When to model a concept via object vs taxonomy vs galaxy in MISP?

Question

Taxonomies in MISP are a triple of (namespace, predicate, value) referred to as "machinetags".

Galaxies seem to be similar. The MISP galaxy docs state that

MISP galaxy is a simple method to express a large object called cluster that can be attached to MISP events or attributes.

Objects in MISP allow combinations of attributes, and the format definitions provide a common set of formats for modeling complex objects. Objects can also model relationships to other objects.

Taxonomies, galaxies, and objects are all defined via a set of open JSON definitions.

What is not clear is when should I use a tag from a taxonomy, a galaxy cluster, or an object to model some attribute about an event. The overlap between machine tags in a taxonomy and clusters in a galaxy is particularly unclear to me

Additional information

The JSON definitions of events for all these types can be found here:

• Taxonomies: https://github.com/MISP/misp-taxonomies
• Galaxy: https://github.com/MISP/misp-galaxy
• Objects: https://github.com/MISP/misp-objects

According to the docs, "galaxy" is a reserved namespace within the MISP taxonomy.

The docs for all 3 invite contributions of additional elements

• https://github.com/MISP/misp-taxonomies#how-to-contribute-your-taxonomy
• https://github.com/MISP/misp-galaxy#how-to-contribute
• https://github.com/MISP/misp-objects#how-to-contribute-misp-objects

The RFCs for the core format, taxonomy, galaxy, and objects can be found here:

• https://datatracker.ietf.org/doc/html/draft-dulaunoy-misp-core-format-03
• https://datatracker.ietf.org/doc/html/draft-dulaunoy-misp-taxonomy-format-04
• https://datatracker.ietf.org/doc/html/draft-dulaunoy-misp-galaxy-format-01
• https://datatracker.ietf.org/doc/html/draft-dulaunoy-misp-object-template-format-00

This topic (when to use taxonomy vs galaxy vs object) is not addressed in recent training materials: https://www.circl.lu/assets/files/misp-training/luxembourg2018/6-taxonomies.pdf

Ideas

Objects vs attributes

Both of different from tags since they allow the user to set values. So for the attribute Artifacts dropped: md5 the user can set the value of the md5 hash. Tags are just binary flags.

Objects are different from attributes since they can model a bundle of tags that can describe a single concept, like a user or a bank account, and they can then model relationships between these tag bundles.

Perhaps the difference between taxonomy and galaxy is related to the complexity of the definitions?

Each machine tag in a taxonomy usually just has value and expanded defined: https://github.com/MISP/misp-taxonomies/blob/master/veris/machinetag.json

Each machine tag in a galaxy has value, description, uuid, and meta (which is a nested object containing more details: https://github.com/MISP/misp-galaxy/blob/master/clusters/android.json

The sample galaxy from the core format RFC adds significantly more details than a tag: https://datatracker.ietf.org/doc/html/draft-dulaunoy-misp-core-format-03#section-2.10.1

Answer 1

The following decision process can be used to select how to model an attribute of an event via MISP.

1. If you can model a property of your event using a MISP default attribute, use one of those.
2. If the property requires multiple attributes to describe it (or you need to model relationships between attributes), use an object to group those attributes together.
3. If the property is a binary value (the event either has the property or it doesn't), use a tag. Try to select an existing value from an existing taxonomy.
4. If the property is a binary value but needs more more metadata associated with it than a normal tag can support, use a galaxy cluster.

The distinction between 3 and 4 (taxonomy and galaxy) is supported by the responses to this question.