Introduction

Sharing threat information has become a fundamental requirement in the
Internet, security and intelligence community at large.
Threat information can include indicators of compromise, malicious
file indicators, financial fraud indicators or even detailed
information about a threat actor.  MISP [MISP-P] started as an open
source project in late 2011, and the MISP format has come to be widely
used as an exchange format within the community in recent years.  The
aim of this document is to describe the specification of the MISP core
format.

1.1.  Conventions and Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].

2.  Format

2.1.  Overview

The MISP core format is in the JSON [RFC8259] format.  In MISP, an
event is composed of a single JSON object.

A capitalised key (like Event, Org) represents a data model and a
non-capitalised key is just an attribute.  This nomenclature allows an
implementation to represent the MISP format in another data
structure.

2.2.  Event

An event is a simple meta structure in which attributes and metadata
are embedded to compose a coherent set of indicators.  An event can be
composed from an incident, a security analysis report or a specific
threat actor analysis.  The meaning of an event depends only on the
information embedded in the event.

2.2.1.  Event Attributes

2.2.1.1.  uuid

uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of
the event.  The uuid MUST be preserved for any updates or transfer of
the same event.  UUID version 4 is RECOMMENDED when assigning it to a
new event.

uuid is represented as a JSON string.  uuid MUST be present.

2.2.1.2.  id

id represents the human-readable identifier associated to the event
for a specific MISP instance.  A human-readable identifier MUST be
represented as an unsigned integer.
id is represented as a JSON string.  id SHALL be present.

2.2.1.3.  published

published represents the event publication state.  If the event was
published, the published value MUST be true.  In any other
publication state, the published value MUST be false.

published is represented as a JSON boolean.  published MUST be
present.

2.2.1.4.  info

info represents the information field of the event.  info is a
free-text value providing a human-readable summary of the event.  info
SHOULD NOT be longer than 256 characters and SHOULD NOT include
newlines.

info is represented as a JSON string.  info MUST be present.

2.2.1.5.  threat_level_id

threat_level_id represents the threat level.

   4: Undefined
   3: Low
   2: Medium
   1: High

If a higher granularity is required, a MISP taxonomy applied as a Tag
SHOULD be preferred.

threat_level_id is represented as a JSON string.  threat_level_id
SHALL be present.

2.2.1.6.  analysis

analysis represents the analysis level.

   0: Initial
   1: Ongoing
   2: Complete

If a higher granularity is required, a MISP taxonomy applied as a Tag
SHOULD be preferred.

analysis is represented as a JSON string.  analysis SHALL be present.

2.2.1.7.  date

date represents a reference date for the event in ISO 8601 format
(date only: YYYY-MM-DD).  This date corresponds to the date the event
occurred, which may be in the past.

date is represented as a JSON string.  date MUST be present.

2.2.1.8.  timestamp

timestamp represents a reference time when the event, or one of the
attributes within the event, was created or last updated/edited on
the instance.  timestamp is expressed in seconds (decimal) since 1st
of January 1970 (Unix timestamp).  The time zone MUST be UTC.

timestamp is represented as a JSON string.  timestamp MUST be present.

2.2.1.9.  publish_timestamp

publish_timestamp represents a reference time when the event was
published on the instance.  publish_timestamp is expressed in seconds
(decimal) since 1st of January 1970 (Unix timestamp).  At each
publication of an event, publish_timestamp MUST be updated.  The time
zone MUST be UTC.  If publish_timestamp is present and the published
flag is set to false, publish_timestamp represents the previous
publication timestamp.  If the event was never published,
publish_timestamp MUST be set to 0.

publish_timestamp is represented as a JSON string.  publish_timestamp
MUST be present.

2.2.1.10.  org_id

org_id represents a human-readable identifier referencing an Org
object of the organisation which generated the event.  A
human-readable identifier MUST be represented as an unsigned integer.

The org_id MUST be updated when the event is generated by a new
instance.

org_id is represented as a JSON string.  org_id MUST be present.

2.2.1.11.  orgc_id

orgc_id represents a human-readable identifier referencing an Orgc
object of the organisation which created the event.

The orgc_id and Orgc object MUST be preserved for any updates or
transfer of the same event.

orgc_id is represented as a JSON string.  orgc_id MUST be present.

2.2.1.12.  attribute_count

attribute_count represents the number of attributes in the event.
attribute_count is expressed in decimal.

attribute_count is represented as a JSON string.  attribute_count
SHALL be present.

2.2.1.13.  distribution

distribution represents the basic distribution rules of the event.
The system must adhere to the distribution setting for access control
and for dissemination of the event.

distribution is represented by a JSON string.
distribution MUST be present and be one of the following options:

   0  Your Organisation Only
   1  This Community Only
   2  Connected Communities
   3  All Communities
   4  Sharing Group

2.2.1.14.  sharing_group_id

sharing_group_id represents a human-readable identifier referencing a
Sharing Group object that defines the distribution of the event, if
distribution level "4" is set.  A human-readable identifier MUST be
represented as an unsigned integer.

sharing_group_id is represented by a JSON string and SHOULD be
present.  If a distribution level other than "4" is chosen, the
sharing_group_id MUST be set to "0".

2.2.1.15.  extends_uuid

extends_uuid represents which event is extended by this event.  The
extends_uuid is described as a Universally Unique IDentifier (UUID)
[RFC4122] with the UUID of the extended event.

extends_uuid is represented as a JSON string.  extends_uuid SHOULD be
present.

2.2.2.  Event Objects

2.2.2.1.  Org

An Org object is composed of a uuid, a name and an id.

The uuid represents the Universally Unique IDentifier (UUID)
[RFC4122] of the organisation.  The organisation UUID is globally
assigned to an organisation and SHALL be kept over time.

The name is a readable description of the organisation and SHOULD be
present.  The id is a human-readable identifier generated by the
instance and used as a reference in the event.  A human-readable
identifier MUST be represented as an unsigned integer.

uuid, name and id are represented as JSON strings.  uuid, name and id
MUST be present.

2.2.2.1.1.  Sample Org Object

   "Org": {
     "id": "2",
     "name": "CIRCL",
     "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
   }

2.2.2.2.  Orgc

An Orgc object is composed of a uuid, a name and an id.

The uuid MUST be preserved for any updates or transfer of the same
event.  UUID version 4 is RECOMMENDED when assigning a UUID to a new
organisation.  The organisation UUID is globally assigned to an
organisation and SHALL be kept over time.

The name is a readable description of the organisation and SHOULD be
present.  The id is a human-readable identifier generated by the
instance and used as a reference in the event.  A human-readable
identifier MUST be represented as an unsigned integer.

uuid, name and id are represented as JSON strings.  uuid, name and id
MUST be present.

2.3.  Attribute

Attributes are used to describe the indicators and contextual data of
an event.  The main information contained in an attribute is made up
of a category-type-value triplet, where the category and type give
meaning and context to the value.  Through the various category-type
combinations a wide range of information can be conveyed.

A MISP document MUST include at least the category-type-value triplet
described in section "Attribute Attributes".

2.3.1.  Sample Attribute Object

   "Attribute": {
     "id": "346056",
     "type": "comment",
     "category": "Other",
     "to_ids": false,
     "uuid": "57f4f6d9-cd20-458b-84fd-109ec0a83869",
     "event_id": "3357",
     "distribution": "5",
     "timestamp": "1475679332",
     "comment": "",
     "sharing_group_id": "0",
     "deleted": false,
     "value": "Hello world",
     "SharingGroup": [],
     "ShadowAttribute": [],
     "RelatedAttribute": [],
     "first_seen": "2019-06-02T22:14:28.711954+00:00",
     "last_seen": null
   }

2.3.2.  Attribute Attributes

2.3.2.1.  uuid

uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of
the attribute.  The uuid MUST be preserved for any updates or transfer
of the same attribute.  UUID version 4 is RECOMMENDED when assigning
it to a new attribute.

uuid is represented as a JSON string.  uuid MUST be present.

2.3.2.2.  id

id represents the human-readable identifier associated to the
attribute for a specific MISP instance.
A human-readable identifier MUST be represented as an unsigned
integer.

id is represented as a JSON string.  id SHALL be present.

2.3.2.3.  type

type represents the means through which an attribute tries to
describe the intent of the attribute creator, using a list of
pre-defined attribute types.

type is represented as a JSON string.  type MUST be present and it
MUST be a valid selection for the chosen category.  The list of valid
category-type combinations is as follows:

   Antivirus detection
      link, comment, text, hex, attachment, other, anonymised

   Artifacts dropped
      md5, sha1, sha224, sha256, sha384, sha512, sha512/224,
      sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep,
      imphash, telfhash, impfuzzy, authentihash, vhash, cdhash,
      filename, filename|md5, filename|sha1, filename|sha224,
      filename|sha256, filename|sha384, filename|sha512,
      filename|sha512/224, filename|sha512/256, filename|sha3-224,
      filename|sha3-256, filename|sha3-384, filename|sha3-512,
      filename|authentihash, filename|vhash, filename|ssdeep,
      filename|tlsh, filename|imphash, filename|impfuzzy,
      filename|pehash, regkey, regkey|value, pattern-in-file,
      pattern-in-memory, filename-pattern, pdb, stix2-pattern, yara,
      sigma, attachment, malware-sample, named pipe, mutex,
      process-state, windows-scheduled-task, windows-service-name,
      windows-service-displayname, comment, text, hex,
      x509-fingerprint-sha1, x509-fingerprint-md5,
      x509-fingerprint-sha256, other, cookie, gene, kusto-query,
      mime-type, anonymised, pgp-public-key, pgp-private-key

   Attribution
      threat-actor, campaign-name, campaign-id, whois-registrant-phone,
      whois-registrant-email, whois-registrant-name,
      whois-registrant-org, whois-registrar, whois-creation-date,
      comment, text, x509-fingerprint-sha1, x509-fingerprint-md5,
      x509-fingerprint-sha256, other, dns-soa-email, anonymised, email

   External analysis
      md5, sha1, sha256, sha3-224, sha3-256, sha3-384, sha3-512,
      filename, filename|md5, filename|sha1, filename|sha256,
      filename|sha3-224, filename|sha3-256, filename|sha3-384,
      filename|sha3-512, ip-src, ip-dst, ip-dst|port, ip-src|port,
      mac-address, mac-eui-64, hostname, domain, domain|ip, url,
      user-agent, regkey, regkey|value, AS, snort, bro, zeek,
      pattern-in-file, pattern-in-traffic, pattern-in-memory,
      filename-pattern, vulnerability, cpe, weakness, attachment,
      malware-sample, link, comment, text, x509-fingerprint-sha1,
      x509-fingerprint-md5, x509-fingerprint-sha256,
      ja3-fingerprint-md5, jarm-fingerprint, hassh-md5,
      hasshserver-md5, github-repository, other, cortex, anonymised,
      community-id

   Financial fraud
      btc, dash, xmr, iban, bic, bank-account-nr, aba-rtn, bin,
      cc-number, prtn, phone-number, comment, text, other, hex,
      anonymised

   Internal reference
      text, link, comment, other, hex, anonymised, git-commit-id

   Network activity
      ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain,
      domain|ip, mac-address, mac-eui-64, email, email-dst, email-src,
      eppn, url, uri, user-agent, http-method, AS, snort,
      pattern-in-file, filename-pattern, stix2-pattern,
      pattern-in-traffic, attachment, comment, text,
      x509-fingerprint-md5, x509-fingerprint-sha1,
      x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint,
      hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port,
      bro, zeek, anonymised, community-id, email-subject, favicon-mmh3,
      dkim, dkim-signature, ssh-fingerprint

   Other
      comment, text, other, size-in-bytes, counter, datetime, cpe,
      port, float, hex, phone-number, boolean, anonymised,
      pgp-public-key, pgp-private-key

   Payload delivery
      md5, sha1, sha224, sha256, sha384, sha512, sha512/224,
      sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep,
      imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh,
      cdhash, filename, filename|md5, filename|sha1, filename|sha224,
      filename|sha256, filename|sha384, filename|sha512,
      filename|sha512/224, filename|sha512/256, filename|sha3-224,
      filename|sha3-256, filename|sha3-384, filename|sha3-512,
      filename|authentihash, filename|vhash, filename|ssdeep,
      filename|tlsh, filename|imphash, filename|impfuzzy,
      filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst,
      ip-dst|port, ip-src|port, hostname, domain, email, email-src,
      email-dst, email-subject, email-attachment, email-body, url,
      user-agent, AS, pattern-in-file, pattern-in-traffic,
      filename-pattern, stix2-pattern, yara, sigma, mime-type,
      attachment, malware-sample, link, malware-type, comment, text,
      hex, vulnerability, cpe, weakness, x509-fingerprint-sha1,
      x509-fingerprint-md5, x509-fingerprint-sha256,
      ja3-fingerprint-md5, jarm-fingerprint, hassh-md5,
      hasshserver-md5, other, hostname|port, email-dst-display-name,
      email-src-display-name, email-header, email-reply-to,
      email-x-mailer, email-mime-boundary, email-thread-index,
      email-message-id, mobile-application-id, chrome-extension-id,
      whois-registrant-email, anonymised

   Payload installation
      md5, sha1, sha224, sha256, sha384, sha512, sha512/224,
      sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep,
      imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh,
      cdhash, filename, filename|md5, filename|sha1, filename|sha224,
      filename|sha256, filename|sha384, filename|sha512,
      filename|sha512/224, filename|sha512/256, filename|sha3-224,
      filename|sha3-256, filename|sha3-384, filename|sha3-512,
      filename|authentihash, filename|vhash, filename|ssdeep,
      filename|tlsh, filename|imphash, filename|impfuzzy,
      filename|pehash, pattern-in-file, pattern-in-traffic,
      pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma,
      vulnerability, cpe, weakness, attachment, malware-sample,
      malware-type, comment, text, hex, x509-fingerprint-sha1,
      x509-fingerprint-md5, x509-fingerprint-sha256,
      mobile-application-id, chrome-extension-id, other, mime-type,
      anonymised

   Payload type
      comment, text, other, anonymised

   Persistence mechanism
      filename, regkey, regkey|value, comment, text, other, hex,
      anonymised

   Person
      first-name, middle-name, last-name, full-name, date-of-birth,
      place-of-birth, gender, passport-number, passport-country,
      passport-expiration, redress-number, nationality, visa-number,
      issue-date-of-the-visa, primary-residence, country-of-residence,
      special-service-request, frequent-flyer-number, travel-details,
      payment-details, place-port-of-original-embarkation,
      place-port-of-clearance,
      place-port-of-onward-foreign-destination,
      passenger-name-record-locator-number, comment, text, other,
      phone-number, identity-card-number, anonymised, email,
      pgp-public-key, pgp-private-key

   Social network
      github-username, github-repository, github-organisation,
      jabber-id, twitter-id, email, email-src, email-dst, eppn,
      comment, text, other, whois-registrant-email, anonymised,
      pgp-public-key, pgp-private-key

   Support Tool
      link, text, attachment, comment, other, hex, anonymised

   Targeting data
      target-user, target-email, target-machine, target-org,
      target-location, target-external, comment, anonymised

Attribute types are based on the usage within their different
communities.  The list of types can be extended on a regular basis and
this reference document is updated accordingly.

2.3.2.4.  category

category represents the intent of what the attribute is describing as
selected by the attribute creator, using a list of pre-defined
attribute categories.

category is represented as a JSON string.  category MUST be present
and it MUST be a valid selection for the chosen type.  The list of
valid category-type combinations is given above.

2.3.2.5.  to_ids

to_ids represents whether the attribute is meant to be actionable.
Actionable attributes are those that can be used in automated
processes as a pattern for detection in host-based or network
intrusion detection systems, log analysis tools or even filtering
mechanisms.

to_ids is represented as a JSON boolean.  to_ids MUST be present.

2.3.2.6.  event_id

event_id represents a human-readable identifier referencing the Event
object that the attribute belongs to.  A human-readable identifier
MUST be represented as an unsigned integer.

The event_id SHOULD be updated when the event is imported to reflect
the newly created event's id on the instance.

event_id is represented as a JSON string.  event_id MUST be present.

2.3.2.7.  distribution

distribution represents the basic distribution rules of the
attribute.  The system must adhere to the distribution setting for
access control and for dissemination of the attribute.

distribution is represented by a JSON string.  distribution MUST be
present and be one of the following options:

   0  Your Organisation Only
   1  This Community Only
   2  Connected Communities
   3  All Communities
   4  Sharing Group
   5  Inherit Event

2.3.2.8.  timestamp

timestamp represents a reference time when the attribute was created
or last modified.  timestamp is expressed in seconds (decimal) since
1st of January 1970 (Unix timestamp).  The time zone MUST be UTC.

timestamp is represented as a JSON string.  timestamp MUST be present.

2.3.2.9.  comment

comment is a contextual comment field.

comment is represented by a JSON string.  comment MAY be present.

2.3.2.10.  sharing_group_id

sharing_group_id represents a human-readable identifier referencing a
Sharing Group object that defines the distribution of the attribute,
if distribution level "4" is set.  A human-readable identifier MUST
be represented as an unsigned integer.
sharing_group_id is represented by a JSON string and SHOULD be
present.  If a distribution level other than "4" is chosen, the
sharing_group_id MUST be set to "0".

2.3.2.11.  deleted

deleted represents a setting that allows attributes to be revoked.
Revoked attributes are not actionable and exist merely to inform
other instances of a revocation.

deleted is represented by a JSON boolean.  deleted MUST be present.

2.3.2.12.  data

data contains the base64-encoded contents of an attachment or a
malware sample.  For malware samples, the sample MUST be encrypted
using a password-protected zip archive, with the password being
"infected".

data is represented by a JSON string in base64 encoding.  data MUST be
set for attributes of type malware-sample and attachment.

2.3.2.13.  RelatedAttribute

RelatedAttribute is an array of attributes correlating with the
current attribute.  Each element in the array is a JSON object which
contains an Attribute dictionary with the external attributes that
correlate.  Each Attribute MUST include the id, org_id, info and a
value.  Only the correlations found on the local instance are shown
in RelatedAttribute.

RelatedAttribute MAY be present.

2.3.2.14.  ShadowAttribute

ShadowAttribute is an array of shadow attributes that serve as
proposals by third parties to alter the containing attribute.  The
structure of a ShadowAttribute is similar to that of an Attribute.  A
shadow attribute can be accepted or discarded by the event creator.
If accepted, the original attribute containing the shadow attribute is
removed and the shadow attribute is converted into an attribute.

Each shadow attribute that references an attribute MUST contain the
containing attribute's ID in the old_id field and the event's ID in
the event_id field.

2.3.2.15.  value

value represents the payload of an attribute.
The format of the value is dependent on the type of the attribute.

value is represented by a JSON string.  value MUST be present.

2.3.2.16.  first_seen

first_seen represents a reference time when the attribute was first
seen.  first_seen is expressed as an ISO 8601 datetime with
microsecond precision and time zone support.

first_seen is represented as a JSON string.  first_seen MAY be
present.

2.3.2.17.  last_seen

last_seen represents a reference time when the attribute was last
seen.  last_seen is expressed as an ISO 8601 datetime with microsecond
precision and time zone support.

last_seen is represented as a JSON string.  last_seen MAY be present.

2.4.  ShadowAttribute

ShadowAttributes are third-party created attributes that either
propose to add new information to an event or to modify existing
information.  They are not meant to be actionable until the event
creator accepts them, at which point they are converted into
attributes or modify an existing attribute.

They are similar in structure to Attributes but additionally carry a
reference to the creator of the ShadowAttribute as well as a
revocation flag.

2.4.1.  Sample ShadowAttribute Object

   "ShadowAttribute": {
     "id": "8",
     "type": "ip-src",
     "category": "Network activity",
     "to_ids": false,
     "uuid": "57d475f1-da78-4569-89de-1458c0a83869",
     "event_uuid": "57d475e6-41c4-41ca-b450-145ec0a83869",
     "event_id": "9",
     "old_id": "319",
     "comment": "",
     "org_id": "1",
     "proposal_to_delete": false,
     "value": "5.5.5.5",
     "deleted": false,
     "Org": {
       "id": "1",
       "name": "MISP",
       "uuid": "568cce5a-0c80-412b-8fdf-1ffac0a83869"
     },
     "first_seen": "2019-06-02T22:14:28.711954+00:00",
     "last_seen": null
   }

2.4.2.  ShadowAttribute Attributes

2.4.2.1.  uuid

uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of
the shadow attribute.
The uuid MUST be preserved for any updates or transfer of 697 the same event. UUID version 4 is RECOMMENDED when assigning it to a 698 new event. 700 uuid is represented as a JSON string. uuid MUST be present. 702 2.4.2.2. id 704 id represents the human-readable identifier associated to the event 705 for a specific MISP instance. human-readable identifier MUST be 706 represented as an unsigned integer. id is represented as a JSON 707 string. id SHALL be present. 709 2.4.2.3. type 711 type represents the means through which an attribute tries to 712 describe the intent of the attribute creator, using a list of pre- 713 defined attribute types. 715 type is represented as a JSON string. type MUST be present and it 716 MUST be a valid selection for the chosen category. The list of valid 717 category-type combinations is as follows: 719 Antivirus detection link, comment, text, hex, attachment, other, 720 anonymised 721 Artifacts dropped md5, sha1, sha224, sha256, sha384, sha512, 722 sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, 723 ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, cdhash, 724 filename, filename|md5, filename|sha1, filename|sha224, 725 filename|sha256, filename|sha384, filename|sha512, 726 filename|sha512/224, filename|sha512/256, filename|sha3-224, 727 filename|sha3-256, filename|sha3-384, filename|sha3-512, 728 filename|authentihash, filename|vhash, filename|ssdeep, 729 filename|tlsh, filename|imphash, filename|impfuzzy, 730 filename|pehash, regkey, regkey|value, pattern-in-file, pattern- 731 in-memory, filename-pattern, pdb, stix2-pattern, yara, sigma, 732 attachment, malware-sample, named pipe, mutex, process-state, 733 windows-scheduled-task, windows-service-name, windows-service- 734 displayname, comment, text, hex, x509-fingerprint-sha1, x509- 735 fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene, 736 kusto-query, mime-type, anonymised, pgp-public-key, pgp-private- 737 key 738 Attribution threat-actor, 
   campaign-name, campaign-id, whois-registrant-phone, whois-registrant-email, whois-registrant-name, whois-registrant-org, whois-registrar, whois-creation-date, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, dns-soa-email, anonymised, email

External analysis
   md5, sha1, sha256, sha3-224, sha3-256, sha3-384, sha3-512, filename, filename|md5, filename|sha1, filename|sha256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, ip-src, ip-dst, ip-dst|port, ip-src|port, mac-address, mac-eui-64, hostname, domain, domain|ip, url, user-agent, regkey, regkey|value, AS, snort, bro, zeek, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, vulnerability, cpe, weakness, attachment, malware-sample, link, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, github-repository, other, cortex, anonymised, community-id

Financial fraud
   btc, dash, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, phone-number, comment, text, other, hex, anonymised

Internal reference
   text, link, comment, other, hex, anonymised, git-commit-id

Network activity
   ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email, email-dst, email-src, eppn, url, uri, user-agent, http-method, AS, snort, pattern-in-file, filename-pattern, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised, community-id, email-subject, favicon-mmh3, dkim, dkim-signature, ssh-fingerprint

Other
   comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean, anonymised, pgp-public-key, pgp-private-key

Payload delivery
   md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, filename-pattern, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised

Payload installation
   md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash,
   filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma, vulnerability, cpe, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, chrome-extension-id, other, mime-type, anonymised

Payload type
   comment, text, other, anonymised

Persistence mechanism
   filename, regkey, regkey|value, comment, text, other, hex, anonymised

Person
   first-name, middle-name, last-name, full-name, date-of-birth, place-of-birth, gender, passport-number, passport-country, passport-expiration, redress-number, nationality, visa-number, issue-date-of-the-visa, primary-residence, country-of-residence, special-service-request, frequent-flyer-number, travel-details, payment-details, place-port-of-original-embarkation, place-port-of-clearance, place-port-of-onward-foreign-destination, passenger-name-record-locator-number, comment, text, other, phone-number, identity-card-number, anonymised, email, pgp-public-key, pgp-private-key

Social network
   github-username, github-repository, github-organisation, jabber-id, twitter-id, email, email-src, email-dst, eppn, comment, text, other, whois-registrant-email, anonymised, pgp-public-key, pgp-private-key

Support Tool
   link, text, attachment, comment, other, hex, anonymised

Targeting data
   target-user, target-email, target-machine, target-org, target-location, target-external, comment, anonymised

Attributes are based on the usage within their different communities. Attributes can be extended on a regular basis and this reference document is updated accordingly.

2.4.2.4. category

category represents the intent of what the attribute is describing as selected by the attribute creator, using a list of pre-defined attribute categories.

category is represented as a JSON string. category MUST be present and it MUST be a valid selection for the chosen type. The list of valid category-type combinations is mentioned above.

2.4.2.5. to_ids

to_ids represents whether the Attribute to be created, if the ShadowAttribute is accepted, is meant to be actionable. Actionable defines attributes that can be used in automated processes as a pattern for detection in Local or Network Intrusion Detection Systems, log analysis tools or even filtering mechanisms.

to_ids is represented as a JSON boolean. to_ids MUST be present.

2.4.2.6. event_id

event_id represents a human-readable identifier referencing the Event object that the ShadowAttribute belongs to.

The event_id SHOULD be updated when the event is imported to reflect the newly created event's id on the instance.

event_id is represented as a JSON string. event_id MUST be present.

2.4.2.7. old_id

old_id represents a human-readable identifier referencing the Attribute object that the ShadowAttribute belongs to. In this way a ShadowAttribute can target an existing Attribute, implying that it is a proposal to modify an existing Attribute, or alternatively it can be a proposal to create a new Attribute for the containing Event.

The old_id SHOULD be updated when the event is imported to reflect the newly created Attribute's id on the instance. Alternatively, if the ShadowAttribute proposes the creation of a new Attribute, it should be set to 0.

old_id is represented as a JSON string. old_id MUST be present.

2.4.2.8. timestamp

timestamp represents a reference time when the attribute was created or last modified.
timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone MUST be UTC.

timestamp is represented as a JSON string. timestamp MUST be present.

2.4.2.9. comment

comment is a contextual comment field.

comment is represented by a JSON string. comment MAY be present.

2.4.2.10. org_id

org_id represents a human-readable identifier referencing the proposal creator's Organisation object. A human-readable identifier MUST be represented as an unsigned integer.

Whilst attributes can only be created by the event creator organisation, shadow attributes can be created by third parties. org_id tracks the creator organisation.

org_id is represented by a JSON string and MUST be present.

2.4.2.11. proposal_to_delete

proposal_to_delete is a boolean flag that sets whether the shadow attribute proposes to alter an attribute, or whether it proposes to remove it completely.

Accepting a shadow attribute with this flag set will remove the target attribute.

proposal_to_delete is a JSON boolean and it MUST be present. If proposal_to_delete is set to true, old_id MUST NOT be 0.

2.4.2.12. deleted

deleted represents a setting that allows shadow attributes to be revoked. Revoked shadow attributes only serve to inform other instances that the shadow attribute is no longer active.

deleted is represented by a JSON boolean. deleted SHOULD be present.

2.4.2.13. data

data contains the base64 encoded contents of an attachment or a malware sample. For malware samples, the sample MUST be encrypted using a password protected zip archive, with the password being "infected".

data is represented by a JSON string in base64 encoding. data MUST be set for shadow attributes of type malware-sample and attachment.

2.4.2.14. first_seen

first_seen represents a reference time when the attribute was first seen. first_seen is expressed as an ISO 8601 datetime up to the micro-second with time zone support.

first_seen is represented as a JSON string. first_seen MAY be present.

2.4.2.15. last_seen

last_seen represents a reference time when the attribute was last seen. last_seen is expressed as an ISO 8601 datetime up to the micro-second with time zone support.

last_seen is represented as a JSON string. last_seen MAY be present.

2.4.2.16. value

value represents the payload of an attribute. The format of the value is dependent on the type of the attribute.

value is represented by a JSON string. value MUST be present.

2.4.3. ShadowAttribute Objects

2.4.3.1. Org

An Org object is composed of a uuid, name and id.

The uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the organization. The organization UUID is globally assigned to an organization and SHALL be kept over time.

The name is a readable description of the organization and SHOULD be present. The id is a human-readable identifier generated by the instance and used as reference in the event. A human-readable identifier MUST be represented as an unsigned integer.

uuid, name and id are represented as a JSON string. uuid, name and id MUST be present.

2.4.3.1.1. Sample Org Object

   "Org": {
     "id": "2",
     "name": "CIRCL",
     "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
   }

2.5. Object

Objects serve as a contextual bond between a list of attributes within an event. Their main purpose is to describe more complex structures than can be described by a single attribute. Each object is created using an Object Template and carries the meta-data of the template used for its creation within. Objects belong to a meta-category and are defined by a name.

The schema used is described by the template_uuid and template_version fields.
A MISP document containing an Object MUST contain a name, a meta-category, a description, a template_uuid and a template_version as described in the "Object Attributes" section.

2.5.1. Sample Object

   "Object": {
     "id": "588",
     "name": "file",
     "meta-category": "file",
     "description": "File object describing a file with meta-information",
     "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
     "template_version": "3",
     "event_id": "56",
     "uuid": "398b0094-0384-4c48-9bf0-22b3dff9c4d3",
     "timestamp": "1505747965",
     "distribution": "5",
     "sharing_group_id": "0",
     "comment": "",
     "deleted": false,
     "ObjectReference": [],
     "Attribute": [
       {
         "id": "7822",
         "type": "filename",
         "category": "Payload delivery",
         "to_ids": true,
         "uuid": "59bfe3fb-bde0-4dfe-b5b1-2b10a07724d1",
         "event_id": "56",
         "distribution": "0",
         "timestamp": "1505747963",
         "comment": "",
         "sharing_group_id": "0",
         "deleted": false,
         "disable_correlation": false,
         "object_id": "588",
         "object_relation": "filename",
         "value": "StarCraft.exe",
         "ShadowAttribute": [],
         "first_seen": null,
         "last_seen": null
       }
     ],
     "first_seen": "2019-06-02T22:14:28.711954+00:00",
     "last_seen": null
   }

2.5.2. Object Attributes

2.5.2.1. uuid

uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the object. The uuid MUST be preserved for any updates or transfer of the same object. UUID version 4 is RECOMMENDED when assigning it to a new object.

2.5.2.2. id

id represents the human-readable identifier associated to the object for a specific MISP instance. A human-readable identifier MUST be represented as an unsigned integer.

id is represented as a JSON string. id SHALL be present.

2.5.2.3. name

name represents the human-readable name of the object describing the intent of the object package.

name is represented as a JSON string. name MUST be present.

2.5.2.4. meta-category

meta-category represents the sub-category of objects that the given object belongs to. meta-categories are not tied to a fixed list of options but can be created on the fly.

meta-category is represented as a JSON string. meta-category MUST be present.

2.5.2.5. description

description is a human-readable description of the given object type, as derived from the template used for creation.

description is represented as a JSON string. description SHALL be present.

2.5.2.6. template_uuid

template_uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the template used to create the object. The uuid MUST be preserved to preserve the object's association with the correct template used for creation. UUID version 4 is RECOMMENDED when assigning it to a new object.

template_uuid is represented as a JSON string. template_uuid MUST be present.

2.5.2.7. template_version

template_version represents a numeric incrementing version of the template used to create the object. It is used to associate the object to the correct version of the template and together with the template_uuid forms an association to the correct template type and version.

template_version is represented as a JSON string. template_version MUST be present.

2.5.2.8. event_id

event_id represents the human-readable identifier of the event that the object belongs to on a specific MISP instance. A human-readable identifier MUST be represented as an unsigned integer.

event_id is represented as a JSON string. event_id SHALL be present.

2.5.2.9. timestamp

timestamp represents a reference time when the object was created or last modified. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone MUST be UTC.

timestamp is represented as a JSON string. timestamp MUST be present.

2.5.2.10. distribution

distribution represents the basic distribution rules of the object. The system must adhere to the distribution setting for access control and for dissemination of the object.

distribution is represented by a JSON string. distribution MUST be present and be one of the following options:

   0  Your Organisation Only
   1  This Community Only
   2  Connected Communities
   3  All Communities
   4  Sharing Group

2.5.2.11. sharing_group_id

sharing_group_id represents a human-readable identifier referencing a Sharing Group object that defines the distribution of the object, if distribution level "4" is set. A human-readable identifier MUST be represented as an unsigned integer.

sharing_group_id is represented by a JSON string and SHOULD be present. If a distribution level other than "4" is chosen the sharing_group_id MUST be set to "0".

2.5.2.12. comment

comment is a contextual comment field.

comment is represented by a JSON string. comment MAY be present.

2.5.2.13. deleted

deleted represents a setting that allows objects to be revoked. Revoked objects are not actionable and exist merely to inform other instances of a revocation.

deleted is represented by a JSON boolean. deleted MUST be present.

2.5.2.14. Attribute

Attribute is an array of attributes that describe the object with data.

Each attribute in an object MUST contain the parent event's ID in the event_id field and the parent object's ID in the object_id field.

2.5.2.15. first_seen

first_seen represents a reference time when the object was first seen. first_seen is expressed as an ISO 8601 datetime up to the micro-second with time zone support.

first_seen is represented as a JSON string. first_seen MAY be present.

2.5.2.16. last_seen

last_seen represents a reference time when the object was last seen. last_seen is expressed as an ISO 8601 datetime up to the micro-second with time zone support.

last_seen is represented as a JSON string. last_seen MAY be present.

2.6. Object References

Object References serve as a logical link between an Object and another referenced Object or Attribute. The relationship is categorised by an enumerated value from a fixed vocabulary.

Taking the relationship_type from the MISP object relationship list [MISP-R] is RECOMMENDED to ensure a coherent naming of the relationships.

All Object References MUST contain an object_uuid, a referenced_uuid and a relationship type.

2.6.1. Sample ObjectReference object

   "ObjectReference": {
     "id": "195",
     "uuid": "59c21a2c-c0ac-4083-93b3-363da07724d1",
     "timestamp": "1505892908",
     "object_id": "591",
     "event_id": "113",
     "referenced_id": "590",
     "referenced_type": "1",
     "relationship_type": "derived-from",
     "comment": "",
     "deleted": false,
     "object_uuid": "59c1134d-8a40-4c14-ad94-0f7ba07724d1",
     "referenced_uuid": "59c1133c-9adc-4d06-a34b-0f7ca07724d1"
   }

2.6.2. ObjectReference Attributes

2.6.2.1. uuid

uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the object reference. The uuid MUST be preserved for any updates or transfer of the same object reference. UUID version 4 is RECOMMENDED when assigning it to a new object reference.

2.6.2.2. id

id represents the human-readable identifier associated to the object reference for a specific MISP instance.
id is represented as a JSON string. id SHALL be present.

2.6.2.3. timestamp

timestamp represents a reference time when the object was created or last modified. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone MUST be UTC.

timestamp is represented as a JSON string. timestamp MUST be present.

2.6.2.4. object_id

object_id represents the human-readable identifier of the object that the object reference belongs to on a specific MISP instance. A human-readable identifier MUST be represented as an unsigned integer.

object_id is represented as a JSON string. object_id SHALL be present.

2.6.2.5. event_id

event_id represents the human-readable identifier of the event that the object reference belongs to on a specific MISP instance. A human-readable identifier MUST be represented as an unsigned integer.

event_id is represented as a JSON string. event_id SHALL be present.

2.6.2.6. referenced_id

referenced_id represents the human-readable identifier of the object or attribute that the parent object of the object reference points to on a specific MISP instance.

referenced_id is represented as a JSON string. referenced_id MAY be present.

2.6.2.7. referenced_type

referenced_type represents the numeric value describing what the object reference points to, "0" representing an attribute and "1" representing an object.

referenced_type is represented as a JSON string. referenced_type MAY be present.

2.6.2.8. relationship_type

relationship_type represents the human-readable context of the relationship between an object and another object or attribute as described by the object_reference.

relationship_type is represented as a JSON string. relationship_type MUST be present.

2.6.2.9. comment

comment is a contextual comment field.
comment is represented by a JSON string. comment MAY be present.

2.6.2.10. deleted

deleted represents a setting that allows object references to be revoked. Revoked object references are not actionable and exist merely to inform other instances of a revocation.

deleted is represented by a JSON boolean. deleted MUST be present.

2.6.2.11. object_uuid

object_uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the object that the given object reference belongs to. The object_uuid MUST be preserved to preserve the object reference's association with the object.

2.6.2.12. referenced_uuid

referenced_uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the object or attribute that is being referenced by the object reference. The referenced_uuid MUST be preserved to preserve the object reference's association with the object or attribute.

2.7. EventReport

EventReports are used to complement an event with one or more reports in Markdown format. The EventReport contains unstructured information which can be linked to Attributes, Objects, Tags or Galaxies with an extension to the Markdown markup language.

2.7.1. id

id represents the human-readable identifier associated to the EventReport for a specific MISP instance. A human-readable identifier MUST be represented as an unsigned integer.

id is represented as a JSON string. id SHALL be present.

2.7.2. UUID

uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the EventReport. The uuid MUST be preserved for any updates or transfer of the same EventReport. UUID version 4 is RECOMMENDED when assigning it to a new EventReport.

uuid is represented as a JSON string. uuid MUST be present.

2.7.3. event_id

event_id represents the human-readable identifier associating the EventReport to an event on a specific MISP instance. A human-readable identifier MUST be represented as an unsigned integer.

event_id is represented as a JSON string. event_id MUST be present.

2.7.4. name

name represents the information field of the EventReport. name is a free-text value to provide a human-readable summary of the report. name SHOULD NOT be bigger than 256 characters and SHOULD NOT include new-lines.

name is represented as a JSON string. name MUST be present.

2.7.5. content

content includes the raw EventReport in Markdown format with or without the specific MISP Markdown markup extension.

The Markdown extension for MISP is composed of a prefix symbol, followed by the scope (attribute, object, tag or galaxymatrix) between square brackets, followed by the UUID in parentheses.

content is represented as a JSON string. content MUST be present.

2.7.6. distribution

distribution represents the basic distribution rules of the EventReport. The system must adhere to the distribution setting for access control and for dissemination of the EventReport.

distribution is represented by a JSON string. distribution MUST be present and be one of the following options:

   0  Your Organisation Only
   1  This Community Only
   2  Connected Communities
   3  All Communities
   4  Sharing Group
   5  Inherit Event

2.7.7. sharing_group_id

sharing_group_id represents the local id, on the local MISP instance, of the Sharing Group associated for the distribution.

sharing_group_id is represented by a JSON string. sharing_group_id MUST be present and set to "0" if not used.

2.7.8. timestamp

timestamp represents a reference time when the EventReport was created or last modified.
timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone MUST be UTC.

timestamp is represented as a JSON string. timestamp MUST be present.

2.7.9. deleted

deleted represents a setting that allows an EventReport to be revoked. Revoked EventReports are not actionable and exist merely to inform other instances of a revocation.

deleted is represented by a JSON boolean. deleted MUST be present.

2.8. Tag

A tag is a simple method to classify an event with a simple string. The tag name can be freely chosen. The tag name can also be chosen from a fixed machine-tag vocabulary called MISP taxonomies [MISP-T]. When an event is distributed outside an organisation, the use of MISP taxonomies [MISP-T] is RECOMMENDED to ensure a coherent naming of the tags. A tag is represented as a JSON array where each element describes each tag associated. A tag array SHALL be at event level or attribute level. A tag element is described with a name, id, colour and exportable flag.

exportable represents a setting if the tag is kept local or exportable to other MISP instances. exportable is represented by a JSON boolean. id is a human-readable identifier that references the tag on the local instance. colour represents an RGB value of the tag.

name MUST be present. colour, id and exportable SHALL be present.

2.8.1. Sample Tag

   "Tag": [{
     "exportable": true,
     "colour": "#ffffff",
     "name": "tlp:white",
     "id": "2" }]

2.9. Sighting

A sighting is an ascertainment which describes whether an attribute has been seen under a given set of conditions. The sighting can include the organisation who sighted the attribute or can be anonymised. Sighting is composed of a JSON array in which each element describes one singular instance of a sighting. A sighting element is a JSON object composed of the following values:

type MUST be present. type describes the type of a sighting. MISP allows 3 default types:

   +===============+==========================================+
   | Sighting type | Description                              |
   +===============+==========================================+
   | 0             | denotes an attribute which has been seen |
   +---------------+------------------------------------------+
   | 1             | denotes an attribute which has been seen |
   |               | and confirmed as false-positive          |
   +---------------+------------------------------------------+
   | 2             | denotes an attribute which will be       |
   |               | expired at the time of the sighting      |
   +---------------+------------------------------------------+

                                Table 1

uuid MUST be present. uuid references the uuid of the sighted attribute.

date_sighting MUST be present. date_sighting is expressed in seconds (decimal) elapsed since 1st of January 1970 (Unix timestamp). date_sighting represents when the referenced attribute, designated by its uuid, is sighted.

source MAY be present. source is represented as a JSON string and represents the human-readable version of the sighting source, which can be a given piece of software (e.g. SIEM), device or a specific analytical process.

id, event_id and attribute_id are represented as a JSON string and MAY be present.

id represents the human-readable identifier of the sighting reference which belongs to a specific MISP instance. event_id represents the human-readable identifier of the event referenced by the sighting and belongs to a specific MISP instance. attribute_id represents the human-readable identifier of the attribute referenced by the sighting and belongs to a specific MISP instance.

org_id MAY be present along with the JSON object describing the organisation.
If the org_id is not present, the sighting is considered as anonymised.

org_id represents the human-readable identifier of the organisation which did the sighting and belongs to a specific MISP instance.

A human-readable identifier MUST be considered as an unsigned integer.

2.9.1. Sample Sighting

   "Sighting": [
     {
       "id": "13599",
       "attribute_id": "1201615",
       "event_id": "10164",
       "org_id": "2",
       "date_sighting": "1517581400",
       "uuid": "5a747459-41b4-4826-9b29-42dd950d210f",
       "source": "M2M-CIRCL",
       "type": "0",
       "Organisation": {
         "id": "2",
         "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f",
         "name": "CIRCL"
       }
     },
     {
       "id": "13601",
       "attribute_id": "1201615",
       "event_id": "10164",
       "org_id": "2",
       "date_sighting": "1517581401",
       "uuid": "5a74745a-a190-4d04-b719-4916950d210f",
       "source": "M2M-CIRCL",
       "type": "0",
       "Organisation": {
         "id": "2",
         "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f",
         "name": "CIRCL"
       }
     }
   ]

2.10. Galaxy

A galaxy is a simple method to express a large object called cluster that can be attached to MISP events. A cluster can be composed of one or more elements. Elements are expressed as key-values.

2.10.1. Sample Galaxy

   "Galaxy": [ {
     "id": "18",
     "uuid": "698774c7-8022-42c4-917f-8d6e4f06ada3",
     "name": "Threat Actor",
     "type": "threat-actor",
     "description": "Threat actors are characteristics of malicious actors (or adversaries) representing a cyber attack threat including presumed intent and historically observed behaviour.",
     "version": "1",
     "GalaxyCluster": [
       {
         "id": "1699",
         "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
         "type": "threat-actor",
         "value": "Anunak",
         "tag_name": "misp-galaxy:threat-actor=\"Anunak\"",
         "description": "Groups targeting financial organizations or people with significant financial assets.",
         "galaxy_id": "18",
         "source": "MISP Project",
         "authors": [
           "Alexandre Dulaunoy",
           "Florian Roth",
           "Thomas Schreck",
           "Timo Steffens",
           "Various"
         ],
         "tag_id": "111",
         "meta": {
           "synonyms": [ "Carbanak", "Carbon Spider" ],
           "country": [ "RU" ],
           "motive": [ "Cybercrime" ]
         }
       }
     ]
   } ]

3. JSON Schema

The JSON Schema [JSON-SCHEMA] below defines the structure of the MISP core format as literally described before. The JSON Schema is used to validate MISP events at creation time or parsing.
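Before the schema itself, an added example (not part of the draft and not MISP project code) that turns the MUST-level rules stated in sections 2.4, 2.5, 2.6 and 2.9 above into executable checks using only the Python standard library. The ShadowAttribute sample is built from the values in section 2.4.1; the distribution levels are the five listed in 2.5.2.10, so an Object carrying the "5" of the 2.5.1 sample is reported, which follows the text of this section rather than any MISP runtime behaviour.

```python
"""Checks for the MUST-level rules of sections 2.4 (ShadowAttribute), 2.5 (Object),
2.6 (ObjectReference) and 2.9 (Sighting); added example, not MISP code."""
import uuid as uuidlib
from datetime import datetime

DISTRIBUTION_LEVELS = {"0", "1", "2", "3", "4"}  # 2.5.2.10
SIGHTING_TYPES = {"0", "1", "2"}                  # Table 1

# Constructed sample; the values are taken from the ShadowAttribute sample in 2.4.1
SAMPLE_SHADOW_ATTRIBUTE = {
    "id": "8", "type": "ip-src", "category": "Network activity", "to_ids": False,
    "uuid": "57d475f1-da78-4569-89de-1458c0a83869", "event_id": "9", "old_id": "319",
    "org_id": "1", "proposal_to_delete": False, "value": "5.5.5.5", "deleted": False,
    "first_seen": "2019-06-02T22:14:28.711954+00:00", "last_seen": None,
}

def is_id_string(v):  # human-readable identifiers: unsigned integers in JSON strings
    return isinstance(v, str) and v.isdigit()

def is_uuid_string(v):
    try:
        return bool(uuidlib.UUID(v))
    except (ValueError, TypeError, AttributeError):
        return False

def is_seen_time(v):
    """first_seen / last_seen: null, or an ISO 8601 datetime carrying a time zone."""
    try:
        return v is None or datetime.fromisoformat(v).tzinfo is not None
    except (ValueError, TypeError):
        return False

def check_shadow_attribute(sa):
    """2.4.2: list of violated rules, empty when valid (timestamp, a MUST in 2.4.2.8,
    is absent from the draft's own sample, so it is only checked when present)."""
    required = ("uuid", "id", "type", "category", "to_ids", "event_id",
                "old_id", "org_id", "proposal_to_delete", "value")
    errors = [f"{k} MUST be present" for k in required if k not in sa]
    if not is_uuid_string(sa.get("uuid")):
        errors.append("uuid MUST be a UUID string")
    for k in ("id", "event_id", "old_id", "org_id", "timestamp"):
        if k in sa and not is_id_string(sa[k]):
            errors.append(f"{k} MUST be an unsigned integer in a JSON string")
    for k in ("to_ids", "proposal_to_delete", "deleted"):
        if k in sa and not isinstance(sa[k], bool):
            errors.append(f"{k} MUST be a JSON boolean")
    if sa.get("proposal_to_delete") is True and sa.get("old_id") == "0":
        errors.append("old_id MUST NOT be 0 when proposal_to_delete is true")
    if sa.get("type") in ("malware-sample", "attachment") and not sa.get("data"):
        errors.append("data MUST be set for malware-sample and attachment")
    for k in ("first_seen", "last_seen"):
        if k in sa and not is_seen_time(sa[k]):
            errors.append(f"{k} MUST be an ISO 8601 datetime with time zone")
    return errors

def check_distribution(doc, what):
    """2.5.2.10/11: level 0-4, and sharing_group_id "0" unless the level is 4."""
    dist, sgid = doc.get("distribution"), doc.get("sharing_group_id", "0")
    errors = [f"{what}: distribution MUST be one of 0-4"] if dist not in DISTRIBUTION_LEVELS else []
    if dist != "4" and sgid != "0":
        errors.append(f'{what}: sharing_group_id MUST be "0" unless distribution is "4"')
    return errors

def check_object(obj):
    """2.5.2: required fields, identifier types, distribution and child linkage."""
    required = ("name", "meta-category", "description", "template_uuid",
                "template_version", "uuid", "timestamp", "distribution", "deleted")
    errors = [f"Object: {k} MUST be present" for k in required if k not in obj]
    for k in ("uuid", "template_uuid"):
        if not is_uuid_string(obj.get(k)):
            errors.append(f"Object: {k} MUST be a UUID string")
    for k in ("id", "event_id", "template_version", "timestamp"):
        if k in obj and not is_id_string(obj[k]):
            errors.append(f"Object: {k} MUST be an unsigned integer in a JSON string")
    errors += check_distribution(obj, "Object")
    for attr in obj.get("Attribute", []):  # 2.5.2.14: children carry the parent ids
        if attr.get("event_id") != obj.get("event_id") or attr.get("object_id") != obj.get("id"):
            errors.append(f"Object: attribute {attr.get('uuid')} MUST reference its parent")
    return errors

def check_object_reference(ref):
    """2.6: object_uuid, referenced_uuid and relationship_type MUST be present."""
    required = ("object_uuid", "referenced_uuid", "relationship_type")
    errors = [f"ObjectReference: {k} MUST be present" for k in required if k not in ref]
    for k in ("uuid", "object_uuid", "referenced_uuid"):
        if k in ref and not is_uuid_string(ref[k]):
            errors.append(f"ObjectReference: {k} MUST be a UUID string")
    if ref.get("referenced_type", "0") not in ("0", "1"):  # 2.6.2.7
        errors.append('ObjectReference: referenced_type MUST be "0" (attribute) or "1" (object)')
    return errors

def check_sighting(s):
    """2.9: type, uuid and date_sighting MUST be present; a missing org_id means anonymised."""
    errors = [f"Sighting: {k} MUST be present" for k in ("type", "uuid", "date_sighting") if k not in s]
    if s.get("type") not in SIGHTING_TYPES:
        errors.append("Sighting: type MUST be 0, 1 or 2 (Table 1)")
    if "date_sighting" in s and not is_id_string(s["date_sighting"]):
        errors.append("Sighting: date_sighting MUST be a Unix timestamp in a JSON string")
    return errors
```

Each function returns the full list of violated rules instead of raising on the first one, so an import pipeline can log every problem with a proposal before rejecting it. Identifiers and Unix times are deliberately left as strings, because the format carries them as JSON strings and a sync partner that sends a bare integer is already outside the format.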
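The EventReport content syntax of section 2.7.5, as an added example that is not part of the draft or of MISP: an extractor that pulls the scope/UUID references out of a report and lists the ones that do not resolve inside the event being imported, which is the check a receiving instance needs before it trusts the links in a third-party report. The "@" prefix is an assumption of this example, since the text above only says "a prefix symbol"; the sample report is constructed and reuses UUIDs from the samples in this section.

```python
"""Extract MISP Markdown-extension references from an EventReport; added example, not MISP code.
Section 2.7.5: a prefix symbol, the scope in square brackets, the UUID in parentheses.
The "@" prefix is an assumption of this example, the draft does not spell the symbol out."""
import re
import uuid as uuidlib

SCOPES = ("attribute", "object", "tag", "galaxymatrix")  # 2.7.5
REFERENCE_RE = re.compile(r"@\[(" + "|".join(SCOPES) + r")\]\(([0-9a-fA-F-]{36})\)")


def extract_references(content):
    """Return (scope, uuid) pairs in document order; malformed UUIDs are dropped."""
    refs = []
    for scope, value in REFERENCE_RE.findall(content):
        try:
            refs.append((scope, str(uuidlib.UUID(value))))  # normalises case
        except ValueError:
            pass  # right length and alphabet, but not a UUID
    return refs


def dangling_references(content, known_uuids):
    """UUIDs the report points at that the receiving event does not contain."""
    return sorted({u for _, u in extract_references(content)} - set(known_uuids))


# Constructed sample report: the object and attribute UUIDs reuse the samples in
# sections 2.5.1 and 2.4.1 above, the tag UUID is made up for this example.
SAMPLE_REPORT = (
    "# Dropper analysis\n\n"
    "The file @[object](398b0094-0384-4c48-9bf0-22b3dff9c4d3) contacted "
    "@[attribute](57d475f1-da78-4569-89de-1458c0a83869); see also "
    "@[tag](11111111-2222-4333-8444-555555555555) and a plain link [object](notalink).\n"
)
```

Running `dangling_references(SAMPLE_REPORT, uuids_in_event)` on import flags the tag reference as unresolved when the receiving event has only the object and the attribute, which is the usual symptom of a report that was shared without the tag it cites.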
   {
     "$schema": "http://json-schema.org/draft-04/schema#",
     "title": "Validator for misp events",
     "id": "https://github.com/MISP/MISP/blob/2.4/format/2.4/schema.json",
     "defs": {
       "org": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "id": { "type": "string" },
           "name": { "type": "string" },
           "uuid": { "type": "string" }
         },
         "required": [ "uuid" ]
       },
       "orgc": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "id": { "type": "string" },
           "name": { "type": "string" },
           "uuid": { "type": "string" }
         },
         "required": [ "uuid" ]
       },
       "sharing_group": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "id": { "type": "string" },
           "name": { "type": "string" },
           "releasability": { "type": "string" },
           "description": { "type": "string" },
           "uuid": { "type": "string" },
           "organisation_uuid": { "type": "string" },
           "org_id": { "type": "string" },
           "sync_user_id": { "type": "string" },
           "active": { "type": "boolean" },
           "created": { "type": "string" },
           "modified": { "type": "string" },
           "local": { "type": "boolean" },
           "roaming": { "type": "boolean" },
           "Organisation": { "$ref": "#/defs/org" },
           "SharingGroupOrg": {
             "type": "array",
             "uniqueItems": true,
             "items": { "$ref": "#/defs/sharing_group_org" }
           },
           "SharingGroupServer": {
             "type": "array",
             "uniqueItems": true,
             "items": { "$ref": "#/defs/sharing_group_server" }
           }
         },
         "required": [ "uuid" ]
       },
       "sharing_group_org": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "id": { "type": "string" },
           "sharing_group_id": { "type": "string" },
           "org_id": { "type": "string" },
           "extend": { "type": "boolean" },
           "Organisation": { "$ref": "#/defs/org" }
         }
       },
       "sharing_group_server": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "id": { "type": "string" },
           "sharing_group_id": { "type": "string" },
           "server_id": { "type": "string" },
           "all_orgs": { "type": "boolean" },
           "Server": { "$ref": "#/defs/server" }
         }
       },
       "server": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "id": { "type": "string" },
           "url": { "type": "string" },
           "name": { "type": "string" }
         }
       },
       "object": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "uuid": { "type": "string" },
           "name": { "type": "string" },
           "event_id": { "type": "string" },
           "description": { "type": "string" },
           "template_uuid": { "type": "string" },
           "template_version": { "type": "string" },
           "id": { "type": "string" },
           "meta-category": { "type": "string" },
           "deleted": { "type": "boolean" },
           "timestamp": { "type": "string" },
           "first_seen": { "type": "string" },
           "last_seen": { "type": "string" },
           "distribution": { "type": "string" },
           "sharing_group_id": { "type": "string" },
           "comment": { "type": "string" },
           "ObjectReference": {
             "type": "array",
             "uniqueItems": true,
             "items": { "$ref": "#/defs/objectreference" }
           },
           "Attribute": {
             "type": "array",
             "uniqueItems": true,
             "items": { "$ref": "#/defs/attribute" }
           }
         }
       },
       "sighthing": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "id": { "type": "string" },
           "attribute_id": { "type": "string" },
           "event_id": { "type": "string" },
           "source": { "type": "string" },
           "type": { "type": "string" },
           "org_id": { "type": "string" },
           "date_sighting": { "type": "string" },
           "uuid": { "type": "string" },
           "Organisation": { "$ref": "#/defs/organisation" }
         }
       },
       "organisation": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "id": { "type": "string" },
           "uuid": { "type": "string" },
           "name": { "type": "string" }
         }
       },
       "objectreference": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "deleted": { "type": "boolean" },
           "object_id": { "type": "string" },
           "event_id": { "type": "string" },
           "timestamp": { "type": "string" },
           "id": { "type": "string" },
           "uuid": { "type": "string" },
           "type": { "type": "string" },
           "referenced_id": { "type": "string" },
           "referenced_uuid": { "type": "string" },
           "referenced_type": { "type": "string" },
           "relationship_type": { "type": "string" },
           "object_uuid": { "type": "string" },
           "comment": { "type": "string" },
           "Object": { "$ref": "#/defs/object" }
         }
       },
       "attribute": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "id": { "type": "string" },
           "old_id": { "type": "string" },
           "type": { "type": "string" },
           "category": { "type": "string" },
           "to_ids": { "type": "boolean" },
           "uuid": { "type": "string" },
           "event_id": { "type": "string" },
           "event_uuid": { "type": "string" },
           "proposal_to_delete": { "type": "boolean" },
           "validationIssue": { "type": "boolean" },
           "Org": { "$ref": "#/defs/organisation" },
           "org_id": { "type": "string" },
           "distribution": { "type": "string" },
           "timestamp": { "type": "string" },
           "first_seen": { "type": "string" },
           "last_seen": { "type": "string" },
           "comment": { "type": "string" },
           "sharing_group_id": { "type": "string" },
           "deleted": { "type": "boolean" },
           "disable_correlation": { "type": "boolean" },
           "value": { "type": "string" },
           "data": { "type": "string" },
           "object_relation": { "type": ["string", "null"] },
           "object_id": { "type": "string" },
           "SharingGroup": { "$ref": "#/defs/sharing_group" },
           "ShadowAttribute": {
             "type": "array",
             "uniqueItems": true,
             "items": { "$ref": "#/defs/attribute" }
           },
           "Sighting": {
             "type": "array",
             "uniqueItems": true,
             "items": { "$ref": "#/defs/sighthing" }
           },
           "Galaxy": {
             "type": "array",
             "uniqueItems": true,
             "items": { "$ref": "#/defs/galaxy" }
           },
           "Tag": {
             "type": "array",
             "uniqueItems": true,
             "items": { "$ref": "#/defs/tag" }
           }
         }
       },
       "event": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "id": { "type": "string" },
           "orgc_id": { "type": "string" },
           "org_id": { "type": "string" },
           "date": { "type": "string" },
           "extends_uuid": { "type": "string" },
           "threat_level_id": { "type": "string" },
           "info": { "type": "string" },
           "published": { "type": "boolean" },
           "uuid": { "type": "string" },
           "attribute_count": { "type": "string" },
           "analysis": { "type": "string" },
           "timestamp": { "type": "string" },
           "distribution": { "type": "string" },
           "proposal_email_lock": { "type": "boolean" },
           "locked": { "type": "boolean" },
           "publish_timestamp": { "type": "string" },
           "sharing_group_id": { "type": "string" },
           "disable_correlation": { "type": "boolean" },
           "event_creator_email": { "type": "string" },
           "Org": { "$ref": "#/defs/org" },
           "Orgc": { "$ref": "#/defs/org" },
           "SharingGroup": { "$ref": "#/defs/sharing_group" },
           "Attribute": {
             "type": "array",
             "uniqueItems": true,
             "items": { "$ref": "#/defs/attribute" }
           },
           "ShadowAttribute": {
             "type": "array",
             "uniqueItems": true,
             "items": { "$ref": "#/defs/attribute" }
           },
           "RelatedEvent": {
             "type": "array",
             "uniqueItems": true,
             "items": {
               "type": "object",
               "additionalProperties": false,
               "properties": {
                 "Event": { "$ref": "#/defs/event" }
               }
             }
           },
           "Galaxy": {
             "type": "array",
             "uniqueItems": true,
             "items": { "$ref": "#/defs/galaxy" }
           },
           "Object": {
             "type": "array",
             "uniqueItems": true,
             "items": { "$ref": "#/defs/object" }
           },
           "Tag": {
             "type": "array",
             "uniqueItems": true,
             "items": { "$ref": "#/defs/tag" }
           }
         }
       },
       "tag": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "id": { "type": "string" },
           "name": { "type": "string" },
           "colour": { "type": "string" },
           "exportable": { "type": "boolean" },
           "hide_tag": { "type": "boolean" },
           "user_id": { "type": "string" }
         }
       },
       "galaxy": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "id": { "type": "string" },
           "uuid": { "type": "string" },
           "name": { "type": "string" },
           "type": { "type": "string" },
           "description": { "type": "string" },
           "version": { "type": "string" },
           "icon": { "type": "string" },
           "namespace": { "type": "string" },
           "GalaxyCluster": {
             "type": "array",
             "uniqueItems": true,
             "items": { "$ref": "#/defs/galaxy_cluster" }
           }
         }
       },
       "galaxy_cluster": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "id": { "type": "string" },
           "uuid": { "type": "string" },
           "type": { "type": "string" },
           "value": { "type": "string" },
           "tag_name": { "type": "string" },
           "description": { "type": "string" },
           "galaxy_id": { "type": "string" },
           "version": { "type": "string" },
           "source": { "type": "string" },
           "authors": {
             "type": "array",
             "uniqueItems": true,
             "items": { "type": "string" }
           },
           "tag_id": { "type": "string" },
           "meta": { "type": "object" }
         }
       }
     },
     "type": "object",
     "properties": {
       "Event": { "$ref": "#/defs/event" }
     },
     "required": [ "Event" ]
   }

4.  Manifest

   MISP events can be shared over an HTTP repository, a file package or
   a USB key.  A manifest file provides an index of the MISP events so
   that a consumer can fetch only the recently updated event files
   without having to parse every JSON file.
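   The consumer-side workflow this section describes, as an added Python
   example that is not MISP project code or PyMISP: a producer writes the
   event files and a manifest.json carrying the fields defined in
   Section 4.1 below plus the optional integrity:sha256 digest; the
   consumer reads only the manifest to decide which events changed after a
   given timestamp, then checks each file's digest before passing its bytes
   to the JSON parser.  The two events are constructed from the sample
   manifest in Section 4.1.1; the detached PGP signature check
   (manifest.json.asc) is deliberately left out because it needs a key and
   an external tool.

```python
"""Added example (not MISP project code): producer and consumer side of a
manifest-indexed MISP event directory, with SHA256 checked before parsing."""
import hashlib
import hmac
import json
import os
import tempfile

# Two constructed events modelled on the sample manifest in this document.
EVENTS = {
    "57c6ac4c-c60c-4f79-a38f-b666950d210f": {"Event": {
        "uuid": "57c6ac4c-c60c-4f79-a38f-b666950d210f",
        "info": "Malspam 2016-08-31 (.wsf in .zip) - campaign: Photo",
        "Orgc": {"id": "2", "name": "CIRCL",
                 "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"},
        "analysis": "0", "timestamp": "1472638251", "date": "2016-08-31",
        "threat_level_id": "3", "Attribute": []}},
    "5720accd-dd28-45f8-80e5-4605950d210f": {"Event": {
        "uuid": "5720accd-dd28-45f8-80e5-4605950d210f",
        "info": "Malspam 2016-04-27 - Locky",
        "Orgc": {"id": "2", "name": "CIRCL",
                 "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"},
        "analysis": "2", "timestamp": "1461764231", "date": "2016-04-27",
        "threat_level_id": "3", "Attribute": []}},
}

# Fields the manifest copies from each event (Section 4.1).
MANIFEST_FIELDS = ("info", "Orgc", "analysis", "timestamp", "date",
                   "threat_level_id")


class IntegrityError(Exception):
    """Raised when an event file does not match its manifest digest."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_feed(directory: str) -> dict:
    """Producer: write each event as <uuid>.json and index them in manifest.json."""
    manifest = {}
    for uuid, document in EVENTS.items():
        raw = json.dumps(document, indent=2).encode("utf-8")
        with open(os.path.join(directory, uuid + ".json"), "wb") as fh:
            fh.write(raw)
        entry = {field: document["Event"][field] for field in MANIFEST_FIELDS}
        entry["integrity:sha256"] = sha256_hex(raw)   # digest of the bytes on disk
        manifest[uuid] = entry
    with open(os.path.join(directory, "manifest.json"), "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def load_manifest(directory: str) -> dict:
    with open(os.path.join(directory, "manifest.json"), encoding="utf-8") as fh:
        return json.load(fh)


def updated_since(manifest: dict, since: int) -> list:
    """Consumer: uuids whose manifest timestamp is newer than `since`,
    decided without opening a single event file."""
    return sorted(uuid for uuid, entry in manifest.items()
                  if int(entry["timestamp"]) > since)


def load_event(directory: str, uuid: str, manifest: dict) -> dict:
    """Consumer: read <uuid>.json and check its digest BEFORE json.loads, so a
    corrupted, truncated or swapped file never reaches the parser."""
    with open(os.path.join(directory, uuid + ".json"), "rb") as fh:
        raw = fh.read()
    expected = manifest[uuid].get("integrity:sha256")
    if expected is None:
        raise IntegrityError(f"{uuid}: manifest carries no integrity:sha256")
    if not hmac.compare_digest(sha256_hex(raw), expected.lower()):
        raise IntegrityError(f"{uuid}: SHA256 mismatch, file not parsed")
    return json.loads(raw)


def demo(since: int = 1470000000):
    """Build a feed in a temp dir, fetch what changed after `since`, then show
    that a file modified after the manifest was produced is rejected."""
    with tempfile.TemporaryDirectory() as directory:
        build_feed(directory)
        manifest = load_manifest(directory)
        fresh = updated_since(manifest, since)
        infos = [load_event(directory, u, manifest)["Event"]["info"] for u in fresh]
        # Modify one event file on disk after the manifest was written.
        with open(os.path.join(directory, fresh[0] + ".json"), "ab") as fh:
            fh.write(b"\n")
        try:
            load_event(directory, fresh[0], manifest)
            rejected = False
        except IntegrityError:
            rejected = True
    return fresh, infos, rejected


if __name__ == "__main__":
    print(demo())
```

   The digest only protects against corruption or a partial transfer on
   its own: whoever can rewrite an event file on the repository can
   rewrite manifest.json as well.  That is why Section 4.1 makes a
   detached signature over the manifest a MUST once signatures are used;
   a consumer should verify manifest.json.asc (for example with
   gpg --verify manifest.json.asc manifest.json against a key obtained out
   of band) before trusting any of the digests it carries.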
4.1.  Format

   A manifest file is a JSON file named manifest.json placed in the
   directory where the MISP events are located.  Each MISP event is a
   file in the same directory whose filename is the event uuid with the
   .json extension.

   The manifest is a JSON object whose keys are the uuids of the events.

   The value under each uuid is a JSON object with the following fields,
   copied from the event referenced by that uuid:

   *  info (MUST)
   *  Orgc object (MUST)
   *  analysis (SHALL)
   *  timestamp (MUST)
   *  date (MUST)
   *  threat_level_id (SHALL)

   In addition to the fields originating from the event, the following
   fields can be added:

   *  integrity:sha256 is the SHA256 digest, in hexadecimal
      representation, of the associated MISP event file, used to check
      the integrity of the file.  (SHOULD)
   *  integrity:pgp is a detached PGP signature [RFC4880] over the
      associated MISP event file, used to check the integrity and
      authenticity of the file.  (SHOULD)

   If a detached PGP signature is used for the MISP event files, a
   detached PGP signature over the manifest file is a MUST: without it,
   anyone able to replace an event file could also update the digest
   recorded for it in manifest.json.  The detached signature of a
   manifest file is a manifest.json.asc file containing the PGP
   signature.

4.1.1.
Sample Manifest

   {
     "57c6ac4c-c60c-4f79-a38f-b666950d210f": {
       "info": "Malspam 2016-08-31 (.wsf in .zip) - campaign: Photo",
       "Orgc": {
         "id": "2",
         "name": "CIRCL",
         "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
       },
       "analysis": "0",
       "Tag": [
         {
           "colour": "#3d7a00",
           "name": "circl:incident-classification=\"malware\""
         },
         {
           "colour": "#ffffff",
           "name": "tlp:white"
         }
       ],
       "timestamp": "1472638251",
       "date": "2016-08-31",
       "threat_level_id": "3"
     },
     "5720accd-dd28-45f8-80e5-4605950d210f": {
       "info": "Malspam 2016-04-27 - Locky",
       "Orgc": {
         "id": "2",
         "name": "CIRCL"
       },
       "analysis": "2",
       "Tag": [
         {
           "colour": "#ffffff",
           "name": "tlp:white"
         },
         {
           "colour": "#3d7a00",
           "name": "circl:incident-classification=\"malware\""
         },
         {
           "colour": "#2c4f00",
           "name": "malware_classification:malware-category=\"Ransomware\""
         }
       ],
       "timestamp": "1461764231",
       "date": "2016-04-27",
       "threat_level_id": "3"
     }
   }

5.  Implementation

   The MISP format is implemented by different software, including the
   MISP threat sharing platform and libraries such as PyMISP [MISP-P].
   Implementations use the format as an export/import mechanism, as a
   staging transport format, or as a synchronisation format, as the
   MISP core platform does.  The MISP format does not impose any
   restriction on how other implementations represent the data in
   their own data structures.

6.  Security Considerations

   MISP events might contain sensitive or confidential information.
   Adequate access control and encryption measures shall be implemented
   to ensure the confidentiality of MISP events.

   Adversaries might include malicious content in MISP events and
   attributes.
   Implementations MUST handle malicious input, both in the structure of
   the received JSON and in the threat information it carries, whose
   values (URLs, filenames, free-text comments and the like) may have
   been crafted to attack the system that stores, correlates or displays
   them.

7.  Acknowledgements

   The authors wish to thank all the MISP community who are supporting
   the creation of open standards in threat intelligence sharing.  A
   special thank you to Nicolas Bareil for the review of the JSON
   Schema.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC4122]  Leach, P., Mealling, M., and R. Salz, "A Universally
              Unique IDentifier (UUID) URN Namespace", RFC 4122,
              DOI 10.17487/RFC4122, July 2005.

   [RFC4880]  Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R.
              Thayer, "OpenPGP Message Format", RFC 4880,
              DOI 10.17487/RFC4880, November 2007.

   [RFC8259]  Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
              Interchange Format", STD 90, RFC 8259,
              DOI 10.17487/RFC8259, December 2017.

8.2.  Informative References

   [JSON-SCHEMA]
              Wright, A., "JSON Schema: A Media Type for Describing JSON
              Documents", 2016.

   [MISP-P]   Community, M., "MISP Project - Open Source Threat
              Intelligence Platform and Open Standards For Threat
              Information Sharing".

   [MISP-R]   Community, M., "MISP Object Relationship Types - common
              vocabulary of relationships".

   [MISP-T]   Community, M., "MISP Taxonomies - shared and common
              vocabularies of tags".
Authors' Addresses

   Alexandre Dulaunoy
   Computer Incident Response Center Luxembourg
   16, bd d'Avranches
   L-1160 Luxembourg
   Luxembourg

   Phone: +352 247 88444
   Email: alexandre.dulaunoy@circl.lu

   Andras Iklody
   Computer Incident Response Center Luxembourg
   16, bd d'Avranches
   L-1160 Luxembourg
   Luxembourg

   Phone: +352 247 88444
   Email: andras.iklody@circl.lu