Event attributes Clause Samples

Event attributes. While the above list presents the fields that are core to the event, the model is kept flexible so that further details can be recorded. Thus, an event entity may add attributes to extend its information. These attributes might relate to Indicators of Compromise (IoCs) such as hashes, filenames, IPs or domain names, but also to vulnerabilities or to the TTPs of attackers. Each attribute has its own data model based on the following fields:

• Represents the human-readable identifier associated with the event for a specific MISP instance.

• This field describes the category of the attribute. The list of categories is based on the MISP format:
  • Antivirus detection: all the information about how the malware is detected by antivirus products
  • Artifacts dropped: any artifact (files, registry keys, etc.) dropped by the malware, or other modifications to the system
  • Attribution: identification of the group, organisation, or country behind the attack
  • External analysis: any other result from additional analysis of the malware, such as tool output
  • Internal reference: reference used by the publishing party (e.g. ticket number)