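--- a/objects/mfa-auth/definition.json
+++ b/objects/mfa-auth/definition.json
@@ -0,0 +1,78 @@
+{
+"attributes": {
+"user": {
+"description": "Anonymized user identifier associated with the MFA event.",
+"misp-attribute": "anonymised",
+"ui-priority": 0
+},
+"incident-datetime": {
+"description": "UTC timestamp indicating when the MFA authentication event occurred.",
+"misp-attribute": "datetime",
+"ui-priority": 0
+},
+"outcome": {
+"description": "Final classification of the MFA event (e.g., benign, suspicious, confirmed compromise, MFA fatigue).",
+"misp-attribute": "text",
+"ui-priority": 0
+},
+"reason": {
+"description": "Explanation or justification for the assigned outcome, based on observed activity or analyst investigation.",
+"misp-attribute": "text",
+"ui-priority": 0
+},
+"integration": {
+"description": "Application, service, or system being accessed during the MFA event (e.g., VPN, SSO, cloud service).",
+"misp-attribute": "text",
+"ui-priority": 0
+},
+"factor": {
+"description": "Authentication factor or method used for MFA (e.g., push notification, SMS, phone call, hardware token).",
+"misp-attribute": "text",
+"ui-priority": 0
+},
+"access-device-ip": {
+"description": "IP address of the device initiating the authentication request.",
+"misp-attribute": "ip-src",
+"ui-priority": 0
+},
+"2fa-device-ip": {
+"description": "IP address of the device used to respond to or complete the MFA challenge.",
+"misp-attribute": "ip-src",
+"ui-priority": 0
+},
+"access-device-os": {
+"description": "Operating system of the device initiating the authentication request.",
+"misp-attribute": "text",
+"ui-priority": 0
+},
+"access-device-browser": {
+"description": "Web browser or client application used on the access device.",
+"misp-attribute": "text",
+"ui-priority": 0
+},
+"access-device-location": {
+"description": "Geographic location associated with the access device IP (e.g., city, region, country).",
+"misp-attribute": "text",
+"ui-priority": 0
+},
+"2fa-device-location": {
+"description": "Geographic location associated with the MFA device IP (e.g., city, region, country).",
+"misp-attribute": "text",
+"ui-priority": 0
+},
+"analysis-note": {
+"description": "Additional contextual notes or summary of the investigation and findings.",
+"misp-attribute": "comment",
+"ui-priority": 0
+}
+},
+"description": "Object describing a multi-factor authentication (MFA) event, including anonymized user identifiers, authentication method, network source information, device context, and analyst-derived outcome and reasoning.",
+"meta-category": "misc",
+"name": "mfa-auth",
+"requiredOneOf": [
+"user",
+"access-device-ip"
+],
+"uuid": "1045C92C-0B87-4C39-B838-CCA16B25C26C",
+"version": 1
+}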
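Review bot: Both `access-device-ip` and `2fa-device-ip` are typed `ip-src` with no `to_ids` override, so, assuming the attribute type's default IDS flag applies, addresses from events whose `outcome` is benign could be flagged for detection export alongside those from confirmed compromises. Consider adding `"to_ids": false` to both entries and letting the analyst raise the flag per event. `outcome` and `factor` name their expected values only inside the description text; a `"sane_default": [...]` (or `"values_list"`) on each would keep the values uniform enough to filter and correlate on. The `uuid` is written in upper case, whereas the object templates I am aware of use lower-case UUIDs, so it is probably worth normalising before merge.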