From c5c8f35fb40444bc21c1db634729806c090eb43f Mon Sep 17 00:00:00 2001
From: Christian Studer
Date: Thu, 22 Jun 2023 12:28:47 +0200
Subject: [PATCH] wip: [event] New object template to describe events that can happen during an incident
---
objects/event/definition.json | 172 ++++++++++++++++++++++++++++++++++
1 file changed, 172 insertions(+)
create mode 100644 objects/event/definition.json
diff --git a/objects/event/definition.json b/objects/event/definition.json
new file mode 100644
index 0000000..58c6e1b
--- /dev/null
+++ b/objects/event/definition.json
@@ -0,0 +1,172 @@
+{
+ "attributes": {
+ "description": {
+ "description": "Description of the event.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "end_time": {
+ "description": "The date and time the event was last recorded.",
+ "misp-attribute": "datetime",
+ "ui-priority": 0
+ },
+ "end_time_fidelity": {
+ "description": "Level of fidelity that the `end_time` is recorded in.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "day",
+ "hour",
+ "minute",
+ "month",
+ "second",
+ "year"
+ ],
+ "ui-priority": 0
+ },
+ "event_type": {
+ "description": "Type of event.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "sane_default": [
+ "aggregation-information-phishing-schemes",
+ "benign",
+ "blocked",
+ "brute-force-attempt",
+ "c&c-server-hosting",
+ "compromised-system",
+ "confirmed",
+ "connection-malware-port",
+ "connection-malware-system",
+ "content-forbidden-by-law",
+ "control-system-bypass",
+ "copyrighted-content",
+ "data-exfiltration",
+ "deferred",
+ "deletion-information",
+ "denial-of-service",
+ "destruction",
+ "dictionary-attack-attempt",
+ "discarded",
+ "disruption-data-transmission",
+ "dissemination-malware-email",
+ "dissemination-phishing-emails",
+ "dns-cache-poisoning",
+ "dns-local-resolver-hijacking",
+ "dns-spoofing-registered",
+ "dns-rebinding",
+ "dns-server-compromise",
+ "dns-spoofing-unregistered",
+ "dns-stub-resolver-hijacking",
+ "dns-zone-transfer",
+ "domain-name-compromise",
+ "duplicate",
+ "email-flooding",
+ "equipment-loss",
+ "equipment-theft",
+ "exploit",
+ "exploit-attempt",
+ "exploit-framework-exhausting-resources",
+ "exploit-tool-exhausting-resources",
+ "failed",
+ "file-inclusion",
+ "file-inclusion-attempt",
+ "hosting-malware-webpage",
+ "hosting-phishing-sites",
+ "illegitimate-use-name",
+ "illegitimate-use-resources",
+ "infected-by-known-malware",
+ "insufficient-data",
+ "known-malware",
+ "lame-delegations",
+ "major",
+ "modification-information",
+ "misconfiguration",
+ "natural",
+ "network-scanning",
+ "no-apt",
+ "packet-flood",
+ "password-cracking-attempt",
+ "ransomware",
+ "refuted",
+ "scan-probe",
+ "silently-discarded",
+ "supply-chain-customer",
+ "supply-chain-vendor",
+ "spam",
+ "sql-injection",
+ "sql-injection-attempt",
+ "successful",
+ "system-probe",
+ "theft-access-credentials",
+ "unattributed",
+ "unauthorized-access-information",
+ "unauthorized-access-system",
+ "unauthorized-equipment",
+ "unauthorized-release",
+ "unauthorized-use",
+ "undetermined",
+ "unintentional",
+ "unknown-apt",
+ "unspecified",
+ "vandalism",
+ "wiretapping",
+ "worm-spreading",
+ "xss",
+ "xss-attempt"
+ ],
+ "ui-priority": 0
+ },
+ "goal": {
+ "description": "The assumed objective of the event.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "name": {
+ "description": "Name of the event.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "start_time": {
+ "description": "The date and time the event was first recorded.",
+ "misp-attribute": "datetime",
+ "ui-priority": 0
+ },
+ "start_time_fidelity": {
+ "description": "Level of fidelity that the `start_time` is recorded in.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "day",
+ "hour",
+ "minute",
+ "month",
+ "second",
+ "year"
+ ],
+ "ui-priority": 0
+ },
+ "status": {
+ "description": "Current status of the event.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "not-occurred",
+ "ongoing",
+ "occurred",
+ "pending",
+ "undetermined"
+ ],
+ "ui-priority": 1
+ }
+ },
+ "description": "Event object as described in STIX 2.1 Incident object extension.",
+ "meta-category": "misc",
+ "name": "event",
+ "required": [
+ "status"
+ ],
+ "uuid": "3853b726-6a9c-43b3-8ffb-23839b07d5a9",
+ "version": 1
+}
\ No newline at end of file
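Review bot: The free-text `description` and `goal` attributes are left correlating while every other text-valued attribute in this template sets `"disable_correlation": true`; on a free-form field this will likely link unrelated incidents that happen to share a phrase, so `"disable_correlation": true,` should probably be added to both (whether `name` should correlate is a judgement call). The `event_type` vocabulary also appears to mix event kinds with what look like determination or outcome values (`benign`, `confirmed`, `refuted`, `failed`, `successful`, `duplicate`, `major`), which is worth checking against the STIX 2.1 Incident extension vocabularies the top-level description cites, since a mixed enum is awkward to filter on. Minor: the list is not kept sorted (`dns-rebinding` sits between the two `dns-spoofing-*` entries, `spam` follows `supply-chain-*`, `modification-information` precedes `misconfiguration`), and the file ends without a trailing newline.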