forked from elastic/ecs
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[RFC] Threat Intel - Stage 2 (elastic#1127)
Co-authored-by: Mathieu Martin <[email protected]> Co-authored-by: Andrew Pease <[email protected]> Co-authored-by: Derek Ditch <[email protected]> Co-authored-by: Eric Beahan <[email protected]> Co-authored-by: Ryland Herrick <[email protected]>
- Loading branch information
6 people
authored
Feb 18, 2021
1 parent
f2387b5
commit 3e0c861
Showing
10 changed files
with
568 additions
and
54 deletions.
There are no files selected for viewing
Large diffs are not rendered by default.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| --- | ||
| - name: as | ||
| reusable: | ||
| expected: | ||
| - threat.indicator |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| --- | ||
| - name: file | ||
| reusable: | ||
| expected: | ||
| - threat.indicator |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| --- | ||
| - name: geo | ||
| reusable: | ||
| expected: | ||
| - threat.indicator |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| --- | ||
| - name: hash | ||
| reusable: | ||
| expected: | ||
| - threat.indicator |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| --- | ||
| - name: pe | ||
| reusable: | ||
| expected: | ||
| - threat.indicator |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| --- | ||
| - name: registry | ||
| reusable: | ||
| expected: | ||
| - threat.indicator |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,196 @@ | ||
| --- | ||
| - name: threat | ||
|
|
||
| fields: | ||
|
|
||
| - name: indicator.first_seen | ||
| level: extended | ||
| type: date | ||
| short: Date/time indicator was first reported. | ||
| description: > | ||
| The date and time when intelligence source first reported sighting this indicator. | ||
| example: "2020-11-05T17:25:47.000Z" | ||
|
|
||
| - name: indicator.last_seen | ||
| level: extended | ||
| type: date | ||
| short: Date/time indicator was last reported. | ||
| description: > | ||
| The date and time when intelligence source last reported sighting this indicator. | ||
| example: "2020-11-05T17:25:47.000Z" | ||
|
|
||
| - name: indicator.sightings | ||
| level: extended | ||
| type: long | ||
| short: Number of times indicator observed | ||
| description: > | ||
| Number of times this indicator was observed conducting threat activity. | ||
| example: 20 | ||
|
|
||
| - name: indicator.type | ||
| level: extended | ||
| type: keyword | ||
| short: Type of indicator | ||
| description: > | ||
| Type of indicator as represented by Cyber Observable in STIX 2.0. | ||
| Expected values | ||
| * autonomous-system | ||
| * artifact | ||
| * directory | ||
| * domain-name | ||
| * email-addr | ||
| * file | ||
| * ipv4-addr | ||
| * ipv6-addr | ||
| * mac-addr | ||
| * mutex | ||
| * process | ||
| * software | ||
| * url | ||
| * user-account | ||
| * windows-registry-key | ||
| * x-509-certificate | ||
| example: ipv4-addr | ||
|
|
||
| - name: indicator.description | ||
| level: extended | ||
| type: wildcard | ||
| short: Indicator description | ||
| description: > | ||
| Describes the type of action conducted by the threat. | ||
| example: IP x.x.x.x was observed delivering the Angler EK. | ||
|
|
||
| - name: indicator.scanner_stats | ||
| level: extended | ||
| type: long | ||
| short: Scanner statistics | ||
| description: > | ||
| Count of AV/EDR vendors that successfully detected malicious file or URL. | ||
| example: 4 | ||
|
|
||
| - name: indicator.provider | ||
| level: extended | ||
| type: keyword | ||
| description: > | ||
| Identifies the name of the intelligence provider. | ||
| example: VirusTotal | ||
|
|
||
| - name: indicator.confidence | ||
| level: extended | ||
| type: keyword | ||
| short: Indicator confidence rating | ||
| description: > | ||
| Identifies the confidence rating assigned by the provider using STIX confidence scales. | ||
| Expected values: | ||
| * Not Specified, None, Low, Medium, High | ||
| * 0-10 | ||
| * Admirality Scale (1-6) | ||
| * DNI Scale (5-95) | ||
| * WEP Scale (Impossible - Certain) | ||
| example: High | ||
|
|
||
| - name: indicator.module | ||
| level: extended | ||
| type: keyword | ||
| short: Indicator module | ||
| description: > | ||
| Identifies the name of specific module this data is coming from. | ||
| example: threatintel | ||
|
|
||
| - name: indicator.dataset | ||
| level: extended | ||
| type: keyword | ||
| short: Indicator dataset | ||
| description: > | ||
| Identifies the name of specific dataset from the intelligence source. | ||
| example: threatintel.abusemalware | ||
|
|
||
| - name: indicator.ip | ||
| level: extended | ||
| type: ip | ||
| short: Indicator IP address | ||
| description: > | ||
| Identifies a threat indicator as an IP address (irrespective of direction). | ||
| example: 1.2.3.4 | ||
|
|
||
| - name: indicator.domain | ||
| level: extended | ||
| type: keyword | ||
| short: Indicator domain name | ||
| description: > | ||
| Identifies a threat indicator as a domain (irrespective of direction). | ||
| example: example.com | ||
|
|
||
| - name: indicator.port | ||
| level: extended | ||
| type: long | ||
| short: Indicator port | ||
| description: > | ||
| Identifies a threat indicator as a port number (irrespective of direction). | ||
| example: 443 | ||
|
|
||
| - name: indicator.email.address | ||
| level: extended | ||
| type: keyword | ||
| short: Indicator email address | ||
| description: > | ||
| Identifies a threat indicator as an email address (irrespective of direction). | ||
| example: [email protected] | ||
|
|
||
| - name: indicator.marking.tlp | ||
| level: extended | ||
| type: keyword | ||
| short: Indicator TLP marking | ||
| description: > | ||
| Traffic Light Protocol sharing markings. | ||
| Expected values are: | ||
| * White | ||
| * Green | ||
| * Amber | ||
| * Red | ||
| example: White | ||
|
|
||
| - name: indicator.matched.atomic | ||
| level: extended | ||
| type: keyword | ||
| short: Indicator atomic match | ||
| description: > | ||
| Identifies the atomic indicator that matched a local environment endpoint or network event. | ||
| example: example.com | ||
|
|
||
| - name: indicator.matched.field | ||
| level: extended | ||
| type: keyword | ||
| short: Indicator field match | ||
| description: > | ||
| Identifies the field of the atomic indicator that matched a local environment endpoint or network event. | ||
| example: file.hash.sha256 | ||
|
|
||
| - name: indicator.matched.type | ||
| level: extended | ||
| type: keyword | ||
| short: Indicator type match | ||
| description: > | ||
| Identifies the type of the atomic indicator that matched a local environment endpoint or network event. | ||
| example: domain-name |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| --- | ||
| - name: url | ||
| reusable: | ||
| expected: | ||
| - threat.indicator |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| --- | ||
| - name: x509 | ||
| reusable: | ||
| expected: | ||
| - threat.indicator |