MISP Threat Sharing Standard

The MISP project developed a set of standards for threat intelligence sharing, including a list of IETF Internet-Drafts:

  • MISP core format, which describes the core JSON format of MISP. Current Internet-Draft: 15
  • MISP taxonomy format, which describes the taxonomy JSON format of MISP. Current Internet-Draft: 07
  • MISP galaxy format, which describes the galaxy template format used to expand the threat actor modelling of MISP. Current Internet-Draft: 00
  • MISP object template format, which describes the object template format used to construct combined and composite objects for the MISP core format. Current Internet-Draft: 07

In addition to the standards, the MISP project maintains a set of taxonomies, warning-lists, object templates and galaxy clusters to support analysts.

MISP development takes place at the following GitHub organisation.

IODEF - Incident Object Description Exchange Format

IODEF - Incident Object Description Exchange Format was originally described in RFC 5070 (2007) and RFC 6685, and was replaced by RFC 7970 (2016). A specific extension, Structured Cybersecurity Information in IODEF (RFC 7203), defines extension classes such as AttackPattern, Platform, Vulnerability, Scoring, Weakness, EventReport, Verification and Remediation.

IODEF development takes place at IETF Managed Incident Lightweight Exchange (mile) WG.

IDMEF - Intrusion Detection Message Exchange Format

IDMEF - Intrusion Detection Message Exchange Format is described in RFC 4765 (2007).

OpenTPX - Open Threat Partner Exchange

OpenTPX - Open Threat Partner Exchange is a JSON format to exchange machine-readable threat intelligence along with network security related information.

OpenTPX development takes place at the following GitHub repository: opentpx.

STIX Structured Threat Information eXpression 1.1 and 1.2

STIX Structured Threat Information eXpression was originally developed by MITRE and version 1.2 was released in 2014. Core specifications are available for version 1.2 at http://stixproject.github.io/releases/1.2/ and version 1.1 at https://stix.mitre.org/language/version1.1/.

STIX Structured Threat Information Expression 2.0

STIX Structured Threat Information Expression 2.0 is developed by the CTI TC at OASIS. The following documents were released for version 2.0: Core Concepts, STIX Objects, Cyber Observable Core Concepts and STIX Patterning.

STIX 2.0 development takes place at OASIS Cyber Threat Intelligence (CTI) TC.

Sigma - Generic Signature Format for SIEM Systems

Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner. The specification is available at the following location: https://github.com/Neo23x0/sigma/wiki/Specification.

Sigma development takes place at the following GitHub repository.

YARA - The pattern matching swiss knife for malware researchers (and everyone else)

YARA is an open pattern-matching format for finding textual or binary patterns in binary files or byte streams. Documentation of the YARA format is available at the following location: https://yara.readthedocs.io.

YARA development takes place at the following GitHub repository.

GENE - Go Evtx sigNature Engine

GENE is an open format to match Windows Event Logs (EVTX).

GENE development takes place at the following GitHub repository.