From 38303b282f6f383f10851b01c54dfe9253bf166b Mon Sep 17 00:00:00 2001
From: Quentin JEROME
Date: Wed, 6 Oct 2021 19:42:45 +0200
Subject: [PATCH] Added edr-report MISP Object definition
---
objects/edr-report/definition.json | 92 ++++++++++++++++++++++++++++++
1 file changed, 92 insertions(+)
create mode 100644 objects/edr-report/definition.json
diff --git a/objects/edr-report/definition.json b/objects/edr-report/definition.json
new file mode 100644
index 0000000..6395a0f
--- /dev/null
+++ b/objects/edr-report/definition.json
@@ -0,0 +1,92 @@
+{
+ "attributes": {
+ "id": {
+ "description": "Report unique identifier",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "product": {
+ "description": "EDR product name",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "endpoint-id": {
+ "description": "Unique identifier of the endpoint concerned by the report",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "hostname": {
+ "description": "Endpoint hostname",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "ip": {
+ "description": "Endpoint IP address",
+ "disable_correlation": true,
+ "misp-attribute": "ip-src",
+ "ui-priority": 1
+ },
+ "event": {
+ "description": "EDR event which triggered reporting",
+ "disable_correlation": true,
+ "misp-attribute": "attachment",
+ "ui-priority": 1
+ },
+ "comment": {
+ "description": "Any valuable comment about the report",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "processes": {
+ "description": "JSON file containing metadata about running processes at the time of detection",
+ "disable_correlation": true,
+ "misp-attribute": "attachment",
+ "ui-priority": 0
+ },
+ "modules": {
+ "description": "JSON file containing metadata about modules loaded on the system",
+ "disable_correlation": true,
+ "misp-attribute": "attachment",
+ "ui-priority": 0
+ },
+ "drivers": {
+ "description": "JSON file containing metadata about drivers loaded on the system",
+ "disable_correlation": true,
+ "misp-attribute": "attachment",
+ "ui-priority": 0
+ },
+ "command": {
+ "description": "JSON file containing the output of a command ran at report generation",
+ "disable_correlation": true,
+ "misp-attribute": "attachment",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "executable": {
+ "description": "Executable file involved in report generation",
+ "disable_correlation": true,
+ "misp-attribute": "attachment",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "additional-file": {
+ "description": "Additional file involved in report generation",
+ "disable_correlation": true,
+ "misp-attribute": "attachment",
+ "multiple": true,
+ "ui-priority": 0
+ }
+ },
+ "description": "An Object Template to encode an EDR detection report",
+ "meta-category": "misc",
+ "name": "edr-report",
+ "requiredOneOf": [
+ "id",
+ "endpoint-id",
+ "event"
+ ],
+ "uuid": "eeeca35c-cfcb-49f9-81be-e0c31d83c116",
+ "version": 1
+}
\ No newline at end of file
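Review bot: The `executable` attribute (and arguably `additional-file`) is typed as a plain `attachment`, so a binary that an EDR just flagged on an endpoint would be stored and handed back to analysts as-is; MISP's `malware-sample` type exists for exactly this case — it keeps the file in a password-protected zip so it cannot be launched by accident and derives hash attributes for correlation — so `"misp-attribute": "malware-sample"` is the safer choice for `executable`. Separately, `ip` is typed `ip-src` although it describes the victim endpoint rather than an indicator; as far as I recall `ip-src` defaults to `to_ids: true` in MISP, so an IDS export of an event carrying this object would ship the internal endpoint address as a detection rule, which `"to_ids": false` on the `ip` attribute would prevent (the same consideration applies if `hostname` is switched to the `hostname` type so it correlates as a host rather than free text). The new file also ends without a trailing newline.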