Detection Schema

http://example.com/example.json

schema for detections

Abstract: Can be instantiated
Extensible: No
Status: Unknown status
Identifiable: No
Custom Properties: Forbidden
Additional Properties: Allowed
Access Restrictions: none
Defined In: detections.spec.json

Detection Schema Type

object (Detection Schema)

Detection Schema Properties

Property               Type     Required  Nullable        Defined by
author                 string   Required  cannot be null  Detection Schema
date                   string   Required  cannot be null  Detection Schema
description            string   Required  cannot be null  Detection Schema
how_to_implement       string   Optional  cannot be null  Detection Schema
id                     string   Required  cannot be null  Detection Schema
known_false_positives  string   Required  cannot be null  Detection Schema
name                   string   Required  cannot be null  Detection Schema
references             array    Optional  cannot be null  Detection Schema
search                 string   Required  cannot be null  Detection Schema
tags                   object   Required  cannot be null  Detection Schema
type                   string   Required  cannot be null  Detection Schema
datamodel              array    Optional  cannot be null  Detection Schema
version                integer  Required  cannot be null  Detection Schema
Additional Properties  Any      Optional  can be null

author

Author of the detection

author Type

string

author Examples

Patrick Bareiss, Splunk

date

Date of creation or last modification, in yyyy-mm-dd format

date Type

string

date Examples

'2019-12-06'

description

A detailed description of the detection

description Type

string

description Examples

>-
  dbgcore.dll is a specific DLL for Windows core debugging. It is used to obtain
  a memory dump of a process. This search detects the usage of this DLL for
  creating a memory dump of LSASS process. Memory dumps of the LSASS process can
  be created with tools such as Windows Task Manager or procdump.

how_to_implement

Information about how to implement the detection. Only needed for non-standard implementations.

how_to_implement Type

string

how_to_implement Examples

>-
  This search requires Sysmon Logs and a Sysmon configuration, which includes
  EventCode 10 for lsass.exe.

id

UUID used as the unique identifier of the detection

id Type

string

id Examples

fb4c31b0-13e8-4155-8aa5-24de4b8d6717

known_false_positives

Known false positives of the detection

known_false_positives Type

string

known_false_positives Examples

>-
  Administrators can create memory dumps for debugging purposes, but memory
  dumps of the LSASS process would be unusual.

name

Name of the detection

name Type

string (Name of detection)

name Examples

Access LSASS Memory for Dump Creation

references

A list of references for this detection

references Type

string[] (The Items Schema)

references Default Value

The default value is:

[]

references Examples

- >-
  https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf

search

The Splunk search for the detection

search Type

string

search Examples

>-
  `sysmon` EventCode=10 TargetImage=*lsass.exe CallTrace=*dbgcore.dll* OR
  CallTrace=*dbghelp.dll* | stats count min(_time) as firstTime max(_time) as
  lastTime by Computer, TargetImage, TargetProcessId, SourceImage,
  SourceProcessId | rename Computer as dest |
  `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |
  `access_lsass_memory_for_dump_creation_filter`

tags

An object of key-value pairs for tagging the detection

tags Type

object (Details)

tags Constraints

minimum number of items: the minimum number of items for this array is: 1

unique items: all items in this array must be unique. Duplicates are not allowed.

Note that minItems and uniqueItems are JSON Schema array keywords. Because tags is typed as an object, a conforming validator ignores both of them and accepts an empty tags object; the object-level equivalent of the first constraint would be minProperties: 1.

tags Default Value

The default value is:

{}

tags Examples

analytic_story: credential_dumping
kill_chain_phases: Action on Objectives
mitre_attack_id: T1078.004
cis20: CIS 13
nist: DE.DP
security domain: network
asset_type: AWS Instance
risk_object: user
risk_object_type: network_artifacts
risk score: '60'
custom_key: custom_value

type

Type of the detection

type Type

string

type Examples

streaming

datamodel

Data models used in the search

datamodel Type

string[]

datamodel Examples

- Endpoint

version

Version of the detection, e.g. 1 or 2 …

version Type

integer

version Examples

2

Additional Properties

Additional properties are allowed and do not have to follow a specific schema
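The rules on this page, applied as a runnable check. This is an added example and not the validator shipped with the Splunk security_content project (which validates the YAML against detections.spec.json with a JSON Schema library): a stdlib-only Python function that enforces the required/optional, type and nullability rules from the property table, the UUID format of id, the yyyy-mm-dd format of date, the integer type of version, and the intent of the tags constraint (at least one tag), run over a detection object assembled from this page's own examples. Two assumptions are marked in the code: id is required to be in the canonical hyphenated UUID form shown in the example, and the non-empty tags rule is checked explicitly because a JSON Schema validator would not apply minItems to an object.

```python
"""Stdlib-only conformance check for a detection object, following the rules on
this page. Added example code; not the security_content project's own validator."""
import re
from datetime import date

# Property -> (Python type, required) straight from the property table.
# bool is deliberately not accepted for version: JSON Schema's integer excludes booleans,
# while Python's isinstance(True, int) is True, so it is rejected explicitly below.
FIELDS = {
    "author": (str, True),
    "date": (str, True),
    "description": (str, True),
    "how_to_implement": (str, False),
    "id": (str, True),
    "known_false_positives": (str, True),
    "name": (str, True),
    "references": (list, False),
    "search": (str, True),
    "tags": (dict, True),
    "type": (str, True),
    "datamodel": (list, False),
    "version": (int, True),
}

# Assumption: id must be the canonical hyphenated UUID form shown in the id example.
UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)


def validate_detection(det):
    """Return a list of error strings; an empty list means the detection conforms.
    Unknown keys are accepted (and may be null), as 'Additional Properties' allows."""
    if not isinstance(det, dict):
        return ["detection must be an object"]
    errors = []
    for name, (ptype, required) in FIELDS.items():
        if name not in det:
            if required:
                errors.append(f"{name}: required field is missing")
            continue
        value = det[name]
        if value is None:  # every defined property is 'cannot be null'
            errors.append(f"{name}: cannot be null")
            continue
        if isinstance(value, bool) or not isinstance(value, ptype):
            errors.append(f"{name}: expected {ptype.__name__}, got {type(value).__name__}")
            continue
        if ptype is list and not all(isinstance(item, str) for item in value):
            errors.append(f"{name}: every item must be a string")
    # Format and content checks, applied only to values that passed the type check.
    if isinstance(det.get("id"), str) and not UUID_RE.fullmatch(det["id"]):
        errors.append("id: not a valid UUID")
    if isinstance(det.get("date"), str):
        if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", det["date"]):
            errors.append("date: must be formatted yyyy-mm-dd")
        else:
            try:
                date.fromisoformat(det["date"])
            except ValueError:
                errors.append("date: not a real calendar date")
    # Assumption: the intent of the tags constraint (minItems: 1) is 'at least one tag';
    # a JSON Schema validator would not enforce that on an object, so it is checked here.
    if isinstance(det.get("tags"), dict) and not det["tags"]:
        errors.append("tags: at least one tag is required")
    return errors


# Constructed sample assembled from the examples on this page. A real spec file is
# YAML; load it with a YAML parser first, then pass the resulting dict here.
EXAMPLE_DETECTION = {
    "name": "Access LSASS Memory for Dump Creation",
    "id": "fb4c31b0-13e8-4155-8aa5-24de4b8d6717",
    "version": 2,
    "date": "2019-12-06",
    "author": "Patrick Bareiss, Splunk",
    "type": "streaming",
    "datamodel": ["Endpoint"],
    "description": "dbgcore.dll is a specific DLL for Windows core debugging. It is used to "
                   "obtain a memory dump of a process. This search detects the usage of this "
                   "DLL for creating a memory dump of LSASS process.",
    "search": "`sysmon` EventCode=10 TargetImage=*lsass.exe CallTrace=*dbgcore.dll* OR "
              "CallTrace=*dbghelp.dll* | stats count min(_time) as firstTime max(_time) as "
              "lastTime by Computer, TargetImage, TargetProcessId, SourceImage, SourceProcessId "
              "| rename Computer as dest | `security_content_ctime(firstTime)` "
              "| `security_content_ctime(lastTime)` | `access_lsass_memory_for_dump_creation_filter`",
    "how_to_implement": "This search requires Sysmon Logs and a Sysmon configuration, which "
                        "includes EventCode 10 for lsass.exe.",
    "known_false_positives": "Administrators can create memory dumps for debugging purposes, "
                             "but memory dumps of the LSASS process would be unusual.",
    "references": ["https://2017.zeronights.org/wp-content/uploads/materials/"
                   "ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf"],
    "tags": {"analytic_story": "credential_dumping", "kill_chain_phases": "Action on Objectives"},
}


if __name__ == "__main__":
    print("errors for the page example:", validate_detection(EXAMPLE_DETECTION))
    broken = dict(EXAMPLE_DETECTION, id="not-a-uuid", version="2", tags={})
    del broken["author"]
    for err in validate_detection(broken):
        print("error:", err)
```

The function reports every violation rather than stopping at the first, which is what you want when linting a directory of detection files in CI. Note that the boolean check matters in practice: a YAML value of `version: true` loads as a Python `True`, which a naive `isinstance(value, int)` would accept.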