From 0c98a925f3db3184a9f44fdce7adcb3d3150806e Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 3 Sep 2018 13:54:59 +0200
Subject: [PATCH] chg: [forensic-case] object added based on the original one from @Aks6193 The idea is to separate the evidences from the case itself as you can have multiple acquisitions for a specific case. Another object template is required such as [forensic-evidence] to be able to link between the forensic-case object and one or more evidences.
---
objects/forensic-case/definition.json | 47 +++++++++++++++++++++++++++
1 file changed, 47 insertions(+)
create mode 100644 objects/forensic-case/definition.json
diff --git a/objects/forensic-case/definition.json b/objects/forensic-case/definition.json
new file mode 100644
index 0000000..a15b7c2
--- /dev/null
+++ b/objects/forensic-case/definition.json
@@ -0,0 +1,47 @@
+{
+ "requiredOneOf": [
+ "case-number"
+ ],
+ "attributes": {
+ "case-number": {
+ "description": "Any unique number assigned to the case for unique identification.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "case-name": {
+ "description": "Name to address the case.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "name-of-the-analyst": {
+ "description": "Name(s) of the analyst assigned to the case.",
+ "multiple": true,
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "references": {
+ "description": "External references",
+ "multiple": true,
+ "ui-priority": 0,
+ "misp-attribute": "link"
+ },
+ "analysis-start-date": {
+ "description": "Date when the analysis began.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "additional-comments": {
+ "description": "Comments.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ }
+ },
+ "version": 1,
+ "description": "An object template to describe a digital forensic case.",
+ "meta-category": "misc",
+ "uuid": "3ea36022-ae93-455e-88b1-d43aca789cac",
+ "name": "forensic-case"
+}
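Review bot: `case-name` is a free-text label but, unlike `name-of-the-analyst` and `additional-comments`, it is left correlatable, so a generic case name could link unrelated events and hint to other parties that a matching case exists; consider adding `"disable_correlation": true` to that attribute. `name-of-the-analyst` holds personal names that travel with the event wherever it is distributed, and `disable_correlation` does not limit that, so the description could say so, e.g. `"description": "Name(s) of the analyst assigned to the case; distributed with the event, so use a handle if identities must stay internal."`. As a smaller style point, `requiredOneOf` with a single entry presumably behaves like a plain requirement, and `"required": ["case-number"]` would state the intent more directly.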