Skip to content

Detection Object #464

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Detection Object #464

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
bb6574c
Object for Detection Template - Replace ADS
th3r3d Aug 13, 2025
e5d8180
Object for Detection Template - Replace ADS - Final
th3r3d Aug 13, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
300 changes: 300 additions & 0 deletions objects/detection/definition.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,300 @@
{
"name": "detection",
"description": "A comprehensive object to document a detection analytic, its logic, robustness, validation, and associated response playbooks. It is based on an advanced detection engineering template that integrates concepts like 'Summiting the Pyramid' for robustness scoring and a 'Funnel of Fidelity' for validation, along with structured SOAR automation steps.",
"meta-category": "detection",
"uuid": "7a6a7c8e-4a44-4b0a-8d2a-9e7f8a9b0c1d",
"version": 1,
"required": [
"analytic-title",
"id",
"status",
"hypothesis"
],
"attributes": {
"analytic-title": {
"misp-attribute": "text",
"description": "(Section 1) A clear, descriptive title of the detection rule (e.g., 'LSASS Memory Access via OpenProcess').",
"ui-priority": 1,
"disable_correlation": true
},
"id": {
"misp-attribute": "text",
"description": "(Section 1) A unique identifier for tracking the analytic (e.g., DE-TA0006-T1003.001-001).",
"ui-priority": 2,
"disable_correlation": true
},
"version": {
"misp-attribute": "text",
"description": "(Section 1) The semantic version of the analytic (e.g., 1.0, 1.1, 2.0).",
"ui-priority": 3,
"disable_correlation": true
},
"status": {
"misp-attribute": "text",
"description": "(Section 1) The current maturity status of the analytic.",
"ui-priority": 4,
"disable_correlation": true,
"values_list": [
"Experimental",
"Test",
"Production",
"Deprecated"
]
},
"author": {
"misp-attribute": "text",
"description": "(Section 1) The name or team responsible for creating/maintaining the analytic.",
"ui-priority": 5,
"disable_correlation": true
},
"date-created": {
"misp-attribute": "datetime",
"description": "(Section 1) The date the analytic was initially created.",
"ui-priority": 6,
"disable_correlation": true
},
"date-modified": {
"misp-attribute": "datetime",
"description": "(Section 1) The date the analytic was last modified.",
"ui-priority": 7,
"disable_correlation": true
},
"description": {
"misp-attribute": "text",
"description": "(Section 2) A brief, high-level summary of the detection's purpose. What threat or behavior is this designed to catch? Why is it important?",
"ui-priority": 8
},
"hypothesis": {
"misp-attribute": "text",
"description": "(Section 2) The scientific hypothesis for the detection. E.g., 'We hypothesize that an adversary performing will execute [Procedure]. This can be observed through [Observables]...'",
"ui-priority": 9
},
"mitre-attack-tactic": {
"misp-attribute": "text",
"description": "(Section 2) The MITRE ATT&CK Tactic(s) this analytic addresses (e.g., 'Credential Access (TA0006)'). Use the attack-pattern object for full mapping.",
"ui-priority": 10,
"multiple": true
},
"mitre-attack-technique": {
"misp-attribute": "text",
"description": "(Section 2) The MITRE ATT&CK Technique(s) this analytic addresses (e.g., 'OS Credential Dumping (T1003)'). Use the attack-pattern object for full mapping.",
"ui-priority": 11,
"multiple": true
},
"mitre-attack-subtechnique": {
"misp-attribute": "text",
"description": "(Section 2) The MITRE ATT&CK Sub-technique(s) this analytic addresses (e.g., 'LSASS Memory (T1003.001)'). Use the attack-pattern object for full mapping.",
"ui-priority": 12,
"multiple": true
},
"analytic-robustness-level": {
"misp-attribute": "text",
"description": "(Section 3) The robustness level of the analytic based on the 'Summiting the Pyramid' model.",
"ui-priority": 13,
"disable_correlation": true,
"values_list": [
"Level 1: Ephemeral",
"Level 2: Core to Adversary-Brought Tool",
"Level 3: Core to Pre-Existing Tool",
"Level 4: Core to Some Implementations of a (Sub-)Technique",
"Level 5: Core to a (Sub-)Technique (Invariant Behavior)"
]
},
"analytic-robustness-justification": {
"misp-attribute": "text",
"description": "(Section 3) Justification for the chosen robustness level.",
"ui-priority": 14
},
"data-platform": {
"misp-attribute": "text",
"description": "(Section 3) The platform where the data is sourced (e.g., Windows, Linux, Network).",
"ui-priority": 15,
"disable_correlation": true
},
"data-source": {
"misp-attribute": "text",
"description": "(Section 3) The specific data source (e.g., EDR, Sysmon, Zeek).",
"ui-priority": 16,
"disable_correlation": true
},
"data-event": {
"misp-attribute": "text",
"description": "(Section 3) The specific event(s) required (e.g., Sysmon Event ID 10).",
"ui-priority": 17,
"disable_correlation": true
},
"event-robustness-column": {
"misp-attribute": "text",
"description": "(Section 3) The robustness of the event source telemetry.",
"ui-priority": 18,
"disable_correlation": true,
"values_list": [
"Host-Based: Application (A)",
"Host-Based: User-Mode (U)",
"Host-Based: Kernel-Mode (K)",
