Merge pull request #472 from MISP/th3r3d-main

adulau · web-flow · commit bdcc37547de6 · 2026-01-03T10:42:45.000+01:00
Th3r3d main (new detection object - clean-up)
diff --git a/objects/detection/definition.json b/objects/detection/definition.json
@@ -0,0 +1,300 @@
+{
+  "attributes": {
+    "alert-severity-default": {
+      "description": "(Section 6) The default severity level of the alert.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 31,
+      "values_list": [
+        "Low",
+        "Medium",
+        "High",
+        "Critical"
+      ]
+    },
+    "alert-trigger-condition": {
+      "description": "(Section 6) The condition that triggers the automated playbook (e.g., IF 'detection-logic' RETURNS 'true').",
+      "misp-attribute": "text",
+      "ui-priority": 30
+    },
+    "analytic-robustness-justification": {
+      "description": "(Section 3) Justification for the chosen robustness level.",
+      "misp-attribute": "text",
+      "ui-priority": 14
+    },
+    "analytic-robustness-level": {
+      "description": "(Section 3) The robustness level of the analytic based on the 'Summiting the Pyramid' model.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 13,
+      "values_list": [
+        "Level 1: Ephemeral",
+        "Level 2: Core to Adversary-Brought Tool",
+        "Level 3: Core to Pre-Existing Tool",
+        "Level 4: Core to Some Implementations of a (Sub-)Technique",
+        "Level 5: Core to a (Sub-)Technique (Invariant Behavior)"
+      ]
+    },
+    "analytic-title": {
+      "description": "(Section 1) A clear, descriptive title of the detection rule (e.g., 'LSASS Memory Access via OpenProcess').",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "author": {
+      "description": "(Section 1) The name or team responsible for creating/maintaining the analytic.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 5
+    },
+    "d3fend-tactic": {
+      "description": "(Section 7) The D3FEND Tactic this analytic maps to (e.g., Detect (D3-DET)).",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 40
+    },
+    "d3fend-technique": {
+      "description": "(Section 7) The D3FEND Technique this analytic maps to (e.g., Process Spawn Analysis (D3-PSA)).",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 41
+    },
+    "data-event": {
+      "description": "(Section 3) The specific event(s) required (e.g., Sysmon Event ID 10).",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 17
+    },
+    "data-platform": {
+      "description": "(Section 3) The platform where the data is sourced (e.g., Windows, Linux, Network).",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 15
+    },
+    "data-source": {
+      "description": "(Section 3) The specific data source (e.g., EDR, Sysmon, Zeek).",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 16
+    },
+    "date-created": {
+      "description": "(Section 1) The date the analytic was initially created.",
+      "disable_correlation": true,
+      "misp-attribute": "datetime",
+      "ui-priority": 6
+    },
+    "date-modified": {
+      "description": "(Section 1) The date the analytic was last modified.",
+      "disable_correlation": true,
+      "misp-attribute": "datetime",
+      "ui-priority": 7
+    },
+    "description": {
+      "description": "(Section 2) A brief, high-level summary of the detection's purpose. What threat or behavior is this designed to catch? Why is it important?",
+      "misp-attribute": "text",
+      "ui-priority": 8
+    },
+    "detection-logic": {
+      "description": "(Section 4) The detection logic, preferably in the vendor-agnostic SIGMA format. Include heavy commenting to explain the logic.",
+      "misp-attribute": "sigma",
+      "ui-priority": 21
+    },
+    "event-robustness-column": {
+      "description": "(Section 3) The robustness of the event source telemetry.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 18,
+      "values_list": [
+        "Host-Based: Application (A)",
+        "Host-Based: User-Mode (U)",
+        "Host-Based: Kernel-Mode (K)",
+        "Network-Based: Protocol Payload (P)",
+        "Network-Based: Protocol Header (H)"
+      ]
+    },
+    "event-robustness-justification": {
+      "description": "(Section 3) Justification for the chosen event robustness column.",
+      "misp-attribute": "text",
+      "ui-priority": 19
+    },
+    "exclusion-strategy": {
+      "description": "(Section 4) The strategy for filtering out false positives. Focus on robust, context-rich attributes.",
+      "misp-attribute": "text",
+      "ui-priority": 23
+    },
+    "final-summiting-score": {
+      "description": "(Section 3) The combined robustness score (e.g., 4K, 3U).",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 20
+    },
+    "hypothesis": {
+      "description": "(Section 2) The scientific hypothesis for the detection. E.g., 'We hypothesize that an adversary performing will execute [Procedure]. This can be observed through [Observables]...'",
+      "misp-attribute": "text",
+      "ui-priority": 9
+    },
+    "id": {
+      "description": "(Section 1) A unique identifier for tracking the analytic (e.g., DE-TA0006-T1003.001-001).",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 2
+    },
+    "investigation-steps": {
+      "description": "(Section 5) A clear, step-by-step checklist for deeper investigation by a responding analyst.",
