{ "attributes": { "alert-severity-default": { "description": "(Section 6) The default severity level of the alert.", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 31, "values_list": [ "Low", "Medium", "High", "Critical" ] }, "alert-trigger-condition": { "description": "(Section 6) The condition that triggers the automated playbook (e.g., IF 'detection-logic' RETURNS 'true').", "misp-attribute": "text", "ui-priority": 30 }, "analytic-robustness-justification": { "description": "(Section 3) Justification for the chosen robustness level.", "misp-attribute": "text", "ui-priority": 14 }, "analytic-robustness-level": { "description": "(Section 3) The robustness level of the analytic based on the 'Summiting the Pyramid' model.", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 13, "values_list": [ "Level 1: Ephemeral", "Level 2: Core to Adversary-Brought Tool", "Level 3: Core to Pre-Existing Tool", "Level 4: Core to Some Implementations of a (Sub-)Technique", "Level 5: Core to a (Sub-)Technique (Invariant Behavior)" ] }, "analytic-title": { "description": "(Section 1) A clear, descriptive title of the detection rule (e.g., 'LSASS Memory Access via OpenProcess').", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 1 }, "author": { "description": "(Section 1) The name or team responsible for creating/maintaining the analytic.", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 5 }, "d3fend-tactic": { "description": "(Section 7) The D3FEND Tactic this analytic maps to (e.g., Detect (D3-DET)).", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 40 }, "d3fend-technique": { "description": "(Section 7) The D3FEND Technique this analytic maps to (e.g., Process Spawn Analysis (D3-PSA)).", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 41 }, "data-event": { "description": "(Section 3) The specific event(s) required (e.g., Sysmon Event ID 10).", 
"disable_correlation": true, "misp-attribute": "text", "ui-priority": 17 }, "data-platform": { "description": "(Section 3) The platform where the data is sourced (e.g., Windows, Linux, Network).", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 15 }, "data-source": { "description": "(Section 3) The specific data source (e.g., EDR, Sysmon, Zeek).", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 16 }, "date-created": { "description": "(Section 1) The date the analytic was initially created.", "disable_correlation": true, "misp-attribute": "datetime", "ui-priority": 6 }, "date-modified": { "description": "(Section 1) The date the analytic was last modified.", "disable_correlation": true, "misp-attribute": "datetime", "ui-priority": 7 }, "description": { "description": "(Section 2) A brief, high-level summary of the detection's purpose. What threat or behavior is this designed to catch? Why is it important?", "misp-attribute": "text", "ui-priority": 8 }, "detection-logic": { "description": "(Section 4) The detection logic, preferably in the vendor-agnostic SIGMA format. Include heavy commenting to explain the logic.", "misp-attribute": "sigma", "ui-priority": 21 }, "event-robustness-column": { "description": "(Section 3) The robustness of the event source telemetry.", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 18, "values_list": [ "Host-Based: Application (A)", "Host-Based: User-Mode (U)", "Host-Based: Kernel-Mode (K)", "Network-Based: Protocol Payload (P)", "Network-Based: Protocol Header (H)" ] }, "event-robustness-justification": { "description": "(Section 3) Justification for the chosen event robustness column.", "misp-attribute": "text", "ui-priority": 19 }, "exclusion-strategy": { "description": "(Section 4) The strategy for filtering out false positives. 
Focus on robust, context-rich attributes.", "misp-attribute": "text", "ui-priority": 23 }, "final-summiting-score": { "description": "(Section 3) The combined robustness score (e.g., 4K, 3U).", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 20 }, "hypothesis": { "description": "(Section 2) The scientific hypothesis for the detection. E.g., 'We hypothesize that an adversary performing [Technique] will execute [Procedure]. This can be observed through [Observables]...'", "misp-attribute": "text", "ui-priority": 9 }, "id": { "description": "(Section 1) A unique identifier for tracking the analytic (e.g., DE-TA0006-T1003.001-001).", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 2 }, "investigation-steps": { "description": "(Section 5) A clear, step-by-step checklist for deeper investigation by a responding analyst.", "misp-attribute": "text", "ui-priority": 28 }, "known-false-positives": { "description": "(Section 4) A list of any legitimate activities or tools that may trigger this alert.", "misp-attribute": "text", "ui-priority": 22 }, "mitre-attack-subtechnique": { "description": "(Section 2) The MITRE ATT&CK Sub-technique(s) this analytic addresses (e.g., 'LSASS Memory (T1003.001)'). Use the attack-pattern object for full mapping.", "misp-attribute": "text", "multiple": true, "ui-priority": 12 }, "mitre-attack-tactic": { "description": "(Section 2) The MITRE ATT&CK Tactic(s) this analytic addresses (e.g., 'Credential Access (TA0006)'). Use the attack-pattern object for full mapping.", "misp-attribute": "text", "multiple": true, "ui-priority": 10 }, "mitre-attack-technique": { "description": "(Section 2) The MITRE ATT&CK Technique(s) this analytic addresses (e.g., 'OS Credential Dumping (T1003)'). 
