misp-objects/objects/incident/definition.json

{
"attributes": {
"criticality": {
"description": "Criticality of the incident",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"Not Specified",
"False Positive",
"Low",
"Moderate",
"High",
"Extreme"
],
"ui-priority": 0
},
"description": {
"description": "Description of the incident.",
"misp-attribute": "text",
"ui-priority": 1
},
"detection_method": {
"description": "Methods used to detect the activity.",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"sane_default": [
"automated-tool",
"human-review",
"message-from-attacker",
"system-outage",
"user-reporting"
],
"ui-priority": 0
},
"determination": {
"description": "Determination on the outcome of the incident.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"blocked",
"successful-attempt",
"failed-attempt",
"false-positive",
"low-value",
"suspected"
],
"ui-priority": 0
},
"incident_type": {
"description": "Type of incident",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"sane_default": [
"aggregation-information-phishing-schemes",
"benign",
"blocked",
"brute-force-attempt",
"c&c-server-hosting",
"compromised-system",
"confirmed",
"connection-malware-port",
"connection-malware-system",
"content-forbidden-by-law",
"control-system-bypass",
"copyrighted-content",
"data-exfiltration",
"deferred",
"deletion-information",
"denial-of-service",
"destruction",
"dictionary-attack-attempt",
"discarded",
"disruption-data-transmission",
"dissemination-malware-email",
"dissemination-phishing-emails",
"dns-cache-poisoning",
"dns-local-resolver-hijacking",
"dns-spoofing-registered",
"dns-rebinding",
"dns-server-compromise",
"dns-spoofing-unregistered",
"dns-stub-resolver-hijacking",
"dns-zone-transfer",
"domain-name-compromise",
"duplicate",
"email-flooding",
"equipment-loss",
"equipment-theft",
"exploit",
"exploit-attempt",
"exploit-framework-exhausting-resources",
"exploit-tool-exhausting-resources",
"failed",
"file-inclusion",
"file-inclusion-attempt",
"hosting-malware-webpage",
"hosting-phishing-sites",
"illegitimate-use-name",
"illegitimate-use-resources",
"infected-by-known-malware",
"insufficient-data",
"known-malware",
"lame-delegations",
"major",
"modification-information",
"misconfiguration",
"natural",
"network-scanning",
"no-apt",
"packet-flood",
"password-cracking-attempt",
"ransomware",
"refuted",
"scan-probe",
"silently-discarded",
"supply-chain-customer",
"supply-chain-vendor",
"spam",
"sql-injection",
"sql-injection-attempt",
"successful",
"system-probe",
"theft-access-credentials",
"unattributed",
"unauthorized-access-information",
"unauthorized-access-system",
"unauthorized-equipment",
"unauthorized-release",
"unauthorized-use",
"undetermined",
"unintentional",
"unknown-apt",
"unspecified",
"vandalism",
"wiretapping",
"worm-spreading",
"xss",
"xss-attempt"
],
"ui-priority": 0
},
"investigation_status": {
"description": "Current status of the incident investigation.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"closed",
"new",
"open"
],
"ui-priority": 0
},
"name": {
"description": "Name of the incident.",
"misp-attribute": "text",
"ui-priority": 1
},
"recoverability": {
"description": "Recoverability of the incident, with respect to feasibility and required time and resources.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"extended",
"not-applicable",
"not-recoverable",
"regular",
"supplemented"
],
"ui-priority": 0
},
"score": {
"description": "Incident score, with a name, an optional description and the numeric score value.",
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
}
},
"description": "Incident object template as described in the STIX 2.1 Incident object and its core extension.",
"meta-category": "misc",
"name": "incident",
"required": [
"name"
],
"uuid": "38597424-f9bb-4865-9b4b-819172df0334",
"version": 1
}