idnits 2.17.1 draft-dulaunoy-misp-object-template-format-03.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack a Security Considerations section. ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** There are 4 instances of too long lines in the document, the longest one being 58 characters in excess of 72. ** The abstract seems to contain references ([MISP-O]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (June 23, 2019) is 1767 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- ** Obsolete normative reference: RFC 4627 (Obsoleted by RFC 7158, RFC 7159) Summary: 5 errors (**), 0 flaws (~~), 1 warning (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group A. Dulaunoy 3 Internet-Draft A. Iklody 4 Intended status: Informational CIRCL 5 Expires: December 25, 2019 June 23, 2019 7 MISP object template format 8 draft-dulaunoy-misp-object-template-format-03 10 Abstract 12 This document describes the MISP object template format which 13 describes a simple JSON format to represent the various templates 14 used to construct MISP objects. A public directory of common 15 vocabularies MISP object templates [MISP-O] is available and relies 16 on the MISP object reference format. 18 Status of This Memo 20 This Internet-Draft is submitted in full conformance with the 21 provisions of BCP 78 and BCP 79. 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF). Note that other groups may also distribute 25 working documents as Internet-Drafts. The list of current Internet- 26 Drafts is at https://datatracker.ietf.org/drafts/current/. 28 Internet-Drafts are draft documents valid for a maximum of six months 29 and may be updated, replaced, or obsoleted by other documents at any 30 time. It is inappropriate to use Internet-Drafts as reference 31 material or to cite them other than as "work in progress." 33 This Internet-Draft will expire on December 25, 2019. 35 Copyright Notice 37 Copyright (c) 2019 IETF Trust and the persons identified as the 38 document authors. All rights reserved. 40 This document is subject to BCP 78 and the IETF Trust's Legal 41 Provisions Relating to IETF Documents 42 (https://trustee.ietf.org/license-info) in effect on the date of 43 publication of this document. Please review these documents 44 carefully, as they describe your rights and restrictions with respect 45 to this document. Code Components extracted from this document must 46 include Simplified BSD License text as described in Section 4.e of 47 the Trust Legal Provisions and are provided without warranty as 48 described in the Simplified BSD License. 50 Table of Contents 52 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 53 1.1. Conventions and Terminology . . . . . . . . . . . . . . . 2 54 2. Format . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 55 2.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 3 56 2.1.1. Object Template . . . . . . . . . . . . . . . . . . . 3 57 2.1.2. attributes . . . . . . . . . . . . . . . . . . . . . 4 58 2.1.3. Sample Object Template object . . . . . . . . . . . . 6 59 2.1.4. Object Relationships . . . . . . . . . . . . . . . . 9 60 3. Directory . . . . . . . . . . . . . . . . . . . . . . . . . . 10 61 3.1. Existing and public MISP object templates . . . . . . . . 10 62 4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 18 63 5. References . . . . . . . . . . . . . . . . . . . . . . . . . 18 64 5.1. Normative References . . . . . . . . . . . . . . . . . . 18 65 5.2. Informative References . . . . . . . . . . . . . . . . . 18 66 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19 68 1. Introduction 70 Due to the increased maturity of threat information sharing, the need 71 arose for more complex and exhaustive data-points to be shared across 72 the various sharing communities. MISP's information sharing in 73 general relied on a flat structure of attributes contained within an 74 event, where attributes served as atomic secluded data-points with 75 some commonalities as defined by the encapsulating event. However, 76 this flat structure restricted the use of more diverse and complex 77 data-points described by a list of atomic values, a problem solved by 78 the MISP object structure. 