Stanza_type Parameters

The following parameters are available for each stanza type.

analytic_story parameters

| Parameter | Description |
| --- | --- |
| name | Defines an analytic story titled <name>; the stanza is analytic_story://<name>. Cannot be an empty string. |
| category | A string that best describes this type of analytic story, such as "Abuse", "Compliance", or "Malware". If unset, the story is displayed as "Uncategorized". Optional. |
| description | A string explaining why the story is useful or what the story includes. |
| last_updated | Update time of the analytic story as an ISO 8601 date, YYYY-MM-DD. Optional. |
| maintainers | A JSON array of the current maintainers of the analytic story, one object per maintainer (format below). Defaults to an empty array. Optional. |
| narrative | Long-form text that describes the analytic story use case and the rationale behind it, an overview of the included searches, and how to enable the story. Optional. |
| references | A JSON array of URLs that give information about the problem the story addresses. Optional. |
| searches | A JSON array of the searches used by the analytic story. Each string in the array is the name of a unique savedsearch. Required. |
| spec_version | Version of the analytics spec used by the current stanza, as a positive integer. A larger number means a more recent update. Required. |

Format of each maintainers item:

```json
{
   "company": "<string>",
   "email": "<string>",
   "name": "<string>"
}
```

company (optional): Company associated with the person maintaining this analytic story
email (required, valid RFC 5322 addr-spec): Email address of the person maintaining this analytic story
name (required, non-empty): Name of the person maintaining this analytic story
analytic_story_category parameters

| Parameter | Description |
| --- | --- |
| name | Additional information for the analytic story category <name>, where <name> is the value of category in an analytic_story stanza. Cannot be an empty string. |
| description | A string explanation of the category. |
| icon | An image file for the category, given as the filename of an icon image located under <app>/appserver/static. The only supported format is PNG. Optional. |
| spec_version | Version of the analytics spec used by the current stanza, as a positive integer. A larger number means a more recent update. Required. |
savedsearch parameters

| Parameter | Description |
| --- | --- |
| name | Defines metadata for the saved search named <name>. Cannot be an empty string. |
| annotations | A JSON object of metadata on the search, currently used to annotate the search with industry standards and frameworks (format below). Optional. |
| asset_type | Type of asset being investigated, as a string. For example, AWS Instance. Optional. |
| confidence | Confidence that the detected behavior is malicious, for instance high, medium, or low. Optional. |
| earliest_time_offset | The number of seconds into the past from the event time that the search should cover, as a non-negative integer. Optional. |
| explanation | Detailed description of the SPL, written in a style that can be understood without deep technical knowledge. Optional. |
| how_to_implement | A description of how to put this search into effect: what data needs to be ingested, which configuration files to modify, and suggested per-site modifications. Optional. |
| known_false_positives | Scenarios in which the detected behavior is benign, coupled with suggestions on how to verify the behavior. Optional. |
| latest_time_offset | The number of seconds into the future from the event time that the search should cover, as a non-negative integer. Optional. |
| providing_technologies | External services, software, or hardware that provide the data this analytic story relies on, as a JSON array of strings. Optional. |
| status | Current status of the search. For example: development, experimental, production. Optional. |
| type | Type of this search. Cannot be an empty string. Required. |

The supported annotation format and standards follow:

```json
{
   "cis20": ["<string>"],
   "kill_chain_phases": ["<string>"],
   "mitre_attack": ["<string>"],
   "nist": ["<string>"]
}
```

cis20: Critical security controls this search implements
kill_chain_phases: Kill-chain phases to which the search applies
mitre_attack: Techniques and tactics identified by the search
nist: Controls the search implements
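The following script is an added example, not Splunk's own code or part of this reference: it lints an analyticstories.conf file against the rules stated in the three tables (non-empty stanza names, positive integer spec_version, YYYY-MM-DD last_updated, maintainer name and RFC 5322 email, unique savedsearch names, PNG icons, the four supported annotation frameworks, non-negative time offsets, required type). It assumes the conf file can be read by Python's configparser as INI (one key = value per line, each JSON-valued parameter on a single line); SAMPLE_CONF, its stanza names and annotation values are constructed for illustration, and EMAIL_RE is a simplified approximation of an addr-spec rather than a full RFC 5322 parser.

```python
"""Lint analyticstories.conf stanzas against the parameter rules listed above.

Added example, not Splunk's own validator. It assumes an INI-style file (stanza header in
square brackets, one key = value per line) with each JSON parameter on a single line.
SAMPLE_CONF is constructed for illustration; EMAIL_RE is a simplified RFC 5322 addr-spec.
"""
import configparser
import json
import re
SAMPLE_CONF = """[analytic_story://Suspicious AWS Login Activity]
category = Cloud Security
last_updated = 2021-03-15
maintainers = [{"company": "Example Corp", "email": "secops@example.com", "name": "A. Analyst"}]
searches = ["AWS Console Login Without MFA"]
spec_version = 3
[analytic_story_category://Cloud Security]
icon = cloud_security.png
spec_version = 3
[savedsearch://AWS Console Login Without MFA]
annotations = {"cis20": ["CIS 16"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1078"], "nist": ["DE.CM"]}
earliest_time_offset = 3600
providing_technologies = ["AWS CloudTrail"]
type = detection
"""
EMAIL_RE = re.compile(r"^[\w!#$%&'*+/=?^`{|}~-]+(\.[\w!#$%&'*+/=?^`{|}~-]+)*@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
ANNOTATION_KEYS = ("cis20", "kill_chain_phases", "mitre_attack", "nist")

def parse_conf(text):
    # Splunk conf files are INI-like; disable '%' interpolation and split only on '='.
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(text)
    return {s: dict(parser[s]) for s in parser.sections()}

def _json_param(params, key, expected, problems):
    # Parse a JSON-valued parameter; report bad JSON or a wrong top-level type.
    try:
        value = json.loads(params[key]) if key in params else None
    except json.JSONDecodeError:
        problems.append(f"{key}: not valid JSON")
        return None
    if value is not None and not isinstance(value, expected):
        problems.append(f"{key}: must be a JSON {expected.__name__}")
        return None
    return value

def _spec_version_problems(params):
    raw = params.get("spec_version", "")
    return [] if raw.isdigit() and int(raw) > 0 else ["spec_version: required, must be a positive integer"]

def check_analytic_story(name, params):
    problems = [] if name else ["name: cannot be empty"]
    if "last_updated" in params and not re.fullmatch(r"\d{4}-\d{2}-\d{2}", params["last_updated"]):
        problems.append("last_updated: must be YYYY-MM-DD")
    for i, m in enumerate(_json_param(params, "maintainers", list, problems) or []):
        m = m if isinstance(m, dict) else {}  # a non-object item fails both checks below
        if not m.get("name"):
            problems.append(f"maintainers[{i}].name: required, non-empty")
        if not EMAIL_RE.match(str(m.get("email", ""))):
            problems.append(f"maintainers[{i}].email: not a valid addr-spec")
    searches = _json_param(params, "searches", list, problems)
    if "searches" not in params:
        problems.append("searches: required")
    elif searches and (not all(isinstance(s, str) for s in searches) or len(set(searches)) != len(searches)):
        problems.append("searches: must be unique savedsearch names")
    problems += _spec_version_problems(params)
    return problems

def check_category(name, params):
    problems = [] if name else ["name: cannot be empty"]
    if "icon" in params and not params["icon"].lower().endswith(".png"):
        problems.append("icon: only png is supported")
    problems += _spec_version_problems(params)
    return problems

def check_savedsearch(name, params):
    problems = [] if name else ["name: cannot be empty"]
    for key, val in (_json_param(params, "annotations", dict, problems) or {}).items():
        if key not in ANNOTATION_KEYS:
            problems.append(f"annotations.{key}: unsupported framework")
        elif not (isinstance(val, list) and all(isinstance(v, str) for v in val)):
            problems.append(f"annotations.{key}: must be an array of strings")
    problems += [f"{k}: must be a non-negative integer" for k in ("earliest_time_offset", "latest_time_offset")
                 if k in params and not params[k].isdigit()]
    _json_param(params, "providing_technologies", list, problems)
    if not params.get("type"):
        problems.append("type: required, cannot be empty")
    return problems

def lint(text):
    # Map each stanza header to its problems; an empty list means the stanza is clean.
    checkers = {"analytic_story": check_analytic_story,
                "analytic_story_category": check_category, "savedsearch": check_savedsearch}
    report = {}
    for header, params in parse_conf(text).items():
        stanza_type, sep, name = header.partition("://")
        checker = checkers.get(stanza_type) if sep else None
        report[header] = checker(name, params) if checker else ["unknown stanza type"]
    return report
```

lint(SAMPLE_CONF) returns an empty problem list for each of the three stanzas; a stanza such as [analytic_story://] with spec_version = 0 and a duplicated search name is reported with one entry per violated rule, which makes the script usable as a pre-deployment check in an app's build pipeline.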