MISP Standards

MISP core format

This document describes the MISP core format used to exchange indicators and threat information between MISP instances. The JSON format includes the overall structure along with the semantics associated for each respective key. The format is described to support other implementations, aiming to reuse the format and ensuring the interoperability with the existing MISP software and other Threat Intelligence Platforms.

Specification: TXT - HTML

Lead: MISP Project

MISP object template format

This document describes the MISP object template format which describes a simple JSON format to represent the various templates used to construct MISP objects. A public directory of common MISP object templates is available and relies on the MISP object reference format.

Specification: TXT - HTML

Object template library: HTML - PDF

Lead: MISP Project

MISP taxonomy format

This document describes the MISP taxonomy format which describes a simple JSON format to represent machine tag (also called triple tag) vocabularies. A public directory of common vocabularies called MISP taxonomies is available and relies on the MISP taxonomy format. MISP taxonomies are used to classify cyber security events, threats, suspicious events, or indicators.

Specification: TXT - HTML

Taxonomy library: HTML - PDF

Lead: MISP Project

MISP galaxy format

This document describes the MISP galaxy format which describes a simple JSON format to represent galaxies and clusters that can be attached to MISP events or attributes. A public directory of MISP galaxies is available and relies on the MISP galaxy format. MISP galaxies are used to attach additional information structures such as MISP events or attributes. MISP galaxy is a public repository of known malware, threats actors and various other collections of data that can be used to mark, classify or label data in threat information sharing.

Specification: TXT - HTML

Galaxy library: HTML - PDF

Lead: MISP Project

Threat Actor Naming

This document provides advice on the naming of threat actors (also known as malicious actors). The objective is to provide practical advice for organizations such as security vendors or organizations attributing incidents to a group of threat actors. It also discusses the implications of naming a threat actor for intelligence analysts and threat intelligence platforms such as MISP.

Specification: TXT - HTML

SightingDB format

This document describes the format used by SightingDB to give automated context to a given Attribute by counting occurrences and tracking times of observability. SightingDB was designed to provide to MISP and other tools an interoperable, scalable and fast way to store and retrieve attributes sightings.

Specification: TXT - HTML

Lead: Devo Inc