Threat Intelligence Standards and Formats

This page provides an overview of key open standards, formats, and specifications used in the field of threat intelligence and cybersecurity.
These standards enable interoperability, improve collaboration, and help security teams exchange actionable information more effectively.
Below is a non-exhaustive list of widely adopted initiatives.


MISP Threat Sharing Standard

The MISP project maintains a set of open specifications for threat intelligence sharing, published under the MISP Standard umbrella:

In addition, the MISP project maintains a wide range of supporting resources:

MISP development takes place at the official GitHub organisation.


IODEF — Incident Object Description Exchange Format

IODEF (Incident Object Description Exchange Format) was first specified in RFC 5070 (2007); RFC 6685 (2012) later defined the expert-review process for registering IODEF extensions in the IANA XML registry. Both were obsoleted by RFC 7970 (2016), which defines IODEF version 2.

An important extension is defined in RFC 7203 (An IODEF Extension for Structured Cybersecurity Information), which adds the AttackPattern, Platform, Vulnerability, Scoring, Weakness, EventReport, Verification and Remediation classes so that structured data such as attack patterns, platform identifiers, vulnerability records and severity scores can be embedded in an IODEF document.

Development continues within the IETF Managed Incident Lightweight Exchange (MILE) Working Group.


IDMEF — Intrusion Detection Message Exchange Format

IDMEF (Intrusion Detection Message Exchange Format) is specified in RFC 4765 (2007), an Experimental RFC that defines an XML data model for alerts exchanged between intrusion detection sensors and management consoles.


OpenTPX — Open Threat Partner Exchange

OpenTPX (Open Threat Partner Exchange) is a JSON format designed to exchange machine-readable threat intelligence along with network security-related information.

Development takes place at the opentpx GitHub repository.


STIX — Structured Threat Information eXpression (1.1 and 1.2)

STIX 1.x was originally developed by MITRE under US DHS sponsorship as an XML-based language. Version 1.1 was released in 2014 and version 1.2 in 2015, with specifications available here:


STIX — Structured Threat Information eXpression (2.0)

STIX 2.0 is developed by the OASIS Cyber Threat Intelligence (CTI) Technical Committee, which took over stewardship of STIX from MITRE in 2015. It replaces the XML-based 1.x format with JSON objects (STIX Domain Objects and Relationship Objects) carried in a bundle.
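As an added example (not code from OASIS or from the page), the following standard-library Python builds a minimal STIX 2.0 bundle (a malware object, an indicator and an "indicates" relationship) and checks the structural rules a consumer would verify before ingesting it: the "<type>--<uuid>" identifier form, the common required properties, the per-type required properties, and that relationship references resolve inside the bundle. The object and function names are this example's own, the required-property table covers only the three types emitted, and the SHA-256 in the pattern is the hash of the empty string, used as a constructed placeholder rather than a real sample.

```python
"""Build a minimal STIX 2.0 bundle and check its structural rules (stdlib only)."""
import json
import re
import uuid
from datetime import datetime, timezone

# STIX identifiers are "<type>--<UUIDv4>"; the prefix must agree with "type".
STIX_ID = re.compile(r"^[a-z][a-z0-9-]*--[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

# Properties STIX 2.0 requires on every SDO/SRO, plus per-type required ones
# (subset: only the object types this example emits are listed).
COMMON_REQUIRED = ("type", "id", "created", "modified")
TYPE_REQUIRED = {
    "indicator": ("labels", "pattern", "valid_from"),
    "malware": ("labels", "name"),
    "relationship": ("relationship_type", "source_ref", "target_ref"),
}


def stix_timestamp(dt=None):
    """RFC 3339 UTC timestamp with millisecond precision and a trailing 'Z'."""
    dt = dt or datetime.now(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def make_object(obj_type, **props):
    """Create an SDO/SRO with the common properties filled in."""
    now = stix_timestamp()
    obj = {"type": obj_type, "id": f"{obj_type}--{uuid.uuid4()}",
           "created": now, "modified": now}
    obj.update(props)
    return obj


def make_bundle(objects):
    # In STIX 2.0 spec_version lives on the bundle (2.1 moved it onto each object).
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "spec_version": "2.0", "objects": list(objects)}


def validate_bundle(bundle):
    """Return a list of problems found; an empty list means all checks passed."""
    problems = []
    if bundle.get("type") != "bundle" or bundle.get("spec_version") != "2.0":
        problems.append("bundle: type must be 'bundle' with spec_version '2.0'")
    seen = set()
    objects = bundle.get("objects", [])
    for obj in objects:
        oid, otype = obj.get("id", "?"), obj.get("type", "")
        for key in COMMON_REQUIRED + TYPE_REQUIRED.get(otype, ()):
            if key not in obj:
                problems.append(f"{oid}: missing required property {key!r}")
        if not STIX_ID.match(oid) or not oid.startswith(f"{otype}--"):
            problems.append(f"{oid}: id does not match '<type>--<uuid4>'")
        if oid in seen:
            problems.append(f"{oid}: duplicate id")
        seen.add(oid)
    # Relationships must reference objects that are actually in the bundle.
    for obj in objects:
        if obj.get("type") == "relationship":
            for ref in ("source_ref", "target_ref"):
                if obj.get(ref) not in seen:
                    problems.append(f"{obj.get('id', '?')}: dangling {ref}")
    return problems


def example_bundle():
    """Constructed example: an indicator that 'indicates' a malware object."""
    malware = make_object("malware", name="ExampleLoader", labels=["trojan"])
    indicator = make_object(
        "indicator", labels=["malicious-activity"], valid_from=stix_timestamp(),
        # constructed pattern: SHA-256 of the empty string, not a real sample
        pattern="[file:hashes.'SHA-256' = "
                "'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']")
    rel = make_object("relationship", relationship_type="indicates",
                      source_ref=indicator["id"], target_ref=malware["id"])
    return make_bundle([malware, indicator, rel])


if __name__ == "__main__":
    bundle = example_bundle()
    print(json.dumps(bundle, indent=2))
    print("problems:", validate_bundle(bundle) or "none")
```

The referential check matters in practice: feeds frequently ship relationships whose endpoints live in another bundle, and a consumer that silently drops them loses the context that links an indicator to the threat it describes. The full 2.0 vocabulary checks (open-vocabulary values, pattern syntax) are left to a proper validator such as the OASIS stix2-validator.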

The following documents were released for version 2.0:


Sigma — Generic Signature Format for SIEM Systems

Sigma is a generic and open signature format that lets analysts describe relevant log events in a straightforward, vendor-neutral way. Rules are written in YAML, name one or more searches over log fields (with modifiers such as contains or endswith) and combine them in a condition; converters then translate a rule into the query language of a specific SIEM backend.

Specifications are available in the Sigma wiki.
Development takes place at the Sigma GitHub repository.
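To make the rule structure concrete, here is an added example (not part of the Sigma project or of this page) that evaluates a Sigma-style rule directly against constructed process-creation events in Python. The rule is written as a dict with the same keys a Sigma YAML file has, so the example runs without PyYAML; the events, the rule and the function names are constructed for this example, and only the subset of the condition grammar consisting of identifiers, and, or, not and parentheses is implemented.

```python
"""Evaluate a Sigma-style rule against constructed log events (stdlib only)."""
import re

# Constructed rule in Sigma's structure, as a dict instead of YAML. Keys of the
# form "field|modifier" follow the Sigma convention; the condition refers to
# the named searches ("selection", "filter").
RULE = {
    "title": "Credential dumping via Mimikatz-style command line (example)",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "EventID": 4688,
            "CommandLine|contains": ["sekurlsa::", "privilege::debug"],
        },
        "filter": {"ParentImage|endswith": "\\edr-scanner.exe"},
        "condition": "selection and not filter",
    },
}

# Constructed process-creation events; not real telemetry.
EVENTS = [
    {"EventID": 4688, "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "mimikatz.exe privilege::debug sekurlsa::logonpasswords"},
    {"EventID": 4688, "ParentImage": "C:\\Program Files\\Vendor\\edr-scanner.exe",
     "CommandLine": "mimikatz.exe sekurlsa::logonpasswords"},
    {"EventID": 4688, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "notepad.exe report.txt"},
    {"EventID": 4624, "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "SEKURLSA::logonpasswords"},
]


def value_matches(actual, expected, modifier):
    """Match one value; Sigma string matching is case-insensitive except for 're'."""
    if modifier == "re":
        return re.search(str(expected), str(actual)) is not None
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    return a == e  # no modifier: exact (case-insensitive) match


def field_matches(event, spec_key, expected):
    """One 'field|modifiers' entry; a list of values is OR unless '|all' is set."""
    field, _, mods = spec_key.partition("|")
    if field not in event:
        return False
    modifiers = mods.split("|") if mods else []
    modifier = next((m for m in modifiers if m != "all"), "")
    values = expected if isinstance(expected, list) else [expected]
    hits = [value_matches(event[field], v, modifier) for v in values]
    return all(hits) if "all" in modifiers else any(hits)


def search_matches(event, search):
    """A map-style search is an implicit AND over its field entries."""
    return all(field_matches(event, k, v) for k, v in search.items())


# Recursive-descent evaluator for the condition subset
#   expr := term ('or' term)* ; term := factor ('and' factor)*
#   factor := 'not' factor | '(' expr ')' | IDENTIFIER
# Quantifiers such as "1 of them" and aggregations are not supported here.
_TOKENS = re.compile(r"\(|\)|\w+")


def _parse_or(tokens, pos, truth):
    value, pos = _parse_and(tokens, pos, truth)
    while pos < len(tokens) and tokens[pos] == "or":
        rhs, pos = _parse_and(tokens, pos + 1, truth)
        value = value or rhs
    return value, pos


def _parse_and(tokens, pos, truth):
    value, pos = _parse_not(tokens, pos, truth)
    while pos < len(tokens) and tokens[pos] == "and":
        rhs, pos = _parse_not(tokens, pos + 1, truth)
        value = value and rhs
    return value, pos


def _parse_not(tokens, pos, truth):
    if pos >= len(tokens):
        raise ValueError("unexpected end of condition")
    tok = tokens[pos]
    if tok == "not":
        value, pos = _parse_not(tokens, pos + 1, truth)
        return (not value), pos
    if tok == "(":
        value, pos = _parse_or(tokens, pos + 1, truth)
        if pos >= len(tokens) or tokens[pos] != ")":
            raise ValueError("unbalanced parentheses in condition")
        return value, pos + 1
    if tok not in truth:
        raise ValueError(f"unknown search identifier {tok!r}")
    return truth[tok], pos + 1


def rule_matches(rule, event):
    """True if the event satisfies the rule's condition over its named searches."""
    detection = rule["detection"]
    truth = {name: search_matches(event, spec)
             for name, spec in detection.items() if name != "condition"}
    tokens = _TOKENS.findall(detection["condition"])
    value, pos = _parse_or(tokens, 0, truth)
    if pos != len(tokens):
        raise ValueError("trailing tokens in condition")
    return value


def matching_events(rule, events):
    """Indices of the events that match the rule."""
    return [i for i, ev in enumerate(events) if rule_matches(rule, ev)]
```

Running matching_events(RULE, EVENTS) flags only the first event: the second is suppressed by the filter on the parent image, the third never matches the selection, and the fourth has the right command line but the wrong EventID. That is exactly the shape of most real Sigma rules, a broad selection narrowed by one or more filters, and it is also why filters deserve review: an attacker who can choose the parent process name can walk through an overly generous filter.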


YARA — The Pattern-Matching Swiss Knife

YARA is an open rule format and matching engine used to identify textual or binary patterns in files, process memory and data streams. A rule declares text, hexadecimal and regular-expression strings and a boolean condition over them (and over file properties such as size or entry point), which makes it the standard way to describe malware families and share those descriptions between analysts.

Documentation is available at yara.readthedocs.io.
Development takes place at the YARA GitHub repository.


GENE — Go Evtx sigNature Engine

GENE is an open format designed to detect and match patterns in Windows Event Logs (EVTX).

Development takes place at the GENE GitHub repository.