80 MISP objects combine a list of attributes to represent a singular 81 object with various facets. In order to bootstrap the object 82 creation process and to maintain uniformity among objects describing 83 similar data-points, the MISP object template format serves as a 84 reusable and share-able blueprint format. 86 MISP object templates also include a vocabulary to describe the 87 various inter object and object to attribute relationships and are 88 leveraged by MISP object references. 90 1.1. Conventions and Terminology 92 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 93 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 94 document are to be interpreted as described in RFC 2119 [RFC2119]. 96 2. Format 98 MISP object templates are composed of the MISP object template (MUST) 99 structure itself and a list of MISP object template elements (SHOULD) 100 describing the list of possible attributes belonging to the resulting 101 object, along with their context and settings. 103 MISP object templates themselves consist of a name (MUST), a meta- 104 category (MUST) and a description (SHOULD). They are identified by a 105 uuid (MUST) and a version (MUST). For any updates or transfer of the 106 same object reference. UUID version 4 is RECOMMENDED when assigning 107 it to a new object reference. The list of requirements when it comes 108 to the contained MISP object template elements is defined in the 109 requirements field (OPTIONAL). 111 MISP object template elements consist of an object_relation (MUST), a 112 type (MUST), an object_template_id (SHOULD), a ui_priority (SHOULD), 113 a list of categories (MAY), a list of sane_default values (MAY) or a 114 values_list (MAY). 116 2.1. Overview 118 The MISP object template format uses the JSON [RFC4627] format. Each 119 template is represented as a JSON object with meta information 120 including the following fields: uuid, requiredOneOf, description, 121 version, meta-category, name. 123 2.1.1. Object Template 125 2.1.1.1. uuid 127 uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of 128 the object template. The uuid MUST be preserved for to keep 129 consistency of the templates across instances. UUID version 4 is 130 RECOMMENDED when assigning it to a new object template. 132 uuid is represented as a JSON string. uuid MUST be present. 134 2.1.1.2. requiredOneOf 136 requiredOneOf is represented as a JSON list and contains a list of 137 attribute relationships of which one must be present in the object to 138 be created based on the given template. The requiredOneOf field MAY 139 be present. 141 2.1.1.3. required 143 required is represented as a JSON list and contains a list of 144 attribute relationships of which all must be present in the object to 145 be created based on the given template. The required field MAY be 146 present. 148 2.1.1.4. description 150 description is represented as a JSON string and contains the assigned 151 meaning given to objects created using this template. The 152 description field MUST be present. 154 2.1.1.5. version 156 version represents a numeric incrementing version of the object 157 template. It is used to associate the object to the correct version 158 of the template and together with the uuid field forms an association 159 to the correct template type and version. 161 version is represented as a JSON string. version MUST be present. 163 2.1.1.6. meta-category 165 meta-category represents the sub-category of objects that the given 166 object template belongs to. meta-categories are not tied to a fixed 167 list of options but can be created on the fly. 169 meta-category is represented as a JSON string. meta-category MUST be 170 present. 172 2.1.1.7. name 174 name represents the human-readable name of the objects created using 175 the given template, describing the intent of the object package. 177 name is represented as a JSON string. name MUST be present 179 2.1.2. attributes 181 attributes is represented as a JSON list and contains a list of 182 template elements used as a template for creating the individual 183 attributes within the object that is to be created with the object. 185 attributes is represented as a JSON list. attributes MUST be present. 187 2.1.2.1. description 189 description is represented as a JSON string and contains the 190 description of the given attribute in the context of the object with 191 the given relationship. The description field MUST be present. 