"Network-Based: Protocol Payload (P)",
"Network-Based: Protocol Header (H)"
]
},
"event-robustness-justification": {
"misp-attribute": "text",
"description": "(Section 3) Justification for the chosen event robustness column.",
"ui-priority": 19
},
"final-summiting-score": {
"misp-attribute": "text",
"description": "(Section 3) The combined robustness score (e.g., 4K, 3U).",
"ui-priority": 20,
"disable_correlation": true
},
"detection-logic": {
"misp-attribute": "sigma",
"description": "(Section 4) The detection logic, preferably in the vendor-agnostic SIGMA format. Include heavy commenting to explain the logic.",
"ui-priority": 21
},
"known-false-positives": {
"misp-attribute": "text",
"description": "(Section 4) A list of any legitimate activities or tools that may trigger this alert.",
"ui-priority": 22
},
"exclusion-strategy": {
"misp-attribute": "text",
"description": "(Section 4) The strategy for filtering out false positives. Focus on robust, context-rich attributes.",
"ui-priority": 23
},
"test-case-type": {
"misp-attribute": "text",
"description": "(Section 5) The type of validation test performed (e.g., Functional Synonym). Add one set of test-case attributes per test.",
"ui-priority": 24,
"multiple": true,
"disable_correlation": true,
"values_list": [
"Functional Synonym",
"Procedural Synonym",
"Sub-Technical Synonym"
]
},
"test-case-tool": {
"misp-attribute": "text",
"description": "(Section 5) The tool or procedure used for the validation test.",
"ui-priority": 25,
"multiple": true,
"disable_correlation": true
},
"test-case-result": {
"misp-attribute": "text",
"description": "(Section 5) The result of the validation test.",
"ui-priority": 26,
"multiple": true,
"disable_correlation": true,
"values_list": [
"Detected",
"Not Detected"
]
},
"triage-steps": {
"misp-attribute": "text",
"description": "(Section 5) A clear, step-by-step checklist for initial triage by a responding analyst.",
"ui-priority": 27
},
"investigation-steps": {
"misp-attribute": "text",
"description": "(Section 5) A clear, step-by-step checklist for deeper investigation by a responding analyst.",
"ui-priority": 28
},
"response-remediation-steps": {
"misp-attribute": "text",
"description": "(Section 5) Immediate, standard response and remediation actions if the activity is confirmed malicious.",
"ui-priority": 29
},
"alert-trigger-condition": {
"misp-attribute": "text",
"description": "(Section 6) The condition that triggers the automated playbook (e.g., IF 'detection-logic' RETURNS 'true').",
"ui-priority": 30
},
"alert-severity-default": {
"misp-attribute": "text",
"description": "(Section 6) The default severity level of the alert.",
"ui-priority": 31,
"disable_correlation": true,
"values_list": [
"Low",
"Medium",
"High",
"Critical"
]
},
"soar-step-type": {
"misp-attribute": "text",
"description": "(Section 6) The type of SOAR step (Enrichment, Triage, Containment, Notification). Add one full set of 'soar-step-*' attributes for each logical step.",
"ui-priority": 32,
"multiple": true,
"disable_correlation": true,
"values_list": [
"Enrichment",
"Triage Logic",
"Containment",
"Notification"
]
},
"soar-step-action": {
"misp-attribute": "text",
"description": "(Section 6) The automated action to perform (e.g., Get-UserDetails, Isolate-Host, Create-Ticket).",
"ui-priority": 33,
"multiple": true,
"disable_correlation": true
},
"soar-step-input": {
"misp-attribute": "text",
"description": "(Section 6) The entity from the alert used as input for the action (e.g., event.AccountName).",
"ui-priority": 34,
"multiple": true,
"disable_correlation": true
},
"soar-step-output": {
"misp-attribute": "text",
"description": "(Section 6) The new information to be added or the expected result (e.g., user.title, host.os).",
"ui-priority": 35,
"multiple": true,
"disable_correlation": true
},
"soar-step-source-system": {
"misp-attribute": "text",
"description": "(Section 6) The source or destination system for the action (e.g., VirusTotal, Jira, ServiceNow).",
"ui-priority": 36,
"multiple": true,
"disable_correlation": true
},
"soar-step-execute-flag": {
"misp-attribute": "boolean",
"description": "(Section 6) For containment actions, specifies if execution is automatic (true) or requires manual approval (false). Default should be false.",
"ui-priority": 37,
"multiple": true,
"disable_correlation": true
},
"mitre-engage-goal": {
"misp-attribute": "text",
"description": "(Section 7) The MITRE Engage Goal this analytic supports (e.g., Disrupt (G0009)).",
"ui-priority": 38,
"disable_correlation": true
},
"mitre-engage-approach": {
"misp-attribute": "text",
"description": "(Section 7) The MITRE Engage Approach this analytic uses (e.g., Detect (A0001)).",
"ui-priority": 39,
"disable_correlation": true
},
"d3fend-tactic": {
"misp-attribute": "text",
"description": "(Section 7) The D3FEND Tactic this analytic maps to (e.g., Detect (D3-DET)).",
"ui-priority": 40,
"disable_correlation": true
},
"d3fend-technique": {
"misp-attribute": "text",
"description": "(Section 7) The D3FEND Technique this analytic maps to (e.g., Process Spawn Analysis (D3-PSA)).",
"ui-priority": 41,
"disable_correlation": true
}
}
}
Loading