misp-objects/objects/edr-report/definition.json



{
"attributes": {
"id": {
"description": "Report unique identifier",
"misp-attribute": "text",
"ui-priority": 1
},
"product": {
"description": "EDR product name",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1
},
"endpoint-id": {
"description": "Unique identifier of the endpoint the report concerns",
"misp-attribute": "text",
"ui-priority": 1
},
"hostname": {
"description": "Endpoint hostname",
"misp-attribute": "text",
"ui-priority": 1
},
"ip": {
"description": "Endpoint IP address",
"disable_correlation": true,
"misp-attribute": "ip-src",
"ui-priority": 1
},
"event": {
"description": "EDR event which triggered reporting",
"disable_correlation": true,
"misp-attribute": "attachment",
"ui-priority": 1
},
"comment": {
"description": "Any valuable comment about the report",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"processes": {
"description": "JSON file containing metadata about running processes at the time of detection",
"disable_correlation": true,
"misp-attribute": "attachment",
"ui-priority": 0
},
"modules": {
"description": "JSON file containing metadata about modules loaded on the system",
"disable_correlation": true,
"misp-attribute": "attachment",
"ui-priority": 0
},
"drivers": {
"description": "JSON file containing metadata about drivers loaded on the system",
"disable_correlation": true,
"misp-attribute": "attachment",
"ui-priority": 0
},
"command": {
"description": "JSON file containing the output of a command run at report generation",
"disable_correlation": true,
"misp-attribute": "attachment",
"multiple": true,
"ui-priority": 0
},
"executable": {
"description": "Executable file involved in report generation",
"disable_correlation": true,
"misp-attribute": "attachment",
"multiple": true,
"ui-priority": 0
},
"additional-file": {
"description": "Additional file involved in report generation",
"disable_correlation": true,
"misp-attribute": "attachment",
"multiple": true,
"ui-priority": 0
}
},
"description": "An Object Template to encode an EDR detection report",
"meta-category": "misc",
"name": "edr-report",
"requiredOneOf": [
"id",
"endpoint-id",
"event"
],
"uuid": "eeeca35c-cfcb-49f9-81be-e0c31d83c116",
"version": 1
}