193 2.1.2.2. ui-priority 195 ui-priority is represented by a numeric values in JSON string format 196 and is meant to provide a priority for the given element in the 197 object template visualisation. The ui-priority MAY be present. 199 2.1.2.3. misp-attribute 201 misp-attribute is represented by a JSON string or a JSON object with 202 a list of values. The value(s) are taken from the pool of types 203 defined by the MISP core format's Attribute Object's type list. type 204 can contain a JSON object with a list of suggested value alternatives 205 encapsulated in a list within a sane_default key or a list of 206 enforced value alternatives encapsulated in a list_values key. 208 The misp-attribute field MUST be present. 210 2.1.2.4. disable_correlation 212 disable_correlation is represented by a JSON boolean. The 213 disable_correlation field flags the attribute(s) created by the given 214 object template element to be marked as non correlating. 216 The misp-attribute field MAY be present. 218 2.1.2.5. categories 220 categories is represented by a JSON list containing one or several 221 valid options from the list of verbs valid for the category field in 222 the Attribute object within the MISP core format. 224 The categories field MAY be present. 226 2.1.2.6. multiple 228 multiple is represented by a JSON boolean value. It marks the MISP 229 object template element as a multiple input field, allowing for 230 several attributes to be created by the element within the same 231 object. 233 The multiple field MAY be present. 235 2.1.2.7. sane_default 237 sane_default is represented by a JSON list containing one or several 238 recommended/sane values for an attribute. sane_default is mutually 239 exclusive with values_list. 241 The sane_default field MAY be present. 243 2.1.2.8. values_list 245 values_list is represented by a JSON List containing one or several 246 of fixed values for an attribute. values_list is mutually exclusive 247 with sane_default. 249 The value_list field MAY be present. 251 2.1.3. Sample Object Template object 253 The MISP object template directory is publicly available [MISP-O] in 254 a git repository and contains more than 60 object templates. As 255 illustration, two sample objects templates are included. 257 2.1.3.1. credit-card object template 258 { 259 "requiredOneOf": [ 260 "cc-number" 261 ], 262 "attributes": { 263 "version": { 264 "description": "Version of the card.", 265 "ui-priority": 0, 266 "misp-attribute": "text" 267 }, 268 "comment": { 269 "description": "A description of the card.", 270 "ui-priority": 0, 271 "misp-attribute": "comment" 272 }, 273 "card-security-code": { 274 "description": "Card security code (CSC, CVD, CVV, CVC and SPC) as embossed or printed on the card.", 275 "ui-priority": 0, 276 "misp-attribute": "text" 277 }, 278 "name": { 279 "description": "Name of the card owner.", 280 "ui-priority": 0, 281 "misp-attribute": "text" 282 }, 283 "issued": { 284 "description": "Initial date of validity or issued date.", 285 "ui-priority": 0, 286 "misp-attribute": "datetime" 287 }, 288 "expiration": { 289 "description": "Maximum date of validity", 290 "ui-priority": 0, 291 "misp-attribute": "datetime" 292 }, 293 "cc-number": { 294 "description": "credit-card number as encoded on the card.", 295 "ui-priority": 0, 296 "misp-attribute": "cc-number" 297 } 298 }, 299 "version": 2, 300 "description": "A payment card like credit card, debit card or any similar cards which can be used for financial transactions.", 301 "meta-category": "financial", 302 "uuid": "2b9c57aa-daba-4330-a738-56f18743b0c7", 303 "name": "credit-card" 304 } 305 2.1.3.2. credential object template 307 { 308 "requiredOneOf": [ 309 "password" 310 ], 311 "attributes": { 312 "text": { 313 "description": "A description of the credential(s)", 314 "disable_correlation": true, 315 "ui-priority": 1, 316 "misp-attribute": "text" 317 }, 318 "username": { 319 "description": "Username related to the password(s)", 320 "ui-priority": 1, 321 "misp-attribute": "text" 322 }, 323 "password": { 324 "description": "Password", 325 "multiple": true, 326 "ui-priority": 1, 327 "misp-attribute": "text" 328 }, 329 "type": { 330 "description": "Type of password(s)", 331 "ui-priority": 1, 332 "misp-attribute": "text", 333 "values_list": [ 334 "password", 335 "api-key", 336 "encryption-key", 337 "unknown" 338 ] 339 }, 340 "origin": { 