{"id":27976442,"url":"https://github.com/misp/cexf","last_synced_at":"2025-07-01T12:03:54.770Z","repository":{"id":71992479,"uuid":"440108166","full_name":"MISP/cexf","owner":"MISP","description":"Common Exercise Format - CEXF ","archived":false,"fork":false,"pushed_at":"2024-08-15T07:58:24.000Z","size":73,"stargazers_count":10,"open_issues_count":2,"forks_count":0,"subscribers_count":10,"default_branch":"main","last_synced_at":"2025-06-30T02:03:23.436Z","etag":null,"topics":["cyber-range","cybersecurity","exercise","misp"],"latest_commit_sha":null,"homepage":"https://misp.github.io/cexf/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/MISP.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2021-12-20T09:15:12.000Z","updated_at":"2024-08-15T07:58:27.000Z","dependencies_parsed_at":null,"dependency_job_id":"75dd261f-64f7-4366-8e7b-5b91fce516fb","html_url":"https://github.com/MISP/cexf","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/MISP/cexf","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MISP%2Fcexf","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MISP%2Fcexf/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MISP%2Fcexf/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MISP%2Fcexf/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/MISP","download_url":"https://codeload.github.com/MISP/cexf/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MISP%2Fcexf/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":262959563,"owners_count":23391057,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cyber-range","cybersecurity","exercise","misp"],"created_at":"2025-05-08T01:26:47.001Z","updated_at":"2025-07-01T12:03:54.730Z","avatar_url":"https://github.com/MISP.png","language":"Python","readme":"# Common Exercise Format (CEXF)\n\nCommon Exercise Format is a proposed format to describe cyber exercise including the exercise metadata, inject flow, the inject and the associated validations/scoring.\n\n# Why structuring exercises in a common format such as CEXF?\n\n- To ensure that an exercise contains all the required elements;\n- To validate exercise definitions, in particular potential issues such as the missing or incorrect elements;\n- To automate the planning and injects;\n- To trace the evolution of an exercise (via diff ang git);\n- To allow external contributions by using a common format;\n\n# CEXF Format description\n\n- [Common Exercise Format (CEXF) - format description](https://github.com/MISP/cexf/blob/main/format-description.md)\n\n# Platforms supporting the CEXF Format\n\n\n- [SkillAegis](https://github.com/MISP/SkillAegis) is a platform to design, run, and monitor exercise scenarios, enhancing skills in applications like MISP and training users in best practices for information management and protective tools. Its gamification system makes learning engaging, ensuring users acquire essential technical skills and adhere to industry standards.\n- An [open source platform](https://github.com/MISP/cexf/tree/main/platform) PoC to run exercises in CEXF format.\n\n# How to contribute and create an exercise\n\n- Create a new git repository with the JSON CEXF.\n- Create JSON file(s) to describe your exercise(s). You can have a look at [Common Exercise Format (CEXF) - format description](https://github.com/MISP/cexf/blob/main/format-description.md) or the [sample directory](https://github.com/MISP/cexf/tree/main/samples) for examples.\n- Propose a pull-request to have your exercise listed on this repository.