Signature¶
A signature that was raised during the analysis of the task
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| objectid | ObjectID | The object ID of the signature object | Yes |
None |
| name | Keyword | The name of the signature | Yes |
None |
| type | Enum | Type of signature Values: "CUCKOO", "SIGMA", "SURICATA", "YARA" |
Yes |
None |
| classification | ClassificationString | Classification of signature | Yes |
None |
| attributes | List [Attribute] | Attributes about the signature | Optional |
None |
| attacks | List [Attack] | A list of ATT&CK patterns and categories of the signature | Optional |
None |
| actors | List [Text] | List of actors of the signature | Optional |
None |
| malware_families | List [Text] | List of malware families of the signature | Optional |
None |
| signature_id | Text | ID of signature | Optional |
None |
Attribute¶
Attribute relating to the signature that was raised during the analysis of the task
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| source | ObjectID | Object that the rule triggered on | Yes |
None |
| target | ObjectID | Object targetted by source object | Optional |
None |
| action | Enum | None Values: "clipboard_capture", "create_remote_thread", "create_stream_hash", "dns_query", "driver_loaded", "file_change", "file_creation", "file_delete", "image_loaded", "network_connection", "network_connection_linux", "pipe_created", "process_access", "process_creation", "process_creation_linux", "process_tampering", "process_terminated", "raw_access_thread", "registry_add", "registry_delete", "registry_event", "registry_rename", "registry_set", "sysmon_error", "sysmon_status", "wmi_event" |
Optional |
None |
| meta | Text | Metadata about the detection | Optional |
None |
| event_record_id | Text | Event Record ID (Event Logs) | Optional |
None |
| domain | Domain | Domain | Optional |
None |
| uri | URI | URI | Optional |
None |
| file_hash | SHA256 | SHA256 of file | Optional |
None |