341 "description": "Origin of the credential(s)", 342 "ui-priority": 1, 343 "misp-attribute": "text", 344 "sane_default": [ 345 "bruteforce-scanning", 346 "malware-analysis", 347 "memory-analysis", 348 "network-analysis", 349 "leak", 350 "unknown" 351 ] 352 }, 353 "format": { 354 "description": "Format of the password(s)", 355 "ui-priority": 1, 356 "misp-attribute": "text", 357 "values_list": [ 358 "clear-text", 359 "hashed", 360 "encrypted", 361 "unknown" 362 ] 363 }, 364 "notification": { 365 "description": "Mention of any notification(s) towards the potential owner(s) of the credential(s)", 366 "ui-priority": 1, 367 "misp-attribute": "text", 368 "multiple": true, 369 "values_list": [ 370 "victim-notified", 371 "service-notified", 372 "none" 373 ] 374 } 375 }, 376 "version": 2, 377 "description": "Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s).", 378 "meta-category": "misc", 379 "uuid": "a27e98c9-9b0e-414c-8076-d201e039ca09", 380 "name": "credential" 381 } 383 2.1.4. Object Relationships 385 2.1.4.1. name 387 name represents the human-readable relationship type which can be 388 used when creating MISP object relations. 390 name is represented as a JSON string. name MUST be present. 392 2.1.4.2. description 394 description is represented as a JSON string and contains the 395 description of the object relationship type. The description field 396 MUST be present. 398 2.1.4.3. format 400 format is represented by a JSON list containing a list of formats 401 that the relationship type is valid for and can be mapped to. The 402 format field MUST be present. 404 3. Directory 406 The MISP object template directory is publicly available [MISP-O] in 407 a git repository. The repository contains an objects directory, 408 which contains a directory per object type, containing a file named 409 definition.json which contains the definition of the object template 410 in the above described format. 412 A relationships directory is also included, containing a 413 definition.json file which contains a list of MISP object relation 414 definitions. There are more than 125 existing templates object 415 documented in [MISP-O-DOC]. 417 3.1. Existing and public MISP object templates 419 o tsk-chats - An Object Template to gather information from 420 evidential or interesting exchange of messages identified during a 421 digital forensic investigation. 423 o tsk-web-bookmark - An Object Template to add evidential bookmarks 424 identified during a digital forensic investigation. 426 o tsk-web-cookie - An TSK-Autopsy Object Template to represent 427 cookies identified during a forensic investigation. 429 o tsk-web-downloads - An Object Template to add web-downloads. 431 o tsk-web-history - An Object Template to share web history 432 information. 434 o tsk-web-search-query - An Object Template to share web search 435 query information. 437 o ail-leak - An information leak as defined by the AIL Analysis 438 Information Leak framework. 440 o ais-info - Automated Indicator Sharing (AIS) Information Source 441 Markings. 443 o android-permission - A set of android permissions - one or more 444 permission(s) which can be linked to other objects (e.g. malware, 445 app). 447 o annotation - An annotation object allowing analysts to add 448 annotations, comments, executive summary to a MISP event, objects 449 or attributes. 451 o anonymisation - Anonymisation object describing an anonymisation 452 technique used to encode MISP attribute values. Reference: 453 . 455 o asn - Autonomous system object describing an autonomous system 456 which can include one or more network operators management an 457 entity (e.g. ISP) along with their routing policy, routing 458 prefixes or alike. 460 o authenticode-signerinfo - Authenticode Signer Info. 462 o av-signature - Antivirus detection signature. 464 o bank-account - An object describing bank account information based 465 on account description from goAML 4.0. 467 o bgp-hijack - Object encapsulating BGP Hijack description as 468 specified, for example, by bgpstream.com. 470 o cap-alert - Common Alerting Protocol Version (CAP) alert object. 472 o cap-info - Common Alerting Protocol Version (CAP) info object. 474 o cap-resource - Common Alerting Protocol Version (CAP) resource 475 object. 477 o coin-address - An address used in a cryptocurrency. 