\n\n## Common Exercise format - Sample\n\n\n```json\n{\n \"exercise\": {\n \"description\": \"Simple Spear Phishing e-mail example, mimicing a fraud case\",\n \"expanded\": \"# Simple Spear Phishing e-mail example, mimicing a fraud case\",\n \"meta\": {\n \"author\": \"MISP Project\",\n \"level\": \"beginner\"\n },\n \"name\": \"Phishing e-mail\",\n \"namespace\": \"phishing\",\n \"tags\": [\n \"exercise:software-scope=\\\"misp\\\"\",\n \"state:production\"\n ],\n \"total_duration\": \"7200\",\n \"uuid\": \"75d7460-af9d-4098-8ad1-754457076b32\",\n \"valid_until\": \"20310611\",\n \"version\": \"20210611\"\n },\n \"inject_flow\": [\n {\n \"description\": \"Initial inject of an incident email to start the exercise.\",\n \"inject_uuid\": \"19272db1-a7c4-4cb3-aa33-df775b8fec8c\",\n \"reporting_callback\": [],\n \"requirements\": {},\n \"sequence\": {\n \"completion_trigger\": [\n \"time_expiration\",\n \"completion\"\n ],\n \"followed_by\": [\n \"c104aa37-e394-43ce-b82b-a733d3745468\"\n ],\n \"trigger\": [\n \"startex\"\n ]\n },\n \"timing\": {\n \"triggered_at\": null\n }\n },\n {\n \"description\": \"Inject related to network acticity.\",\n \"inject_uuid\": \"c104aa37-e394-43ce-b82b-a733d3745468\",\n \"reporting_callback\": [],\n \"requirements\": {\n \"inject_uuid\": \"19272db1-a7c4-4cb3-aa33-df775b8fec8c\",\n \"resolution_requirement\": \"Publishing\"\n },\n \"sequence\": {\n \"completion_trigger\": [\n \"time_expiration\",\n \"completion\"\n ],\n \"trigger\": \"inject-resolution\"\n },\n \"timing\": {\n \"triggered_at\": null\n }\n }\n ],\n \"inject_payloads\": [\n {\n \"name\": \"email-incident\",\n \"parameters\": {\n \"content\": \"RnJvbSBjc2lydEB0ZWxjby5sdQoKRGVhciB4eSwKCldlIGhhdmUgaGFkIGEgZmFpbGVkIHNwZWFycGhpc2hpbmcgYXR0ZW1wdCB0YXJnZXRpbmcgb3VyIENFTyByZWNlbnRseSB3aXRoIHRoZSBmb2xsb3dpbmcgZGV0YWlsczoKCk91ciBDRU8gcmVjZWl2ZWQgYW4gRS1tYWlsIG9uIDAzLzAyLzIwMjEgMTU6NTYgY29udGFpbmluZyBhIHBlcnNvbmFsaXNlZCBtZXNzYWdlIGFib3V0IGEgcmVwb3J0IGNhcmQgZm9yIHRoZWlyIGNoaWxkLiBUaGUgYXR0YWNrZXIgcHJldGVuZGVkIHRvIGJlIHdvcmtpbmcgZm9yIHRoZSBzY2hvb2wgb2YgdGhlIENFT+KAmXMgZGF1Z2h0ZXIsIHNlbmRpbmcgdGhlIG1haWwgZnJvbSBhIHNwb29mZWQgYWRkcmVzcyAoam9obi5kb2VAbHV4ZW1ib3VyZy5lZHUpLiBKb2huIERvZSBpcyBhIHRlYWNoZXIgb2YgdGhlIHN0dWRlbnQuIFRoZSBlbWFpbCB3YXMgcmVjZWl2ZWQgZnJvbSB0aHJvd2F3YXktZW1haWwtcHJvdmlkZXIuY29tICgxMzcuMjIxLjEwNi4xMDQpLiAKClRoZSBlLW1haWwgY29udGFpbmVkIGEgbWFsaWNpb3VzIGZpbGUgKGZpbmQgaXQgYXR0YWNoZWQpIHRoYXQgd291bGQgdHJ5IHRvIGRvd25sb2FkIGEgc2Vjb25kYXJ5IHBheWxvYWQgZnJvbSBodHRwczovL2V2aWxwcm92aWRlci5jb20vdGhpcy1pcy1ub3QtbWFsaWNpb3VzLmV4ZSAoYWxzbyBhdHRhY2hlZCwgcmVzb2x2ZXMgdG8gMjYwNzo1MzAwOjYwOmNkNTI6MzA0Yjo3NjBkOmRhNzpkNSkuIEl0IGxvb2tzIGxpa2UgdGhlIHNhbXBsZSBpcyB0cnlpbmcgdG8gZXhwbG9pdCBDVkUtMjAxNS01NDY1LiBBZnRlciBhIGJyaWVmIHRyaWFnZSwgdGhlIHNlY29uZGFyeSBwYXlsb2FkIGhhcyBhIGhhcmRjb2RlZCBDMiBhdCBodHRwczovL2Fub3RoZXIuZXZpbC5wcm92aWRlci5jb206NTc2NjYgKDExOC4yMTcuMTgyLjM2KSB0byB3aGljaCBpdCB0cmkKZXMgdG8gZXhmaWx0cmF0ZSBsb2NhbCBjcmVkZW50aWFscy4gVGhpcyBpcyBob3cgZmFyIHdlIGhhdmUgZ290dGVuIHNvIGZhci4gUGxlYXNlIGJlIG1pbmRmdWwgdGhhdCB0aGlzIGlzIGFuIG9uZ29pbmcgaW52ZXN0aWdhdGlvbiwgd2Ugd291bGQgbGlrZSB0byBhdm9pZCBpbmZvcm1pbmcgdGhlIGF0dGFja2VyIG9mIHRoZSBkZXRlY3Rpb24gYW5kIGtpbmRseSBhc2sgeW91IHRvIG9ubHkgdXNlIHRoZSBjb250YWluZWQgaW5mb3JtYXRpb24gdG8gcHJvdGVjdCB5b3VyIGNvbnN0aXR1ZW50cy4KCkJlc3QgcmVnYXJkcywKCg==\",\n \"content-type\": \"base64\",\n \"filename\": \"email.eml\"\n },\n \"type\": \"file\",\n \"uuid\": \"930c6f6b-f89d-456d-a59d-5cb89bdec0b1\"\n },\n {\n \"name\": \"inject-network-connectivity\",\n \"parameters\": {\n \"destination\": \"player_network_mail_server\",\n \"port\": \"25\",\n \"source\": \"137.221.106.104\"\n },\n \"type\": \"tcp_connection\",\n \"uuid\": \"9b519819-36cc-48b1-8418-43831f2d3a6a\"\n }\n ],\n \"injects\": [\n {\n \"action\": \"email_to_participants\",\n \"action_payload_resource_uuid\": \"930c6f6b-f89d-456d-a59d-5cb89bdec0b1\",\n \"inject_evaluation\": [\n {\n \"parameters\": [\n {\n \"Event.info\": {\n \"comparison\": \"contains\",\n \"values\": [\n \"phishing\",\n \"CEO\"\n ]\n }\n }\n ],\n \"result\": \"MISP event creation\",\n \"score_range\": [\n 0,\n 10\n ]\n },\n {\n \"parameters\": [\n {\n \"Event.attribute\": {\n \"comparison\": \"equals\",\n \"values\": [\n {\n \"type\": [\n \"email-src\",\n \"email\"\n ],\n \"value\": \"john.doe@luxembourg.edu\"\n },\n {\n \"type\": \"domain\",\n \"value\": \"throwaway-email-provider.com\"\n },\n {\n \"type\": [\n \"ip-src\",\n \"ip-dst\"\n ],\n \"value\": \"137.221.106.104\"\n },\n {\n \"type\": [\n \"vulnerability\"\n ],\n \"value\": \"CVE-2015-5465\"\n }\n ]\n }\n }\n ],\n \"result\": \"MISP attribute capture\",\n \"score_range\": [\n 0,\n 40\n ]\n },\n {\n \"parameters\": [\n {\n \"Event.Object\": {\n \"comparison\": \"count\",\n \"values\": [\n \"\u003e3\"\n ]\n }\n }\n ],\n \"result\": \"MISP object use\",\n \"score_range\": [\n 0,\n 30\n ]\n },\n {\n \"parameters\": {\n \"OR\": [\n {\n \"Event.EventTag.Tag.{n}.Tag.name\": {\n \"comparison\": \"contains\",\n \"values\": [\n \"T1566\"\n ]\n }\n },\n {\n \"Event.Attribute.{n}.AttributeTag.{n}.Tag.name\": {\n \"comparison\": \"contains\",\n \"values\": [\n \"T1566\"\n ]\n }\n }\n ]\n },\n \"result\": \"Mitre ATT\u0026CK use\",\n \"score_range\": [\n 0,\n 10\n ]\n },\n {\n \"parameters\": [\n {\n \"Event.published\": {\n \"comparison\": \"is\",\n \"values\": [\n 1\n ]\n }\n }\n ],\n \"result\": \"Publishing\",\n \"score_range\": [\n 0,\n 10\n ]\n }\n ],\n \"name\": \"received e-mail from csirt@telco.lu\",\n \"target_tool\": \"MISP\",\n \"uuid\": \"19272db1-a7c4-4cb3-aa33-df775b8fec8c\"\n },\n {\n \"action\": \"network_connection\",\n \"action_payload_resource_uuid\": \"9b519819-36cc-48b1-8418-43831f2d3a6a\",\n \"inject_evaluation\": [\n {\n \"parameters\": [\n {\n \"source-ip\": {\n \"comparison\": \"is\",\n \"values\": [\n \"137.221.106.104\"\n ]\n }\n }\n ],\n \"result\": \"alert\",\n \"score_range\": [\n 0,\n 50\n ]\n }\n ],\n \"name\": \"malicious network flow\",\n \"target_tool\": \"Suricata\",\n \"uuid\": \"c104aa37-e394-43ce-b82b-a733d3745468\"\n }\n ]\n}\n```\n# License\n\n~~~~\n Copyright (c) 2021-2024 Alexandre Dulaunoy - a@foo.be\n Copyright (c) 2021-2024 CIRCL - Computer Incident Response Center Luxembourg\n Copyright (c) 2021-2024 Andras Iklody\n Copyright (c) 2021-2022 Koen Van Impe\n Copyright (c) 2024 Sami Mokaddem\n\n Redistribution and use in source and binary forms, with or without modification,\n are permitted provided that the following conditions are met:\n\n 1. Redistributions of source code must retain the above copyright notice,\n this list of conditions and the following disclaimer.\n 2. Redistributions in binary form must reproduce the above copyright notice,\n this list of conditions and the following disclaimer in the documentation\n and/or other materials provided with the distribution.\n\n THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND\n ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED\n WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\n IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,\n INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,\n BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF\n LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED\n OF THE POSSIBILITY OF SUCH DAMAGE.\n~~~~\n\n# Sponsors\n\nThe project is supported by\n\n- [\"Connecting Europe Facility – Cybersecurity Digital Service Infrastructure Maintenance and Evolution of Core Service Platform Cooperation Mechanism for CSIRTs – MeliCERTes Facility” (SMART 2018/1024)\"](https://digital-strategy.ec.europa.eu/en/news/open-platforms-collaborate-cyber-threats) which is an open platforms to collaborate on cyber threats.\n- MISP Project\n- CIRCL - Computer Incident Response Center Luxembourg\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmisp%2Fcexf","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmisp%2Fcexf","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmisp%2Fcexf/lists"}