Standards |

The MISP project developed a set of standards for threat intelligence sharing, including a list of IETF Internet-Drafts:

  • MISP core format which describes the core JSON format of MISP. Current Internet-Draft: 03
  • MISP taxonomy format which describes the taxonomy JSON format of MISP. Current Internet-Draft: 04
  • MISP galaxy format which describes the galaxy template format used to expand the threat actor modelling of MISP. Current Internet-Draft: 00
  • MISP object template format which describes the object template format used to construct combined and composite objects for the MISP core format. Current Internet-Draft: 00

In addition to standards, the MISP project maintains a list of taxonomies, warning-list, objects templates and galaxy clusters to support analysts.

MISP development takes place at the following GitHub organisation.

IODEF - Incident Object Description Exchange Format was originally described in RFC 5070 (2007) and RFC 6685 and replaced by RFC 7970 (2016). Specific extension like Structured Cybersecurity Information in IODEF: RFC 7203 defines extension classes like AttackPattern, Platform, Vulnerability, Scoring, Weakness, EventReport, Verification and Remediation.

IODEF development takes place at IETF Managed Incident Lightweight Exchange (mile) WG.

IDMEF - Intrusion Detection Message Exchange Format is described in RFC 4765 (2007).

OpenTPX - Open Threat Partner Exchange is a JSON format to exchange machine-readable threat intelligence along with network security related information.

OpenTPX development takes place at the following GitHub repository opentpx

STIX Structured Threat Information eXpression was originally developed by MITRE and version 1.2 was released in 2014. Core specifications are available for version 1.2 at and version 1.1 at

STIX Structured Threat Information Expression 2.0 is developed by the CTI TC at OASIS and the following documents were released for version 2.0: Core Concepts, STIX Objects, Cyber Observable Core Concepts and STIX Patterning.

STIX 2.0 development takes place at OASIS Cyber Threat Intelligence (CTI) TC.

Sigma is a generic and open signature format that allows you to describe relevant log events in a straight forward manner. Specifications are available at the following location

Sigma development takes place at the following GitHub repository.

YARA is an open pattern-matching format to find textual or binary patterns in binary or stream of binary. Documentation of the YARA format is available at the following location

YARA development takes place at the following GitHub repository.

GENE is an open format to match Windows Event Logs (EVTX).

GENE development takes place at the following GitHub repository.


  1. EnglishmansDentist Exploit Analysis
  2. Arno0x/NtlmRelayToEWS: ntlm relay attack to Exchange Web Services
  3. sensepost/notruler: The opposite of Ruler, provides blue teams with the ability to detect Ruler usage against Exchange.
  4. GitHub - dafthack/MailSniper: MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used as a non-administrative user to search their own email, or by an administrator to search the mailboxes of every user in a domain.
  5. Escalating privileges with ACLs in Active Directory