479 o cookie - An HTTP cookie (web cookie, browser cookie) is a small 480 piece of data that a server sends to the user's web browser. The 481 browser may store it and send it back with the next request to the 482 same server. Typically, it's used to tell if two requests came 483 from the same browser -- keeping a user logged-in, for example. 484 It remembers stateful information for the stateless HTTP protocol. 485 (as defined by the Mozilla foundation. 487 o cortex - Cortex object describing a complete cortex analysis. 488 Observables would be attribute with a relationship from this 489 object. 491 o cortex-taxonomy - Cortex object describing an Cortex Taxonomy (or 492 mini report). 494 o course-of-action - An object describing a specific measure taken 495 to prevent or respond to an attack. 497 o cowrie - Cowrie honeypot object template. 499 o credential - Credential describes one or more credential(s) 500 including password(s), api key(s) or decryption key(s). 502 o credit-card - A payment card like credit card, debit card or any 503 similar cards which can be used for financial transactions. 505 o ddos - DDoS object describes a current DDoS activity from a 506 specific or/and to a specific target. Type of DDoS can be 507 attached to the object as a taxonomy. 509 o device - An object to define a device. 511 o diameter-attack - Attack as seen on diameter authentication 512 against a GSM, UMTS or LTE network. 514 o domain-ip - A domain and IP address seen as a tuple in a specific 515 time frame. 517 o elf - Object describing a Executable and Linkable Format. 519 o elf-section - Object describing a section of an Executable and 520 Linkable Format. 522 o email - Email object describing an email with meta-information. 524 o exploit-poc - Exploit-poc object describing a proof of concept or 525 exploit of a vulnerability. This object has often a relationship 526 with a vulnerability object. 528 o facial-composite - An object which describes a facial composite. 530 o fail2ban - Fail2ban event. 532 o file - File object describing a file with meta-information. 534 o forensic-case - An object template to describe a digital forensic 535 case. 537 o forensic-evidence - An object template to describe a digital 538 forensic evidence. 540 o geolocation - An object to describe a geographic location. 542 o gtp-attack - GTP attack object as seen on a GSM, UMTS or LTE 543 network. 545 o http-request - A single HTTP request header. 547 o ilr-impact - Institut Luxembourgeois de Regulation - Impact. 549 o ilr-notification-incident - Institut Luxembourgeois de Regulation 550 - Notification d'incident. 552 o internal-reference - Internal reference. 554 o interpol-notice - An object which describes a Interpol notice. 556 o ip-api-address - IP Address information. Useful if you are 557 pulling your ip information from ip-api.com. 559 o ip-port - An IP address (or domain or hostname) and a port seen as 560 a tuple (or as a triple) in a specific time frame. 562 o irc - An IRC object to describe an IRC server and the associated 563 channels. 565 o ja3 - JA3 is a new technique for creating SSL client fingerprints 566 that are easy to produce and can be easily shared for threat 567 intelligence. Fingerprints are composed of Client Hello packet; 568 SSL Version, Accepted Ciphers, List of Extensions, Elliptic 569 Curves, and Elliptic Curve Formats. 570 . 572 o legal-entity - An object to describe a legal entity. 574 o lnk - LNK object describing a Windows LNK binary file (aka Windows 575 shortcut). 577 o macho - Object describing a file in Mach-O format. 579 o macho-section - Object describing a section of a file in Mach-O 580 format. 582 o mactime-timeline-analysis - Mactime template, used in forensic 583 investigations to describe the timeline of a file activity. 585 o malware-config - Malware configuration recovered or extracted from 586 a malicious binary. 588 o microblog - Microblog post like a Twitter tweet or a post on a 589 Facebook wall. 591 o mutex - Object to describe mutual exclusion locks (mutex) as seen 592 in memory or computer program. 594 o netflow - Netflow object describes an network object based on the 595 Netflowv5/v9 minimal definition. 597 o network-connection - A local or remote network connection. 599 o network-socket - Network socket object describes a local or remote 600 network connections based on the socket data structure. 