{
"attributes": {
"criticality": {
"description": "Criticality of the incident.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"Not Specified",
"False Positive",
"Low",
"Moderate",
"High",
"Extreme"
],
"ui-priority": 0
},
"description": {
"description": "Description of the incident.",
"misp-attribute": "text",
"ui-priority": 1
},
"detection_method": {
"description": "Methods used to detect the activity.",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"sane_default": [
"automated-tool",
"human-review",
"message-from-attacker",
"system-outage",
"user-reporting"
],
"ui-priority": 0
},
"determination": {
"description": "Determination on the outcome of the incident.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"blocked",
"successful-attempt",
"failed-attempt",
"false-positive",
"low-value",
"suspected"
],
"ui-priority": 0
},
"incident_type": {
"description": "Type of incident.",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"sane_default": [
"aggregation-information-phishing-schemes",
"benign",
"blocked",
"brute-force-attempt",
"c&c-server-hosting",
"compromised-system",
"confirmed",
"connection-malware-port",
"connection-malware-system",
"content-forbidden-by-law",
"control-system-bypass",
"copyrighted-content",
"data-exfiltration",
"deferred",
"deletion-information",
"denial-of-service",
"destruction",
"dictionary-attack-attempt",
"discarded",
"disruption-data-transmission",
"dissemination-malware-email",
"dissemination-phishing-emails",
"dns-cache-poisoning",
"dns-local-resolver-hijacking",
"dns-spoofing-registered",
"dns-rebinding",
"dns-server-compromise",
"dns-spoofing-unregistered",
"dns-stub-resolver-hijacking",
"dns-zone-transfer",
"domain-name-compromise",
"duplicate",
"email-flooding",
"equipment-loss",
"equipment-theft",
"exploit",
"exploit-attempt",
"exploit-framework-exhausting-resources",
"exploit-tool-exhausting-resources",
"failed",
"file-inclusion",
"file-inclusion-attempt",
"hosting-malware-webpage",
"hosting-phishing-sites",
"illegitimate-use-name",
"illegitimate-use-resources",
"infected-by-known-malware",
"insufficient-data",
"known-malware",
"lame-delegations",
"major",
"modification-information",
"misconfiguration",
"natural",
"network-scanning",
"no-apt",
"packet-flood",
"password-cracking-attempt",
"ransomware",
"refuted",
"scan-probe",
"silently-discarded",
"supply-chain-customer",
"supply-chain-vendor",
"spam",
"sql-injection",
"sql-injection-attempt",
"successful",
"system-probe",
"theft-access-credentials",
"unattributed",
"unauthorized-access-information",
"unauthorized-access-system",
"unauthorized-equipment",
"unauthorized-release",
"unauthorized-use",
"undetermined",
"unintentional",
"unknown-apt",
"unspecified",
"vandalism",
"wiretapping",
"worm-spreading",
"xss",
"xss-attempt"
],
"ui-priority": 0
},
"investigation_status": {
"description": "Current status of the incident investigation.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"closed",
"new",
"open"
],
"ui-priority": 0
},
"name": {
"description": "Name of the incident.",
"misp-attribute": "text",
"ui-priority": 1
},
"recoverability": {
"description": "Recoverability of the incident, with respect to feasibility and required time and resources.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"extended",
"not-applicable",
"not-recoverable",
"regular",
"supplemented"
],
"ui-priority": 0
},
"score": {
"description": "Incident score, with a name, an optional description and the numeric score value.",
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
}
},
"description": "Incident object template as described in STIX 2.1 Incident object and its core extension.",
"meta-category": "misc",
"name": "incident",
"required": [
"name"
],
"uuid": "38597424-f9bb-4865-9b4b-819172df0334",
"version": 1
}