Added edr-report MISP Object definition

2021-10-06 19:42:45 +02:00 · 2021-10-06 19:42:45 +02:00 · 38303b282f
parent cefd58b101
commit 38303b282f
1 changed files with 92 additions and 0 deletions
--- a/objects/edr-report/definition.json
+++ b/objects/edr-report/definition.json
@ -0,0 +1,92 @@
+{
+    "attributes": {
+        "id": {
+            "description": "Report unique identifier",
+            "misp-attribute": "text",
+            "ui-priority": 1
+        },
+        "product": {
+            "description": "EDR product name",
+            "disable_correlation": true,
+            "misp-attribute": "text",
+            "ui-priority": 1
+        },
+        "endpoint-id": {
+            "description": "Unique identifier of the endpoint concerned by the report",
+            "misp-attribute": "text",
+            "ui-priority": 1
+        },
+        "hostname": {
+            "description": "Endpoint hostname",
+            "misp-attribute": "text",
+            "ui-priority": 1
+        },
+        "ip": {
+            "description": "Endpoint IP address",
+            "disable_correlation": true,
+            "misp-attribute": "ip-src",
+            "ui-priority": 1
+        },
+        "event": {
+            "description": "EDR event which triggered reporting",
+            "disable_correlation": true,
+            "misp-attribute": "attachment",
+            "ui-priority": 1
+        },
+        "comment": {
+            "description": "Any valuable comment about the report",
+            "disable_correlation": true,
+            "misp-attribute": "text",
+            "ui-priority": 0
+        },
+        "processes": {
+            "description": "JSON file containing metadata about running processes at the time of detection",
+            "disable_correlation": true,
+            "misp-attribute": "attachment",
+            "ui-priority": 0
+        },
+        "modules": {
+            "description": "JSON file containing metadata about modules loaded on the system",
+            "disable_correlation": true,
+            "misp-attribute": "attachment",
+            "ui-priority": 0
+        },
+        "drivers": {
+            "description": "JSON file containing metadata about drivers loaded on the system",
+            "disable_correlation": true,
+            "misp-attribute": "attachment",
+            "ui-priority": 0
+        },
+        "command": {
+            "description": "JSON file containing the output of a command ran at report generation",
+            "disable_correlation": true,
+            "misp-attribute": "attachment",
+            "multiple": true,
+            "ui-priority": 0
+        },
+        "executable": {
+            "description": "Executable file involved in report generation",
+            "disable_correlation": true,
+            "misp-attribute": "attachment",
+            "multiple": true,
+            "ui-priority": 0
+        },
+        "additional-file": {
+            "description": "Additional file involved in report generation",
+            "disable_correlation": true,
+            "misp-attribute": "attachment",
+            "multiple": true,
+            "ui-priority": 0
+        }
+    },
+    "description": "An Object Template to encode an EDR detection report",
+    "meta-category": "misc",
+    "name": "edr-report",
+    "requiredOneOf": [
+        "id",
+        "endpoint-id",
+        "event"
+    ],
+    "uuid": "eeeca35c-cfcb-49f9-81be-e0c31d83c116",
+    "version": 1
+}