Analytics Story Schema

http://example.com/example.json

Schema for an analytics story

| Abstract | Extensible | Status | Identifiable | Custom Properties | Additional Properties | Access Restrictions | Defined In |
|---|---|---|---|---|---|---|---|
| Can be instantiated | No | Unknown status | No | Forbidden | Allowed | none | stories.spec.json |

Analytics Story Schema Type

object (Analytics Story Schema)

Analytics Story Schema Default Value

The default value is:

{}

Analytics Story Schema Properties

| Property | Type | Required | Nullable | Defined by |
|---|---|---|---|---|
| author | string | Required | cannot be null | Analytics Story Schema |
| date | string | Required | cannot be null | Analytics Story Schema |
| description | string | Required | cannot be null | Analytics Story Schema |
| id | string | Required | cannot be null | Analytics Story Schema |
| name | string | Required | cannot be null | Analytics Story Schema |
| narrative | string | Required | cannot be null | Analytics Story Schema |
| search | string | Optional | cannot be null | Analytics Story Schema |
| tags | object | Required | cannot be null | Analytics Story Schema |
| version | integer | Required | cannot be null | Analytics Story Schema |
| Additional Properties | Any | Optional | can be null | |

author

Author of the analytics story


author Type

string

author Examples

Rico Valdez, Patrick Bareiß, Splunk

date

Date of creation or modification, in yyyy-mm-dd format


date Type

string

date Examples

'2019-12-06'

description

Description of the analytics story


description Type

string

description Examples

Uncover activity consistent with credential dumping, a technique where attackers compromise systems and attempt to obtain and exfiltrate passwords.

id

UUID used as the unique identifier


id Type

string

id Examples

fb4c31b0-13e8-4155-8aa5-24de4b8d6717

name

Name of the Analytics Story


name Type

string

name Examples

Credential Dumping

narrative

Narrative of the analytics story


narrative Type

string

narrative Examples

gathering credentials from a target system, often hashed or encrypted, is a common attack technique. Even though the credentials may not be in plain text, an attacker can still exfiltrate the data and set to cracking it offline, on their own systems.

search

An additional Splunk search, which uses the results of the detections

search Type

string

search Examples

index=asx mitre_id=t1003 | stats values(source) as detections values(process) as processes values(user) as users values(_time) as time count by dest

tags

An explanation about the purpose of this instance.


tags Type

object (Details)

tags Constraints

Minimum number of items: 1

tags Default Value

The default value is:

{}

tags Examples

analytic_story: credential_dumping

version

Version of the analytics story, e.g. 1 or 2 …


version Type

integer

version Examples

1

Additional Properties

Additional properties are allowed and do not have to follow a specific schema
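To show how the required properties, types and formats listed above are enforced in practice, here is an added Python validator. It is not the project's own tooling and does not load stories.spec.json; it hand-codes the constraints from this page (required keys, non-null string/object/integer types, yyyy-mm-dd date, UUID id, non-empty tags) and returns every violation it finds, and the sample story is constructed from the example values shown above.

```python
import re
import uuid
from datetime import date

# Required properties and their expected Python types, from the properties table.
REQUIRED = {
    "author": str, "date": str, "description": str, "id": str,
    "name": str, "narrative": str, "tags": dict, "version": int,
}
OPTIONAL = {"search": str}
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def validate_story(story: dict) -> list[str]:
    """Return a list of problems; an empty list means the story conforms."""
    errors = []
    for key, typ in REQUIRED.items():
        if key not in story:
            errors.append(f"missing required property '{key}'")
        elif story[key] is None:
            errors.append(f"'{key}' cannot be null")
        elif not isinstance(story[key], typ) or isinstance(story[key], bool):
            errors.append(f"'{key}' must be {typ.__name__}")
    for key, typ in OPTIONAL.items():
        if key in story and story[key] is not None and not isinstance(story[key], typ):
            errors.append(f"'{key}' must be {typ.__name__}")
    # Format checks only run on values that already have the right type.
    if isinstance(story.get("date"), str):
        try:
            if not DATE_RE.match(story["date"]):
                raise ValueError  # reject e.g. "20191206", which fromisoformat may accept
            date.fromisoformat(story["date"])  # reject impossible dates like month 13
        except ValueError:
            errors.append("'date' must be a real date in yyyy-mm-dd format")
    if isinstance(story.get("id"), str):
        try:
            uuid.UUID(story["id"])
        except ValueError:
            errors.append("'id' must be a UUID")
    if isinstance(story.get("tags"), dict) and not story["tags"]:
        errors.append("'tags' must contain at least one item")
    return errors


# Constructed sample assembled from the example values on this page (texts shortened).
SAMPLE_STORY = {
    "author": "Rico Valdez, Patrick Bareiß, Splunk",
    "date": "2019-12-06",
    "description": "Uncover activity consistent with credential dumping.",
    "id": "fb4c31b0-13e8-4155-8aa5-24de4b8d6717",
    "name": "Credential Dumping",
    "narrative": "Gathering credentials from a target system is a common technique.",
    "tags": {"analytic_story": "credential_dumping"},
    "version": 1,
}
```

Calling `validate_story(SAMPLE_STORY)` returns an empty list; removing a required key or supplying a non-ISO date, a malformed id or an empty tags object produces one message per violation.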