+      "misp-attribute": "text",
+      "ui-priority": 28
+    },
+    "known-false-positives": {
+      "description": "(Section 4) A list of any legitimate activities or tools that may trigger this alert.",
+      "misp-attribute": "text",
+      "ui-priority": 22
+    },
+    "mitre-attack-subtechnique": {
+      "description": "(Section 2) The MITRE ATT&CK Sub-technique(s) this analytic addresses (e.g., 'LSASS Memory (T1003.001)'). Use the attack-pattern object for full mapping.",
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 12
+    },
+    "mitre-attack-tactic": {
+      "description": "(Section 2) The MITRE ATT&CK Tactic(s) this analytic addresses (e.g., 'Credential Access (TA0006)'). Use the attack-pattern object for full mapping.",
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 10
+    },
+    "mitre-attack-technique": {
+      "description": "(Section 2) The MITRE ATT&CK Technique(s) this analytic addresses (e.g., 'OS Credential Dumping (T1003)'). Use the attack-pattern object for full mapping.",
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 11
+    },
+    "mitre-engage-approach": {
+      "description": "(Section 7) The MITRE Engage Approach this analytic uses (e.g., Detect (A0001)).",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 39
+    },
+    "mitre-engage-goal": {
+      "description": "(Section 7) The MITRE Engage Goal this analytic supports (e.g., Disrupt (G0009)).",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 38
+    },
+    "response-remediation-steps": {
+      "description": "(Section 5) Immediate, standard response and remediation actions if the activity is confirmed malicious.",
+      "misp-attribute": "text",
+      "ui-priority": 29
+    },
+    "soar-step-action": {
+      "description": "(Section 6) The automated action to perform (e.g., Get-UserDetails, Isolate-Host, Create-Ticket).",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 33
+    },
+    "soar-step-execute-flag": {
+      "description": "(Section 6) For containment actions, specifies if execution is automatic (true) or requires manual approval (false). Default should be false.",
+      "disable_correlation": true,
+      "misp-attribute": "boolean",
+      "multiple": true,
+      "ui-priority": 37
+    },
+    "soar-step-input": {
+      "description": "(Section 6) The entity from the alert used as input for the action (e.g., event.AccountName).",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 34
+    },
+    "soar-step-output": {
+      "description": "(Section 6) The new information to be added or the expected result (e.g., user.title, host.os).",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 35
+    },
+    "soar-step-source-system": {
+      "description": "(Section 6) The source or destination system for the action (e.g., VirusTotal, Jira, ServiceNow).",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 36
+    },
+    "soar-step-type": {
+      "description": "(Section 6) The type of SOAR step (Enrichment, Triage, Containment, Notification). Add one full set of 'soar-step-*' attributes for each logical step.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 32,
+      "values_list": [
+        "Enrichment",
+        "Triage Logic",
+        "Containment",
+        "Notification"
+      ]
+    },
+    "status": {
+      "description": "(Section 1) The current maturity status of the analytic.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 4,
+      "values_list": [
+        "Experimental",
+        "Test",
+        "Production",
+        "Deprecated"
+      ]
+    },
+    "test-case-result": {
+      "description": "(Section 5) The result of the validation test.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 26,
+      "values_list": [
+        "Detected",
+        "Not Detected"
+      ]
+    },
+    "test-case-tool": {
+      "description": "(Section 5) The tool or procedure used for the validation test.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 25
+    },
+    "test-case-type": {
+      "description": "(Section 5) The type of validation test performed (e.g., Functional Synonym). Add one set of test-case attributes per test.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 24,
+      "values_list": [
+        "Functional Synonym",
+        "Procedural Synonym",
+        "Sub-Technical Synonym"
+      ]
+    },
+    "triage-steps": {
+      "description": "(Section 5) A clear, step-by-step checklist for initial triage by a responding analyst.",
+      "misp-attribute": "text",
+      "ui-priority": 27
+    },
+    "version": {
+      "description": "(Section 1) The semantic version of the analytic (e.g., 1.0, 1.1, 2.0).",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 3
+    }
+  },
+  "description": "A comprehensive object to document a detection analytic, its logic, robustness, validation, and associated response playbooks. It is based on an advanced detection engineering template that integrates concepts like 'Summiting the Pyramid' for robustness scoring and a 'Funnel of Fidelity' for validation, along with structured SOAR automation steps.",
+  "meta-category": "misc",
+  "name": "detection",
+  "required": [
+    "analytic-title",
+    "id",
+    "status",
+    "hypothesis"
+  ],
+  "uuid": "7a6a7c8e-4a44-4b0a-8d2a-9e7f8a9b0c1d",
+  "version": 2
+}