Use the attack-pattern object for full mapping.", "misp-attribute": "text", "multiple": true, "ui-priority": 11 }, "mitre-engage-approach": { "description": "(Section 7) The MITRE Engage Approach this analytic uses (e.g., Detect (A0001)).", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 39 }, "mitre-engage-goal": { "description": "(Section 7) The MITRE Engage Goal this analytic supports (e.g., Disrupt (G0009)).", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 38 }, "response-remediation-steps": { "description": "(Section 5) Immediate, standard response and remediation actions if the activity is confirmed malicious.", "misp-attribute": "text", "ui-priority": 29 }, "soar-step-action": { "description": "(Section 6) The automated action to perform (e.g., Get-UserDetails, Isolate-Host, Create-Ticket).", "disable_correlation": true, "misp-attribute": "text", "multiple": true, "ui-priority": 33 }, "soar-step-execute-flag": { "description": "(Section 6) For containment actions, specifies if execution is automatic (true) or requires manual approval (false). 
Default should be false.", "disable_correlation": true, "misp-attribute": "boolean", "multiple": true, "ui-priority": 37 }, "soar-step-input": { "description": "(Section 6) The entity from the alert used as input for the action (e.g., event.AccountName).", "disable_correlation": true, "misp-attribute": "text", "multiple": true, "ui-priority": 34 }, "soar-step-output": { "description": "(Section 6) The new information to be added or the expected result (e.g., user.title, host.os).", "disable_correlation": true, "misp-attribute": "text", "multiple": true, "ui-priority": 35 }, "soar-step-source-system": { "description": "(Section 6) The source or destination system for the action (e.g., VirusTotal, Jira, ServiceNow).", "disable_correlation": true, "misp-attribute": "text", "multiple": true, "ui-priority": 36 }, "soar-step-type": { "description": "(Section 6) The type of SOAR step (Enrichment, Triage Logic, Containment, Notification). Add one full set of 'soar-step-*' attributes for each logical step.", "disable_correlation": true, "misp-attribute": "text", "multiple": true, "ui-priority": 32, "values_list": [ "Enrichment", "Triage Logic", "Containment", "Notification" ] }, "status": { "description": "(Section 1) The current maturity status of the analytic.", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 4, "values_list": [ "Experimental", "Test", "Production", "Deprecated" ] }, "test-case-result": { "description": "(Section 5) The result of the validation test.", "disable_correlation": true, "misp-attribute": "text", "multiple": true, "ui-priority": 26, "values_list": [ "Detected", "Not Detected" ] }, "test-case-tool": { "description": "(Section 5) The tool or procedure used for the validation test.", "disable_correlation": true, "misp-attribute": "text", "multiple": true, "ui-priority": 25 }, "test-case-type": { "description": "(Section 5) The type of validation test performed (e.g., Functional Synonym). 
Add one set of test-case attributes per test.", "disable_correlation": true, "misp-attribute": "text", "multiple": true, "ui-priority": 24, "values_list": [ "Functional Synonym", "Procedural Synonym", "Sub-Technical Synonym" ] }, "triage-steps": { "description": "(Section 5) A clear, step-by-step checklist for initial triage by a responding analyst.", "misp-attribute": "text", "ui-priority": 27 }, "version": { "description": "(Section 1) The semantic version of the analytic (e.g., 1.0, 1.1, 2.0).", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 3 } }, "description": "A comprehensive object to document a detection analytic, its logic, robustness, validation, and associated response playbooks. It is based on an advanced detection engineering template that integrates concepts like 'Summiting the Pyramid' for robustness scoring and a 'Funnel of Fidelity' for validation, along with structured SOAR automation steps.", "meta-category": "misc", "name": "detection", "required": [ "analytic-title", "id", "status", "hypothesis" ], "uuid": "7a6a7c8e-4a44-4b0a-8d2a-9e7f8a9b0c1d", "version": 2 }