There are no mandatory fields (the schema declares no `required` list and no `additionalProperties` restriction), but it is highly recommended to follow the naming convention and to fill in every property that helps identify the alert and ease its investigation. The focus is on simplifying integration between the alert-generating device and the incident-response tool or platform. Note that the values most useful for triage and correlation — `time`, `device_IP`, `src_IP`, `dst_IP`, `src_port`, `dst_port`, `url` and `hash` — are typed only as free-form strings with no `format` or `pattern` constraint, so a consumer must validate and normalise them itself rather than trusting the producer. Both listings below also contain trailing commas after the last property of several objects; strict RFC 8259 parsers reject these, so remove them before loading the schema into a validator.
Schema (syntax-highlighted version)
{
"title": "CSAF",
"type": "object",
"properties": {
"Device": {
"type": "object",
"properties": {
"vendor": {
"type": "string"
},
"product": {
"type": "string"
},
"version": {
"type": "string"
},
"OS": {
"type": "string"
},
"module": {
"type": "string"
},
"feature": {
"type": "string"
},
"device_name": {
"type": "string"
},
"device_IP": {
"type": "string"
},
"policy": {
"type": "string"
},
"rule": {
"type": "string"
},
"action": {
"type": "string"
},
},
},
"Priority": {
"type": "object",
"properties": {
"severity": {
"type": "string"
},
"credibility": {
"type": "string"
},
"relevance": {
"type": "string"
},
},
},
"Alert": {
"type": "object",
"properties": {
"time": {
"type": "string"
},
"category": {
"type": "array",
"items": {
"type": "string"
},
},
"name": {
"type": "string"
},
"id": {
"type": "string"
},
"link": {
"type": "string"
},
"domain": {
"type": "string"
},
"region": {
"type": "string"
},
"target": {
"type": "array",
"items": {
"type": "string"
},
},
"artifacts": {
"type": "object",
"properties": {
"username": {
"type": "string"
},
"src_IP": {
"type": "string"
},
"src_port": {
"type": "string"
},
"dst_IP": {
"type": "string"
},
"dst_port": {
"type": "string"
},
"domain": {
"type": "string"
},
"url": {
"type": "string"
},
"hash": {
"type": "string"
},
"process": {
"type": "string"
},
"filename": {
"type": "string"
},
"registry_key": {
"type": "string"
},
"sender": {
"type": "string"
},
},
},
"status": {
"type": "string"
},
"tactics": {
"type": "array",
"items": {
"type": "string"
},
},
"technique": {
"type": "string"
},
"rawData": {
"type": "string"
},
"associated_events": {
"type": "array",
"items": {
"type": "object",
"properties": {
"time": {
"type": "string"
},
"name": {
"type": "string"
},
"target": {
"type": "array",
"items": {
"type": "string"
},
},
"artifacts": {
"type": "object",
"properties": {
"username": {
"type": "string"
},
"src_IP": {
"type": "string"
},
"src_port": {
"type": "string"
},
"dst_IP": {
"type": "string"
},
"dst_port": {
"type": "string"
},
"domain": {
"type": "string"
},
"url": {
"type": "string"
},
"hash": {
"type": "string"
},
"process": {
"type": "string"
},
"filename": {
"type": "string"
},
"registry_key": {
"type": "string"
},
"sender": {
"type": "string"
},
},
},
"count": {
"type": "number"
},
"rawData": {
"type": "string"
}
}
}
}
}
}
}
}
Schema (plain-text version, identical content)
{
"title": "CSAF",
"type": "object",
"properties": {
"Device": {
"type": "object",
"properties": {
"vendor": {
"type": "string"
},
"product": {
"type": "string"
},
"version": {
"type": "string"
},
"OS": {
"type": "string"
},
"module": {
"type": "string"
},
"feature": {
"type": "string"
},
"device_name": {
"type": "string"
},
"device_IP": {
"type": "string"
},
"policy": {
"type": "string"
},
"rule": {
"type": "string"
},
"action": {
"type": "string"
},
},
},
"Priority": {
"type": "object",
"properties": {
"severity": {
"type": "string"
},
"credibility": {
"type": "string"
},
"relevance": {
"type": "string"
},
},
},
"Alert": {
"type": "object",
"properties": {
"time": {
"type": "string"
},
"category": {
"type": "array",
"items": {
"type":
"string"
},
},
"name": {
"type": "string"
},
"id": {
"type": "string"
},
"link": {
"type": "string"
},
"domain": {
"type": "string"
},
"region": {
"type": "string"
},
"target": {
"type": "array",
"items": {
"type":
"string"
},
},
"artifacts": {
"type": "object",
"properties": {
"username": {
"type":
"string"
},
"src_IP": {
"type":
"string"
},
"src_port": {
"type":
"string"
},
"dst_IP": {
"type":
"string"
},
"dst_port": {
"type":
"string"
},
"domain": {
"type":
"string"
},
"url": {
"type": "string"
},
"hash": {
"type":
"string"
},
"process": {
"type":
"string"
},
"filename": {
"type":
"string"
},
"registry_key": {
"type":
"string"
},
"sender": {
"type":
"string"
},
},
},
"status": {
"type": "string"
},
"tactics":
{
"type": "array",
"items": {
"type": "string"
},
},
"technique":
{
"type": "string"
},
"rawData": {
"type": "string"
},
"associated_events": {
"type": "array",
"items": {
"type":
"object",
"properties": {
"time": {
"type":
"string"
},
"name": {
"type":
"string"
},
"target": {
"type":
"array",
"items": {
"type":
"string"
},
},
"artifacts": {
"type":
"object",
"properties": {
"username": {
"type":
"string"
},
"src_IP": {
"type":
"string"
},
"src_port": {
"type":
"string"
},
"dst_IP": {
"type":
"string"
},
"dst_port": {
"type":
"string"
},
"domain": {
"type":
"string"
},
"url": {
"type":
"string"
},
"hash": {
"type":
"string"
},
"process": {
"type":
"string"
},
"filename": {
"type":
"string"
},
"registry_key": {
"type":
"string"
},
"sender": {
"type":
"string"
},
},
},
"count": {
"type":
"number"
},
"rawData": {
"type":
"string"
}
}
}
}
}
}
}
}