Added edr-report MISP Object definition

pull/327/head
Quentin JEROME 2021-10-06 19:42:45 +02:00
parent cefd58b101
commit 38303b282f
1 changed files with 92 additions and 0 deletions

View File

@ -0,0 +1,92 @@
{
"attributes": {
"id": {
"description": "Report unique identifier",
"misp-attribute": "text",
"ui-priority": 1
},
"product": {
"description": "EDR product name",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1
},
"endpoint-id": {
"description": "Unique identifier of the endpoint concerned by the report",
"misp-attribute": "text",
"ui-priority": 1
},
"hostname": {
"description": "Endpoint hostname",
"misp-attribute": "text",
"ui-priority": 1
},
"ip": {
"description": "Endpoint IP address",
"disable_correlation": true,
"misp-attribute": "ip-src",
"ui-priority": 1
},
"event": {
"description": "EDR event which triggered reporting",
"disable_correlation": true,
"misp-attribute": "attachment",
"ui-priority": 1
},
"comment": {
"description": "Any valuable comment about the report",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"processes": {
"description": "JSON file containing metadata about running processes at the time of detection",
"disable_correlation": true,
"misp-attribute": "attachment",
"ui-priority": 0
},
"modules": {
"description": "JSON file containing metadata about modules loaded on the system",
"disable_correlation": true,
"misp-attribute": "attachment",
"ui-priority": 0
},
"drivers": {
"description": "JSON file containing metadata about drivers loaded on the system",
"disable_correlation": true,
"misp-attribute": "attachment",
"ui-priority": 0
},
"command": {
"description": "JSON file containing the output of a command ran at report generation",
"disable_correlation": true,
"misp-attribute": "attachment",
"multiple": true,
"ui-priority": 0
},
"executable": {
"description": "Executable file involved in report generation",
"disable_correlation": true,
"misp-attribute": "attachment",
"multiple": true,
"ui-priority": 0
},
"additional-file": {
"description": "Additional file involved in report generation",
"disable_correlation": true,
"misp-attribute": "attachment",
"multiple": true,
"ui-priority": 0
}
},
"description": "An Object Template to encode an EDR detection report",
"meta-category": "misc",
"name": "edr-report",
"requiredOneOf": [
"id",
"endpoint-id",
"event"
],
"uuid": "eeeca35c-cfcb-49f9-81be-e0c31d83c116",
"version": 1
}