602 o misc - An object which describes an organization. 604 o original-imported-file - Object describing the original file used 605 to import data in MISP. 607 o passive-dns - Passive DNS records as expressed in draft-dulaunoy- 608 dnsop-passive-dns-cof-01. 610 o paste - Paste or similar post from a website allowing to share 611 privately or publicly posts. 613 o pcap-metadata - Network packet capture metadata. 615 o pe - Object describing a Portable Executable. 617 o pe-section - Object describing a section of a Portable Executable. 619 o person - An object which describes a person or an identity. 621 o phishing - Phishing template to describe a phishing website and 622 its analysis. 624 o phishing-kit - Object to describe a phishing-kit. 626 o phone - A phone or mobile phone object which describe a phone. 628 o process - Object describing a system process. 630 o python-etvx-event-log - Event log object template to share 631 information of the activities conducted on a system. . 633 o r2graphity - Indicators extracted from files using radare2 and 634 graphml. 636 o regexp - An object describing a regular expression (regex or 637 regexp). The object can be linked via a relationship to other 638 attributes or objects to describe how it can be represented as a 639 regular expression. 641 o registry-key - Registry key object describing a Windows registry 642 key with value and last-modified timestamp. 644 o regripper-NTUser - Regripper Object template designed to present 645 user specific configuration details extracted from the NTUSER.dat 646 hive. 648 o regripper-sam-hive-single-user - Regripper Object template 649 designed to present user profile details extracted from the SAM 650 hive. 652 o regripper-sam-hive-user-group - Regripper Object template designed 653 to present group profile details extracted from the SAM hive. 655 o regripper-software-hive-BHO - Regripper Object template designed 656 to gather information of the browser helper objects installed on 657 the system. 659 o regripper-software-hive-appInit-DLLS - Regripper Object template 660 designed to gather information of the DLL files installed on the 661 system. 663 o regripper-software-hive-application-paths - Regripper Object 664 template designed to gather information of the application paths. 666 o regripper-software-hive-applications-installed - Regripper Object 667 template designed to gather information of the applications 668 installed on the system. 670 o regripper-software-hive-command-shell - Regripper Object template 671 designed to gather information of the shell commands executed on 672 the system. 674 o regripper-software-hive-windows-general-info - Regripper Object 675 template designed to gather general windows information extracted 676 from the software-hive. 678 o regripper-software-hive-software-run - Regripper Object template 679 designed to gather information of the applications set to run on 680 the system. 682 o regripper-software-hive-userprofile-winlogon - Regripper Object 683 template designed to gather user profile information when the user 684 logs onto the system, gathered from the software hive. 686 o regripper-system-hive-firewall-configuration - Regripper Object 687 template designed to present firewall configuration information 688 extracted from the system-hive. 690 o regripper-system-hive-general-configuration - Regripper Object 691 template designed to present general system properties extracted 692 from the system-hive. 694 o regripper-system-hive-network-information. - Regripper object 695 template designed to gather network information from the system- 696 hive. 698 o regripper-system-hive-services-drivers - Regripper Object template 699 designed to gather information regarding the services/drivers from 700 the system-hive. 702 o report - Metadata used to generate an executive level report. 704 o research-scanner - Information related to known scanning activity 705 (e.g. from research projects). 707 o rogue-dns - Rogue DNS as defined by CERT.br. 709 o rtir - RTIR - Request Tracker for Incident Response. 711 o sandbox-report - Sandbox report. 713 o sb-signature - Sandbox detection signature. 715 o script - Object describing a computer program written to be run in 716 a special run-time environment. The script or shell script can be 717 used for malicious activities but also as support tools for threat 718 analysts. 