ciscosecurity/tr-05-misp
Supported endpoints:

- `POST /health`
- `POST /observe/observables` (returns Verdict, Judgement, Indicator, Sighting and Relationship entities)
- `POST /refer/observables`
- `POST /version`

Supported observable types:

- `ip`
- `domain`
- `hostname`
- `url`
- `sha1`
- `sha256`
- `md5`
Each response from the MISP API for a supported observable is mapped to the following CTIM entities.

Judgements are based on the `.threat_level_id` of each event in the response:
| CTIM Disposition Name | MISP threat_level_id |
|---|---|
| Malicious | 1 (High) |
| Suspicious | 2 (Medium) |
| Common | 3 (Low) |
| Unknown | 4 (Undefined) |
A Verdict is chosen from all of the Judgements on that observable: the highest-priority Judgement (Malicious, then Suspicious, then Common, then Unknown) becomes the active Verdict.

Indicators and Sightings are taken from each event in the response:

- Sightings are based on the event's `.date`.
- Indicators are based on the event's `.info`.

Relationships link these entities:

- Sighting to Indicator: `sighting-of`
- Judgement to Indicator: `element-of`
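The following is an added example, not code from the tr-05-misp relay itself, showing how the mapping above turns MISP event search results into a CTIM bundle. The input events are constructed, the `transient:` ID scheme, the CTIM disposition numbers (1 Clean, 2 Malicious, 3 Suspicious, 4 Common, 5 Unknown, from the CTIM schema), the 30-day Judgement validity window and the handling of an out-of-range `threat_level_id` as Unknown are assumptions made here, not behaviour documented on this page. It also goes slightly beyond the text by showing the Verdict selection when several events disagree.

```python
"""Map MISP events to CTIM entities (added example; not the relay's own code)."""
from datetime import datetime, timedelta, timezone

# Constructed sample input: MISP event objects trimmed to the fields the mapping uses.
SAMPLE_OBSERVABLE = {"type": "domain", "value": "example.invalid"}
SAMPLE_EVENTS = [
    {"Event": {"uuid": "11111111-2222-3333-4444-555555555555",
               "info": "Constructed: phishing kit hosting",
               "threat_level_id": "1", "date": "2021-03-01"}},
    {"Event": {"uuid": "66666666-7777-8888-9999-000000000000",
               "info": "Constructed: bulk scanner feed",
               "threat_level_id": "3", "date": "2021-02-10"}},
    {"Event": {"uuid": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
               "info": "Constructed: untriaged submission",
               "threat_level_id": "99", "date": "2021-01-05"}},  # value outside 1-4
]

# MISP threat_level_id -> (CTIM disposition number, disposition name), per the table above.
THREAT_LEVEL_TO_DISPOSITION = {
    "1": (2, "Malicious"),
    "2": (3, "Suspicious"),
    "3": (4, "Common"),
    "4": (5, "Unknown"),
}
# Priority used to pick the active Verdict: lower rank wins.
VERDICT_PRIORITY = {"Malicious": 0, "Suspicious": 1, "Common": 2, "Unknown": 3}
JUDGEMENT_VALIDITY = timedelta(days=30)  # assumed window; the relay's own value may differ


def disposition_for(threat_level_id):
    """Anything outside 1-4 is treated as Unknown (assumption, not documented behaviour)."""
    return THREAT_LEVEL_TO_DISPOSITION.get(str(threat_level_id), (5, "Unknown"))


def judgement_from_event(observable, event, now):
    number, name = disposition_for(event["threat_level_id"])
    return {
        "type": "judgement",
        "id": f"transient:judgement-{event['uuid']}",  # assumed ID scheme
        "observable": dict(observable),
        "disposition": number,
        "disposition_name": name,
        "valid_time": {"start_time": now.isoformat(),
                       "end_time": (now + JUDGEMENT_VALIDITY).isoformat()},
        "source": "MISP",
    }


def indicator_from_event(event):
    # Indicators are based on the event's .info field.
    return {"type": "indicator", "id": f"transient:indicator-{event['uuid']}",
            "producer": "MISP", "short_description": event["info"]}


def sighting_from_event(observable, event):
    # Sightings are based on the event's .date field (MISP dates are day precision).
    return {"type": "sighting", "id": f"transient:sighting-{event['uuid']}",
            "observables": [dict(observable)], "count": 1, "source": "MISP",
            "observed_time": {"start_time": f"{event['date']}T00:00:00Z"}}


def relationship(source_ref, target_ref, relationship_type):
    return {"type": "relationship", "source_ref": source_ref,
            "target_ref": target_ref, "relationship_type": relationship_type}


def verdict_from_judgements(observable, judgements):
    """The highest-priority Judgement becomes the active Verdict; ties keep the first one."""
    if not judgements:
        return None
    best = min(judgements, key=lambda j: VERDICT_PRIORITY[j["disposition_name"]])
    return {"type": "verdict", "observable": dict(observable),
            "disposition": best["disposition"],
            "disposition_name": best["disposition_name"],
            "judgement_id": best["id"], "valid_time": best["valid_time"]}


def build_bundle(observable, events, now=None):
    now = now or datetime.now(timezone.utc)
    bundle = {"judgements": [], "indicators": [], "sightings": [], "relationships": []}
    for hit in events:
        ev = hit["Event"]
        j, i, s = (judgement_from_event(observable, ev, now),
                   indicator_from_event(ev), sighting_from_event(observable, ev))
        bundle["judgements"].append(j)
        bundle["indicators"].append(i)
        bundle["sightings"].append(s)
        bundle["relationships"].append(relationship(s["id"], i["id"], "sighting-of"))
        bundle["relationships"].append(relationship(j["id"], i["id"], "element-of"))
    verdict = verdict_from_judgements(observable, bundle["judgements"])
    if verdict:
        bundle["verdicts"] = [verdict]
    return bundle


if __name__ == "__main__":
    import json
    print(json.dumps(build_bundle(SAMPLE_OBSERVABLE, SAMPLE_EVENTS), indent=2))
```

Run it to see the full bundle; the constructed input deliberately mixes a High, a Low and an out-of-range event so the Malicious Judgement wins the Verdict even though it is not the most recent sighting.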
Pull the image:

```
docker pull ciscosecurity/tr-05-misp
```