2018-10-25 17:31:36 +02:00
|
|
|
{
|
|
|
|
"required": [
|
|
|
|
"source",
|
|
|
|
"type",
|
|
|
|
"name"
|
|
|
|
],
|
|
|
|
"attributes": {
|
|
|
|
"event-id": {
|
|
|
|
"description": "A unique number which identifies the event.",
|
|
|
|
"ui-priority": 1,
|
|
|
|
"misp-attribute": "text",
|
|
|
|
"disable_correlation": true
|
|
|
|
},
|
|
|
|
"name": {
|
|
|
|
"description": "Name of the event.",
|
|
|
|
"ui-priority": 2,
|
|
|
|
"misp-attribute": "text",
|
|
|
|
"disable_correlation": true
|
|
|
|
},
|
|
|
|
"event-channel": {
|
|
|
|
"description": " Channel through which the event occurred",
|
|
|
|
"ui-priority": 3,
|
|
|
|
"misp-attribute": "text",
|
|
|
|
"disable_correlation": true,
|
2018-10-25 17:35:50 +02:00
|
|
|
"sane_default": [
|
2018-10-25 17:31:36 +02:00
|
|
|
"Application",
|
|
|
|
"System",
|
|
|
|
"Security",
|
|
|
|
"Setup",
|
|
|
|
"other"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
"event-type": {
|
|
|
|
"description": "Event-type assigned to the event",
|
|
|
|
"ui-priority": 0,
|
|
|
|
"misp-attribute": "text",
|
|
|
|
"disable_correlation": true,
|
2018-10-25 17:35:50 +02:00
|
|
|
"sane_default": [
|
2018-10-25 17:31:36 +02:00
|
|
|
"Admin",
|
|
|
|
"Operational",
|
|
|
|
"Audit",
|
|
|
|
"Analytic",
|
|
|
|
"Debug",
|
|
|
|
"other"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
"source": {
|
|
|
|
"description": "The source of the event log - application/software that logged the event.",
|
|
|
|
"ui-priority": 0,
|
|
|
|
"misp-attribute": "text"
|
|
|
|
},
|
|
|
|
"event-date-time": {
|
|
|
|
"description": "Date and time when the event was logged.",
|
|
|
|
"ui-priority": 0,
|
|
|
|
"misp-attribute": "datetime",
|
|
|
|
"disable_correlation": true
|
|
|
|
},
|
|
|
|
"level": {
|
|
|
|
"description": "Determines the event severity.",
|
|
|
|
"ui-priority": 0,
|
|
|
|
"misp-attribute": "text",
|
|
|
|
"sane_default": [
|
|
|
|
"Information",
|
|
|
|
"Warning",
|
|
|
|
"Error",
|
|
|
|
"Critical",
|
|
|
|
"Success Audit",
|
|
|
|
"Failure Audit"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
"Computer": {
|
|
|
|
"description": "Computer name on which the event occurred",
|
|
|
|
"ui-priority": 0,
|
|
|
|
"misp-attribute": "text",
|
|
|
|
"disable_correlation": true
|
|
|
|
},
|
|
|
|
"User": {
|
|
|
|
"description": "Name or the User ID the event is associated with.",
|
|
|
|
"ui-priority": 0,
|
|
|
|
"misp-attribute": "text",
|
|
|
|
"disable_correlation": true
|
|
|
|
},
|
|
|
|
"Operational-code": {
|
|
|
|
"description": "The opcode (numeric value or name) associated with the activity carried out by the event.",
|
|
|
|
"ui-priority": 0,
|
|
|
|
"misp-attribute": "text",
|
|
|
|
"disable_correlation": true
|
|
|
|
},
|
|
|
|
"log": {
|
|
|
|
"description": "Log file where the event was recorded.",
|
|
|
|
"ui-priority": 0,
|
|
|
|
"misp-attribute": "text",
|
|
|
|
"disable_correlation": true
|
|
|
|
},
|
|
|
|
"task-category": {
|
|
|
|
"description": "Activity by the event publisher",
|
|
|
|
"ui-priority": 0,
|
|
|
|
"misp-attribute": "text",
|
|
|
|
"disable_correlation": true
|
|
|
|
},
|
|
|
|
"Keywords": {
|
|
|
|
"description": "Tags used for the event for the purpose of filtering or searching.",
|
|
|
|
"ui-priority": 0,
|
|
|
|
"misp-attribute": "text",
|
|
|
|
"sane_default": [
|
|
|
|
"Network",
|
|
|
|
"Security",
|
|
|
|
"Resource not found",
|
|
|
|
"other"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
"Processor-ID": {
|
|
|
|
"description": "ID of the processor that processed the event.",
|
|
|
|
"ui-priority": 0,
|
|
|
|
"misp-attribute": "text",
|
|
|
|
"disable_correlation": true
|
|
|
|
},
|
|
|
|
"Thread-ID": {
|
|
|
|
"description": "Thread id that generated the event.",
|
|
|
|
"ui-priority": 0,
|
|
|
|
"misp-attribute": "text",
|
|
|
|
"disable_correlation": true
|
|
|
|
},
|
|
|
|
"Session-ID": {
|
|
|
|
"description": "Terminal server session ID.",
|
|
|
|
"ui-priority": 0,
|
|
|
|
"misp-attribute": "text",
|
|
|
|
"disable_correlation": true
|
|
|
|
},
|
|
|
|
"Correlation-ID": {
|
|
|
|
"description": "Unique activity identity which relates the event to a process. ",
|
|
|
|
"ui-priority": 0,
|
|
|
|
"misp-attribute": "text"
|
|
|
|
},
|
|
|
|
"Relative-Correlation-ID": {
|
|
|
|
"description": "Related activity ID which identity similar activities which occurred as a part of the event.",
|
|
|
|
"ui-priority": 0,
|
|
|
|
"misp-attribute": "text",
|
|
|
|
"disable_correlation": true
|
|
|
|
},
|
|
|
|
"kernel-time": {
|
|
|
|
"description": "Execution time of the kernel mode instruction.",
|
|
|
|
"ui-priority": 0,
|
|
|
|
"misp-attribute": "datetime",
|
|
|
|
"disable_correlation": true
|
|
|
|
},
|
|
|
|
"user-time": {
|
|
|
|
"description": "Date and time when the user instruction was executed.",
|
|
|
|
"ui-priority": 0,
|
|
|
|
"misp-attribute": "datetime",
|
|
|
|
"disable_correlation": true
|
|
|
|
},
|
|
|
|
"Event-data": {
|
|
|
|
"description": "Event data description.",
|
|
|
|
"ui-priority": 0,
|
|
|
|
"misp-attribute": "text",
|
|
|
|
"disable_correlation": true
|
|
|
|
},
|
|
|
|
"comment": {
|
|
|
|
"description": "Additional comments.",
|
|
|
|
"ui-priority": 0,
|
|
|
|
"misp-attribute": "text",
|
|
|
|
"disable_correlation": true
|
|
|
|
}
|
|
|
|
},
|
|
|
|
"version": 1,
|
|
|
|
"description": "Event log object template to share information of the activities conducted on a system. ",
|
|
|
|
"meta-category": "misc",
|
|
|
|
"uuid": "94e3aee9-cb99-4503-9bf6-7da3db5de55e",
|
|
|
|
"name": "python-etvx-event-log"
|
|
|
|
}
|