720 o shell-commands - Object describing a series of shell commands 721 executed. This object can be linked with malicious files in order 722 to describe a specific execution of shell commands. 724 o short-message-service - Short Message Service (SMS) object 725 template describing one or more SMS message. Restriction of the 726 initial format 3GPP 23.038 GSM character set doesn't apply. 728 o shortened-link - Shortened link and its redirect target. 730 o splunk - Splunk / Splunk ES object. 732 o ss7-attack - SS7 object of an attack seen on a GSM, UMTS or LTE 733 network via SS7 logging. 735 o ssh-authorized-keys - An object to store ssh authorized keys file. 737 o stix2-pattern - An object describing a STIX pattern. The object 738 can be linked via a relationship to other attributes or objects to 739 describe how it can be represented as a STIX pattern. 741 o suricata - An object describing one or more Suricata rule(s) along 742 with version and contextual information. 744 o target-system - Description about an targeted system, this could 745 potentially be a compromissed internal system. 747 o threatgrid-report - ThreatGrid report. 749 o timecode - Timecode object to describe a start of video sequence 750 (e.g. CCTV evidence) and the end of the video sequence. 752 o timesketch-timeline - A timesketch timeline object based on 753 mandatory field in timesketch to describe a log entry. 755 o timesketch_message - A timesketch message entry. 757 o timestamp - A generic timestamp object to represent time including 758 first time and last time seen. Relationship will then define the 759 kind of time relationship. 761 o tor-hiddenservice - Tor hidden service (onion service) object. 763 o tor-node - Tor node (which protects your privacy on the internet 764 by hiding the connection between users Internet address and the 765 services used by the users) description which are part of the Tor 766 network at a time. 768 o tracking-id - Analytics and tracking ID such as used in Google 769 Analytics or other analytic platform. 771 o transaction - An object to describe a financial transaction. 773 o url - url object describes an url along with its normalized field 774 (like extracted using faup parsing library) and its metadata. 776 o vehicle - Vehicle object template to describe a vehicle 777 information and registration. 779 o victim - Victim object describes the target of an attack or abuse. 781 o virustotal-report - VirusTotal report. 783 o vulnerability - Vulnerability object describing a common 784 vulnerability enumeration which can describe published, 785 unpublished, under review or embargo vulnerability for software, 786 equipments or hardware. 788 o whois - Whois records information for a domain name or an IP 789 address. 791 o x509 - x509 object describing a X.509 certificate. 793 o yabin - yabin.py generates Yara rules from function prologs, for 794 matching and hunting binaries. ref: . 797 o yara - An object describing a YARA rule along with its version. 799 4. Acknowledgements 801 The authors wish to thank all the MISP community who are supporting 802 the creation of open standards in threat intelligence sharing. 804 5. References 806 5.1. Normative References 808 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 809 Requirement Levels", BCP 14, RFC 2119, 810 DOI 10.17487/RFC2119, March 1997, 811 . 813 [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally 814 Unique IDentifier (UUID) URN Namespace", RFC 4122, 815 DOI 10.17487/RFC4122, July 2005, 816 . 818 [RFC4627] Crockford, D., "The application/json Media Type for 819 JavaScript Object Notation (JSON)", RFC 4627, 820 DOI 10.17487/RFC4627, July 2006, 821 . 823 5.2. Informative References 825 [MISP-O] MISP, "MISP Objects - shared and common object templates", 826 . 828 [MISP-O-DOC] 829 "MISP objects directory", 2018, 830 . 832 Authors' Addresses 834 Alexandre Dulaunoy 835 Computer Incident Response Center Luxembourg 836 16, bd d'Avranches 837 Luxembourg L-1611 838 Luxembourg 840 Phone: +352 247 88444 841 Email: alexandre.dulaunoy@circl.lu 843 Andras Iklody 844 Computer Incident Response Center Luxembourg 845 16, bd d'Avranches 846 Luxembourg L-1611 847 Luxembourg 849 Phone: +352 247 88444 850 Email: andras.iklody@circl.lu