diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 89411df67a..296df595cc 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -25,9 +25,9 @@ Thanks, you're awesome :-) -->
 * Remove `beta` from `orchestrator` field set. #1417
 * Extend `threat.*` field set beta. #1438
 * Added `event.agent_id_status` field. #1454
-* `threat.enrichments` added to the experimental schema. #1457
 * `process.target` and `process.target.parent` added to experimental schema. #1467
 * Threat indicator fields progress to beta stage. #1471
+* `threat.enrichments` beta fields. #1478
 
 #### Improvements
 
diff --git a/code/go/ecs/threat.go b/code/go/ecs/threat.go
index ec7d1a4ee8..becd75adad 100644
--- a/code/go/ecs/threat.go
+++ b/code/go/ecs/threat.go
@@ -32,6 +32,10 @@ import (
 	// used by this detected threat, to accomplish the goal (e.g. "endpoint denial
 	// of service").
 type Threat struct {
+	// A list of associated indicators enriching the event, and the context of
+	// that association/enrichment.
+	Enrichments []Enrichments `ecs:"enrichments"`
+
 	// Name of the threat framework used to further categorize and classify the
 	// tactic and technique of the reported threat. Framework classification
 	// can be provided by detecting systems, evaluated at ingest time, or
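Review bot: The new field is typed `[]Enrichments`, so the slice element type carries a plural name; Go convention names the element type in the singular, which would read `Enrichments []Enrichment `ecs:"enrichments"``. The field comment repeats the schema description but does not say that `threat.enrichments` is an Elasticsearch `nested` field (the docs hunk in this diff states `type: nested`), which is the one fact a Go consumer of this struct needs to index it correctly; a second comment line such as `// Mapped as an ES nested field: each element is one matched indicator.` would carry it. If threat.go is generated from the schema files, as the rest of this diff suggests, both changes belong in the generator rather than in this file. The `Threat` struct continues outside the hunk.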
@@ -212,3 +216,23 @@ type Threat struct {
 	// https://attack.mitre.org/techniques/T1059/001/)
 	TechniqueSubtechniqueReference string `ecs:"technique.subtechnique.reference"`
 }
+
+type Enrichments struct {
+	// Identifies the atomic indicator value that matched a local environment
+	// endpoint or network event.
+	MatchedAtomic string `ecs:"matched.atomic"`
+
+	// Identifies the field of the atomic indicator that matched a local
+	// environment endpoint or network event.
+	MatchedField string `ecs:"matched.field"`
+
+	// Identifies the _id of the indicator document enriching the event.
+	MatchedID string `ecs:"matched.id"`
+
+	// Identifies the _index of the indicator document enriching the event.
+	MatchedIndex string `ecs:"matched.index"`
+
+	// Identifies the type of match that caused the event to be enriched with
+	// the given indicator
+	MatchedType string `ecs:"matched.type"`
+}
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index 43db0fe025..0b4eaf9bbc 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -289,6 +289,8 @@ The `as` fields are expected to be nested at:
 * `source.as` +* `threat.enrichments.as` + Note also that the `as` fields are not expected to be used directly at the root of the events.
@@ -3032,6 +3034,20 @@ example: `https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38f
 |===== +[discrete] +==== Field Reuse + +The `event` fields are expected to be nested at: + + +* `threat.enrichments.event` + + +Note also that the `event` fields may be used directly at the root of the events. + + + + [[ecs-file]] === File Fields
@@ -3418,6 +3434,14 @@ example: `1001`
 [discrete] ==== Field Reuse +The `file` fields are expected to be nested at: + + +* `threat.enrichments.file` + + +Note also that the `file` fields may be used directly at the root of the events. +
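Review bot: `type Enrichments struct {` is an exported type with no doc comment, while `Threat` directly above it carries one; golint/revive flag this and godoc renders the type bare. A one-line comment such as `// Enrichments describes one indicator that enriched the event and the context of that match (ECS threat.enrichments).` placed on the line before the declaration fixes it. The comment on `MatchedType` ends without a period ("the given indicator") where the other four fields' comments do; the same text appears as the field description in the schema files elsewhere in this diff, so the correction likely belongs in the schema source. The docs hunks list `as`, `event`, `file`, `geo`, `hash`, `url` and `x509` as field sets reused under `threat.enrichments`, yet this struct has only the `matched.*` fields; if the Go generator omits reused field sets by design that is expected, otherwise `Enrichments` is incomplete.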
@@ -3688,6 +3712,8 @@ The `geo` fields are expected to be nested at: * `source.geo` +* `threat.enrichments.geo` + Note also that the `geo` fields are not expected to be used directly at the root of the events. @@ -3886,6 +3912,8 @@ The `hash` fields are expected to be nested at: * `process.hash` +* `threat.enrichments.hash` + Note also that the `hash` fields are not expected to be used directly at the root of the events. 
@@ -7635,6 +7663,114 @@ These fields are for users to classify alerts from all of their sources (e.g. ID // =============================================================== +| +[[field-threat-enrichments]] +<> + +| beta:[ This field is beta and subject to change. ] + +A list of associated indicators enriching the event, and the context of that association/enrichment. + +type: nested + + + + + +| extended + +// =============================================================== + +| +[[field-threat-enrichments-matched-atomic]] +<> + +| beta:[ This field is beta and subject to change. ] + +Identifies the atomic indicator value that matched a local environment endpoint or network event. + +type: keyword + + + +example: `bad-domain.com` + +| extended + +// =============================================================== + +| +[[field-threat-enrichments-matched-field]] +<> + +| beta:[ This field is beta and subject to change. ] + +Identifies the field of the atomic indicator that matched a local environment endpoint or network event. + +type: keyword + + + +example: `file.hash.sha256` + +| extended + +// =============================================================== + +| +[[field-threat-enrichments-matched-id]] +<> + +| beta:[ This field is beta and subject to change. ] + +Identifies the _id of the indicator document enriching the event. + +type: keyword + + + +example: `ff93aee5-86a1-4a61-b0e6-0cdc313d01b5` + +| extended + +// =============================================================== + +| +[[field-threat-enrichments-matched-index]] +<> + +| beta:[ This field is beta and subject to change. ] + +Identifies the _index of the indicator document enriching the event. + +type: keyword + + + +example: `filebeat-8.0.0-2021.05.23-000011` + +| extended + +// =============================================================== + +| +[[field-threat-enrichments-matched-type]] +<> + +| beta:[ This field is beta and subject to change. 
] + +Identifies the type of match that caused the event to be enriched with the given indicator + +type: keyword + + + +example: `indicator_match_rule` + +| extended + +// =============================================================== + | [[field-threat-framework]] <> 
@@ -8304,6 +8440,81 @@ example: `https://attack.mitre.org/techniques/T1059/001/` // =============================================================== +|===== + +[discrete] +==== Field Reuse + + + + +[[ecs-threat-nestings]] +[discrete] +===== Field sets that can be nested under Threat + +[options="header"] +|===== +| Location | Field Set | Description + +// =============================================================== + + +| `threat.enrichments.as.*` +| <>| beta:[ Reusing the `as` fields in this location is currently considered beta.] + +Fields describing an Autonomous System (Internet routing prefix). + +// =============================================================== + + +| `threat.enrichments.event.*` +| <>| beta:[ Reusing the `event` fields in this location is currently considered beta.] + +Fields breaking down the event details. + +// =============================================================== + + +| `threat.enrichments.file.*` +| <>| beta:[ Reusing the `file` fields in this location is currently considered beta.] + +Fields describing files. + +// =============================================================== + + +| `threat.enrichments.geo.*` +| <>| beta:[ Reusing the `geo` fields in this location is currently considered beta.] + +Fields describing a location. + +// =============================================================== + + +| `threat.enrichments.hash.*` +| <>| beta:[ Reusing the `hash` fields in this location is currently considered beta.] + +Hashes, usually file hashes. + +// =============================================================== + + +| `threat.enrichments.url.*` +| <>| beta:[ Reusing the `url` fields in this location is currently considered beta.] + +Fields that let you store URLs in various forms. + +// =============================================================== + + +| `threat.enrichments.x509.*` +| <>| beta:[ Reusing the `x509` fields in this location is currently considered beta.] 
+ +These fields contain x509 certificate metadata. + +// =============================================================== + + |===== [[ecs-tls]] @@ -9180,6 +9391,20 @@ type: keyword |===== +[discrete] +==== Field Reuse + +The `url` fields are expected to be nested at: + + +* `threat.enrichments.url` + + +Note also that the `url` fields may be used directly at the root of the events. + + + + [[ecs-user]] === User Fields @@ -10287,6 +10512,8 @@ The `x509` fields are expected to be nested at: * `file.x509` +* `threat.enrichments.x509` + * `tls.client.x509` * `tls.server.x509` diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 3e5c6c0ac5..ad48dae723 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -12290,6 +12290,7 @@ tags: short: List of keywords used to tag each event. type: keyword threat.enrichments: + beta: This field is beta and subject to change. dashed_name: threat-enrichments description: A list of associated indicators enriching the event, and the context of that association/enrichment. @@ -14032,6 +14033,7 @@ threat.enrichments.hash.ssdeep: short: SSDEEP hash. type: keyword threat.enrichments.matched.atomic: + beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-atomic description: Identifies the atomic indicator value that matched a local environment endpoint or network event. @@ -14044,6 +14046,7 @@ threat.enrichments.matched.atomic: short: Matched indicator value type: keyword threat.enrichments.matched.field: + beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-field description: Identifies the field of the atomic indicator that matched a local environment endpoint or network event. 
@@ -14056,6 +14059,7 @@ threat.enrichments.matched.field: short: Matched indicator field type: keyword threat.enrichments.matched.id: + beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-id description: Identifies the _id of the indicator document enriching the event. example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 @@ -14067,6 +14071,7 @@ threat.enrichments.matched.id: short: Matched indicator identifier type: keyword threat.enrichments.matched.index: + beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-index description: Identifies the _index of the indicator document enriching the event. example: filebeat-8.0.0-2021.05.23-000011 @@ -14078,6 +14083,7 @@ threat.enrichments.matched.index: short: Matched indicator index type: keyword threat.enrichments.matched.type: + beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-type description: Identifies the type of match that caused the event to be enriched with the given indicator diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 35b756ff22..1607e9ad7a 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -151,6 +151,7 @@ as: full: source.as - as: as at: threat.enrichments + beta: Reusing the `as` fields in this location is currently considered beta. full: threat.enrichments.as top_level: false short: Fields describing an Autonomous System (Internet routing prefix). @@ -3777,6 +3778,7 @@ event: expected: - as: event at: threat.enrichments + beta: Reusing the `event` fields in this location is currently considered beta. full: threat.enrichments.event top_level: true short: Fields breaking down the event details. 
@@ -5301,6 +5303,7 @@ file: expected: - as: file at: threat.enrichments + beta: Reusing the `file` fields in this location is currently considered beta. full: threat.enrichments.file top_level: true reused_here: @@ -5483,6 +5486,7 @@ geo: full: source.geo - as: geo at: threat.enrichments + beta: Reusing the `geo` fields in this location is currently considered beta. full: threat.enrichments.geo top_level: false short: Fields describing a location. @@ -5614,6 +5618,7 @@ hash: full: dll.hash - as: hash at: threat.enrichments + beta: Reusing the `hash` fields in this location is currently considered beta. full: threat.enrichments.hash top_level: false short: Hashes, usually file hashes. @@ -14329,6 +14334,7 @@ threat: \ \"endpoint denial of service\")." fields: threat.enrichments: + beta: This field is beta and subject to change. dashed_name: threat-enrichments description: A list of associated indicators enriching the event, and the context of that association/enrichment. @@ -16087,6 +16093,7 @@ threat: short: SSDEEP hash. type: keyword threat.enrichments.matched.atomic: + beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-atomic description: Identifies the atomic indicator value that matched a local environment endpoint or network event. @@ -16099,6 +16106,7 @@ threat: short: Matched indicator value type: keyword threat.enrichments.matched.field: + beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-field description: Identifies the field of the atomic indicator that matched a local environment endpoint or network event. @@ -16111,6 +16119,7 @@ threat: short: Matched indicator field type: keyword threat.enrichments.matched.id: + beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-id description: Identifies the _id of the indicator document enriching the event. example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 
@@ -16122,6 +16131,7 @@ threat: short: Matched indicator identifier type: keyword threat.enrichments.matched.index: + beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-index description: Identifies the _index of the indicator document enriching the event. example: filebeat-8.0.0-2021.05.23-000011 @@ -16133,6 +16143,7 @@ threat: short: Matched indicator index type: keyword threat.enrichments.matched.type: + beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-type description: Identifies the type of match that caused the event to be enriched with the given indicator @@ -17658,19 +17669,24 @@ threat: - threat.enrichments.x509 prefix: threat. reused_here: - - full: threat.enrichments.as + - beta: Reusing the `as` fields in this location is currently considered beta. + full: threat.enrichments.as schema_name: as short: Fields describing an Autonomous System (Internet routing prefix). - - full: threat.enrichments.event + - beta: Reusing the `event` fields in this location is currently considered beta. + full: threat.enrichments.event schema_name: event short: Fields breaking down the event details. - - full: threat.enrichments.file + - beta: Reusing the `file` fields in this location is currently considered beta. + full: threat.enrichments.file schema_name: file short: Fields describing files. - - full: threat.enrichments.geo + - beta: Reusing the `geo` fields in this location is currently considered beta. + full: threat.enrichments.geo schema_name: geo short: Fields describing a location. - - full: threat.enrichments.hash + - beta: Reusing the `hash` fields in this location is currently considered beta. + full: threat.enrichments.hash schema_name: hash short: Hashes, usually file hashes. - full: threat.enrichments.pe 
@@ -17679,10 +17695,12 @@ threat: - full: threat.enrichments.registry schema_name: registry short: Fields related to Windows Registry operations. - - full: threat.enrichments.url + - beta: Reusing the `url` fields in this location is currently considered beta. + full: threat.enrichments.url schema_name: url short: Fields that let you store URLs in various forms. - - full: threat.enrichments.x509 + - beta: Reusing the `x509` fields in this location is currently considered beta. + full: threat.enrichments.x509 schema_name: x509 short: These fields contain x509 certificate metadata. short: Fields to classify events and alerts according to a threat taxonomy. @@ -18953,6 +18971,7 @@ url: expected: - as: url at: threat.enrichments + beta: Reusing the `url` fields in this location is currently considered beta. full: threat.enrichments.url top_level: true short: Fields that let you store URLs in various forms. @@ -20238,15 +20257,16 @@ x509: - as: x509 at: file full: file.x509 + - as: x509 + at: threat.enrichments + beta: Reusing the `x509` fields in this location is currently considered beta. + full: threat.enrichments.x509 - as: x509 at: tls.client full: tls.client.x509 - as: x509 at: tls.server full: tls.server.x509 - - as: x509 - at: threat.enrichments - full: threat.enrichments.x509 top_level: false short: These fields contain x509 certificate metadata. title: x509 Certificate diff --git a/experimental/schemas/as.yml b/experimental/schemas/as.yml index 550b5d3d6f..41dd9c8631 100644 --- a/experimental/schemas/as.yml +++ b/experimental/schemas/as.yml @@ -1,8 +1,5 @@ --- - name: as - reusable: - expected: - - threat.enrichments fields: - name: organization.name diff --git a/experimental/schemas/event.yml b/experimental/schemas/event.yml deleted file mode 100644 index 7157d5e7d4..0000000000 --- a/experimental/schemas/event.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- name: event - reusable: - expected: - - threat.enrichments 
diff --git a/experimental/schemas/file.yml b/experimental/schemas/file.yml index 779fbc948a..b85c91684f 100644 --- a/experimental/schemas/file.yml +++ b/experimental/schemas/file.yml @@ -1,8 +1,5 @@ --- - name: file - reusable: - expected: - - threat.enrichments fields: - name: directory diff --git a/experimental/schemas/geo.yml b/experimental/schemas/geo.yml index 9bc1393b25..65945dc9dc 100644 --- a/experimental/schemas/geo.yml +++ b/experimental/schemas/geo.yml @@ -1,8 +1,5 @@ --- - name: geo - reusable: - expected: - - threat.enrichments fields: - name: name diff --git a/experimental/schemas/hash.yml b/experimental/schemas/hash.yml deleted file mode 100644 index 51394d118d..0000000000 --- a/experimental/schemas/hash.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- name: hash - reusable: - expected: - - threat.enrichments diff --git a/experimental/schemas/threat.yml b/experimental/schemas/threat.yml deleted file mode 100644 index 5f90586e8e..0000000000 --- a/experimental/schemas/threat.yml +++ /dev/null 
@@ -1,51 +0,0 @@ ---- -- name: threat - - fields: - - - name: enrichments - level: extended - type: nested - short: List of indicators enriching the event. - description: > - A list of associated indicators enriching the event, and the context of that association/enrichment. - - - name: enrichments.matched.atomic - level: extended - type: keyword - short: Matched indicator value - description: > - Identifies the atomic indicator value that matched a local environment endpoint or network event. - example: bad-domain.com - - - name: enrichments.matched.field - level: extended - type: keyword - short: Matched indicator field - description: > - Identifies the field of the atomic indicator that matched a local environment endpoint or network event. - example: file.hash.sha256 - - - name: enrichments.matched.id - level: extended - type: keyword - short: Matched indicator identifier - description: > - Identifies the _id of the indicator document enriching the event. - example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 - - - name: enrichments.matched.index - level: extended - type: keyword - short: Matched indicator index - description: > - Identifies the _index of the indicator document enriching the event. - example: filebeat-8.0.0-2021.05.23-000011 - - - name: enrichments.matched.type - level: extended - type: keyword - short: Type of indicator match - description: > - Identifies the type of match that caused the event to be enriched with the given indicator - example: indicator_match_rule diff --git a/experimental/schemas/url.yml b/experimental/schemas/url.yml index 90a6162c7d..3ab858a698 100644 --- a/experimental/schemas/url.yml +++ b/experimental/schemas/url.yml @@ -1,8 +1,5 @@ --- - name: url - reusable: - expected: - - threat.enrichments fields: - name: original diff --git a/experimental/schemas/x509.yml b/experimental/schemas/x509.yml index 2184c74271..ab903bd0ed 100644 --- a/experimental/schemas/x509.yml +++ b/experimental/schemas/x509.yml 
@@ -1,8 +1,5 @@ --- - name: x509 - reusable: - expected: - - threat.enrichments fields: - name: issuer.distinguished_name diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 026554ac85..c02f77d4c1 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -5844,6 +5844,1247 @@ \ \"endpoint denial of service\")." type: group fields: + - name: enrichments + level: extended + type: nested + description: A list of associated indicators enriching the event, and the context + of that association/enrichment. + default_field: false + - name: enrichments.as.number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + default_field: false + - name: enrichments.as.organization.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Organization name. + example: Google LLC + default_field: false + - name: enrichments.event.action + level: core + type: keyword + ignore_above: 1024 + description: 'The action captured by the event. + + This describes the information in the event. It is more specific than `event.category`. + Examples are `group-add`, `process-started`, `file-created`. The value is + normally defined by the implementer.' + example: user-password-change + default_field: false + - name: enrichments.event.agent_id_status + level: extended + type: keyword + ignore_above: 1024 + description: 'Agents are normally responsible for populating the `agent.id` + field value. If the system receiving events is capable of validating the value + based on authentication information for the client then this field can be + used to reflect the outcome of that validation. + + For example if the agent''s connection is authenticated with mTLS and the + client cert contains the ID of the agent to which the cert was issued then + the `agent.id` value in events can be checked against the certificate. If + the values match then `event.agent_id_status: verified` is added to the event, + otherwise one of the other allowed values should be used. + + If no validation is performed then the field should be omitted. 
+ + The allowed values are: + + `verified` - The `agent.id` field value matches expected value obtained from + auth metadata. + + `mismatch` - The `agent.id` field value does not match the expected value + obtained from auth metadata. + + `missing` - There was no `agent.id` field in the event to validate. + + `auth_metadata_missing` - There was no auth metadata or it was missing information + about the agent ID.' + example: verified + default_field: false + - name: enrichments.event.category + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + second level in the ECS category hierarchy. + + `event.category` represents the "big buckets" of ECS categories. For example, + filtering on `event.category:process` yields all events relating to process + activity. This field is closely related to `event.type`, which is used as + a subcategory. + + This field is an array. This will allow proper categorization of some events + that fall in multiple categories.' + example: authentication + default_field: false + - name: enrichments.event.code + level: extended + type: keyword + ignore_above: 1024 + description: 'Identification code for this event, if one exists. + + Some event sources use event codes to identify messages unambiguously, regardless + of message language or wording adjustments over time. An example of this is + the Windows Event ID.' + example: 4648 + default_field: false + - name: enrichments.event.created + level: core + type: date + description: 'event.created contains the date/time when the event was first + read by an agent, or by your pipeline. + + This field is distinct from @timestamp in that @timestamp typically contain + the time extracted from the original event. + + In most situations, these two timestamps will be slightly different. 
The difference + can be used to calculate the delay between your source generating an event, + and the time when your agent first processed it. This can be used to monitor + your agent''s or pipeline''s ability to keep up with your event source. + + In case the two timestamps are identical, @timestamp should be used.' + example: '2016-05-23T08:05:34.857Z' + default_field: false + - name: enrichments.event.dataset + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the dataset. + + If an event source publishes more than one type of log or events (e.g. access + log, error log), the dataset is used to specify which one the event comes + from. + + It''s recommended but not required to start the dataset name with the module + name, followed by a dot, then the dataset name.' + example: apache.access + default_field: false + - name: enrichments.event.duration + level: core + type: long + format: duration + input_format: nanoseconds + output_format: asMilliseconds + output_precision: 1 + description: 'Duration of the event in nanoseconds. + + If event.start and event.end are known this value should be the difference + between the end and start time.' + default_field: false + - name: enrichments.event.end + level: extended + type: date + description: event.end contains the date when the event ended or when the activity + was last observed. + default_field: false + - name: enrichments.event.hash + level: extended + type: keyword + ignore_above: 1024 + description: Hash (perhaps logstash fingerprint) of raw field to be able to + demonstrate log integrity. + example: 123456789012345678901234567890ABCD + default_field: false + - name: enrichments.event.id + level: core + type: keyword + ignore_above: 1024 + description: Unique ID to describe the event. + example: 8a4f500d + default_field: false + - name: enrichments.event.ingested + level: core + type: date + description: 'Timestamp when an event arrived in the central data store. 
+ + This is different from `@timestamp`, which is when the event originally occurred. It''s + also different from `event.created`, which is meant to capture the first time + an agent saw the event. + + In normal conditions, assuming no tampering, the timestamps should chronologically + look like this: `@timestamp` < `event.created` < `event.ingested`.' + example: '2016-05-23T08:05:35.101Z' + default_field: false + - name: enrichments.event.kind + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + highest level in the ECS category hierarchy. + + `event.kind` gives high-level information about what type of information the + event contains, without being specific to the contents of the event. For example, + values of this field distinguish alert events from metric events. + + The value of this field can be used to inform how these kinds of events should + be handled. They may warrant different retention, different access control, + it may also help understand whether the data coming in at a regular interval + or not.' + example: alert + default_field: false + - name: enrichments.event.module + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the module this data is coming from. + + If your monitoring agent supports the concept of modules or plugins to process + events of a given source (e.g. Apache logs), `event.module` should contain + the name of this module.' + example: apache + default_field: false + - name: enrichments.event.original + level: core + type: keyword + ignore_above: 1024 + description: 'Raw text message of entire event. Used to demonstrate log integrity or + where the full log message (before splitting it up in multiple parts) may + be required, e.g. for reindex. + + This field is not indexed and doc_values are disabled. It cannot be searched, + but it can be retrieved from `_source`. 
If users wish to override this and + index this field, please see `Field data types` in the `Elasticsearch Reference`.' + example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| + worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 + index: false + default_field: false + - name: enrichments.event.outcome + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + lowest level in the ECS category hierarchy. + + `event.outcome` simply denotes whether the event represents a success or a + failure from the perspective of the entity that produced the event. + + Note that when a single transaction is described in multiple events, each + event may populate different values of `event.outcome`, according to their + perspective. + + Also note that in the case of a compound event (a single event that contains + multiple logical events), this field should be populated with the value that + best captures the overall success or failure from the perspective of the event + producer. + + Further note that not all events will have an associated outcome. For example, + this field is generally not populated for metric events, events with `event.type:info`, + or any events for which an outcome does not make logical sense.' + example: success + default_field: false + - name: enrichments.event.provider + level: extended + type: keyword + ignore_above: 1024 + description: 'Source of the event. + + Event transports such as Syslog or the Windows Event Log typically mention + the source of an event. It can be the name of the software that generated + the event (e.g. Sysmon, httpd), or of a subsystem of the operating system + (kernel, Microsoft-Windows-Security-Auditing).' + example: kernel + default_field: false + - name: enrichments.event.reason + level: extended + type: keyword + ignore_above: 1024 + description: 'Reason why this event happened, according to the source. 
+ + This describes the why of a particular action or outcome captured in the event. + Where `event.action` captures the action from the event, `event.reason` describes + why that action was taken. For example, a web proxy with an `event.action` + which denied the request may also populate `event.reason` with the reason + why (e.g. `blocked site`).' + example: Terminated an unexpected process + default_field: false + - name: enrichments.event.reference + level: extended + type: keyword + ignore_above: 1024 + description: 'Reference URL linking to additional information about this event. + + This URL links to a static definition of this event. Alert events, indicated + by `event.kind:alert`, are a common use case for this field.' + example: https://system.example.com/event/#0001234 + default_field: false + - name: enrichments.event.risk_score + level: core + type: float + description: Risk score or priority of the event (e.g. security solutions). + Use your system's original value here. + default_field: false + - name: enrichments.event.risk_score_norm + level: extended + type: float + description: 'Normalized risk score or priority of the event, on a scale of + 0 to 100. + + This is mainly useful if you use more than one system that assigns risk scores, + and you want to see a normalized value across all systems.' + default_field: false + - name: enrichments.event.sequence + level: extended + type: long + format: string + description: 'Sequence number of the event. + + The sequence number is a value published by some event sources, to make the + exact ordering of events unambiguous, regardless of the timestamp precision.' + default_field: false + - name: enrichments.event.severity + level: core + type: long + format: string + description: 'The numeric severity of the event according to your event source. + + What the different severity values mean can be different between sources and + use cases. 
It''s up to the implementer to make sure severities are consistent + across events from the same source. + + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` + is meant to represent the severity according to the event source (e.g. firewall, + IDS). If the event source does not publish its own severity, you may optionally + copy the `log.syslog.severity.code` to `event.severity`.' + example: 7 + default_field: false + - name: enrichments.event.start + level: extended + type: date + description: event.start contains the date when the event started or when the + activity was first observed. + default_field: false + - name: enrichments.event.timezone + level: extended + type: keyword + ignore_above: 1024 + description: 'This field should be populated when the event''s timestamp does + not include timezone information already (e.g. default Syslog timestamps). + It''s optional otherwise. + + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), + abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' + default_field: false + - name: enrichments.event.type + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + third level in the ECS category hierarchy. + + `event.type` represents a categorization "sub-bucket" that, when used along + with the `event.category` field values, enables filtering events down to a + level appropriate for single visualization. + + This field is an array. This will allow proper categorization of some events + that fall in multiple event types.' + default_field: false + - name: enrichments.event.url + level: extended + type: keyword + ignore_above: 1024 + description: 'URL linking to an external system to continue investigation of + this event. + + This URL links to another system where in-depth investigation of the specific + occurrence of this event can take place. 
Alert events, indicated by `event.kind:alert`, + are a common use case for this field.' + example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe + default_field: false + - name: enrichments.file.accessed + level: extended + type: date + description: 'Last time the file was accessed. + + Note that not all filesystems keep track of access time.' + default_field: false + - name: enrichments.file.attributes + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' + example: '["readonly", "system"]' + default_field: false + - name: enrichments.file.code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: enrichments.file.code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + default_field: false + - name: enrichments.file.code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' 
+ example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: enrichments.file.code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: enrichments.file.code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + default_field: false + - name: enrichments.file.code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: enrichments.file.code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false + - name: enrichments.file.created + level: extended + type: date + description: 'File creation time. + + Note that not all filesystems store the creation time.' + default_field: false + - name: enrichments.file.ctime + level: extended + type: date + description: 'Last time the file attributes or metadata changed. + + Note that changes to the file content will update `mtime`. This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' + default_field: false + - name: enrichments.file.device + level: extended + type: keyword + ignore_above: 1024 + description: Device that is the source of the file. 
+ example: sda + default_field: false + - name: enrichments.file.directory + level: extended + type: keyword + ignore_above: 1024 + description: Directory where the file is located. It should include the drive + letter, when appropriate. + example: /home/alice + default_field: false + - name: enrichments.file.drive_letter + level: extended + type: keyword + ignore_above: 1 + description: 'Drive letter where the file is located. This field is only relevant + on Windows. + + The value should be uppercase, and not include the colon.' + example: C + default_field: false + - name: enrichments.file.elf.architecture + level: extended + type: keyword + ignore_above: 1024 + description: Machine architecture of the ELF file. + example: x86-64 + default_field: false + - name: enrichments.file.elf.byte_order + level: extended + type: keyword + ignore_above: 1024 + description: Byte sequence of ELF file. + example: Little Endian + default_field: false + - name: enrichments.file.elf.cpu_type + level: extended + type: keyword + ignore_above: 1024 + description: CPU type of the ELF file. + example: Intel + default_field: false + - name: enrichments.file.elf.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + default_field: false + - name: enrichments.file.elf.exports + level: extended + type: flattened + description: List of exported element names and types. + default_field: false + - name: enrichments.file.elf.header.abi_version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF Application Binary Interface (ABI). + default_field: false + - name: enrichments.file.elf.header.class + level: extended + type: keyword + ignore_above: 1024 + description: Header class of the ELF file. 
+ default_field: false + - name: enrichments.file.elf.header.data + level: extended + type: keyword + ignore_above: 1024 + description: Data table of the ELF header. + default_field: false + - name: enrichments.file.elf.header.entrypoint + level: extended + type: long + format: string + description: Header entrypoint of the ELF file. + default_field: false + - name: enrichments.file.elf.header.object_version + level: extended + type: keyword + ignore_above: 1024 + description: '"0x1" for original ELF files.' + default_field: false + - name: enrichments.file.elf.header.os_abi + level: extended + type: keyword + ignore_above: 1024 + description: Application Binary Interface (ABI) of the Linux OS. + default_field: false + - name: enrichments.file.elf.header.type + level: extended + type: keyword + ignore_above: 1024 + description: Header type of the ELF file. + default_field: false + - name: enrichments.file.elf.header.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF header. + default_field: false + - name: enrichments.file.elf.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: enrichments.file.elf.sections + level: extended + type: nested + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + default_field: false + - name: enrichments.file.elf.sections.chi2 + level: extended + type: long + format: number + description: Chi-square probability distribution of the section. + default_field: false + - name: enrichments.file.elf.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. 
+ default_field: false + - name: enrichments.file.elf.sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List flags. + default_field: false + - name: enrichments.file.elf.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List name. + default_field: false + - name: enrichments.file.elf.sections.physical_offset + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List offset. + default_field: false + - name: enrichments.file.elf.sections.physical_size + level: extended + type: long + format: bytes + description: ELF Section List physical size. + default_field: false + - name: enrichments.file.elf.sections.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List type. + default_field: false + - name: enrichments.file.elf.sections.virtual_address + level: extended + type: long + format: string + description: ELF Section List virtual address. + default_field: false + - name: enrichments.file.elf.sections.virtual_size + level: extended + type: long + format: string + description: ELF Section List virtual size. + default_field: false + - name: enrichments.file.elf.segments + level: extended + type: nested + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + default_field: false + - name: enrichments.file.elf.segments.sections + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment sections. + default_field: false + - name: enrichments.file.elf.segments.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment type. + default_field: false + - name: enrichments.file.elf.shared_libraries + level: extended + type: keyword + ignore_above: 1024 + description: List of shared libraries used by this ELF object. 
+ default_field: false + - name: enrichments.file.elf.telfhash + level: extended + type: keyword + ignore_above: 1024 + description: telfhash symbol hash for ELF file. + default_field: false + - name: enrichments.file.extension + level: extended + type: keyword + ignore_above: 1024 + description: 'File extension, excluding the leading dot. + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png + default_field: false + - name: enrichments.file.gid + level: extended + type: keyword + ignore_above: 1024 + description: Primary group ID (GID) of the file. + example: '1001' + default_field: false + - name: enrichments.file.group + level: extended + type: keyword + ignore_above: 1024 + description: Primary group name of the file. + example: alice + default_field: false + - name: enrichments.file.inode + level: extended + type: keyword + ignore_above: 1024 + description: Inode representing the file in the filesystem. + example: '256383' + default_field: false + - name: enrichments.file.mime_type + level: extended + type: keyword + ignore_above: 1024 + description: MIME type should identify the format of the file or stream of bytes + using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA + official types], where possible. When more than one type is applicable, the + most specific type should be used. + default_field: false + - name: enrichments.file.mode + level: extended + type: keyword + ignore_above: 1024 + description: Mode of the file in octal representation. + example: '0640' + default_field: false + - name: enrichments.file.mtime + level: extended + type: date + description: Last time the file content was modified. + default_field: false + - name: enrichments.file.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the file including the extension, without the directory. 
+ example: example.png + default_field: false + - name: enrichments.file.owner + level: extended + type: keyword + ignore_above: 1024 + description: File owner's username. + example: alice + default_field: false + - name: enrichments.file.path + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png + default_field: false + - name: enrichments.file.size + level: extended + type: long + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + default_field: false + - name: enrichments.file.target_path + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Target path for symlinks. + default_field: false + - name: enrichments.file.type + level: extended + type: keyword + ignore_above: 1024 + description: File type (file, dir, or symlink). + example: file + default_field: false + - name: enrichments.file.uid + level: extended + type: keyword + ignore_above: 1024 + description: The user ID (UID) or security identifier (SID) of the file owner. + example: '1001' + default_field: false + - name: enrichments.geo.city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + default_field: false + - name: enrichments.geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false + - name: enrichments.geo.continent_name + level: core + type: keyword + ignore_above: 1024 + description: Name of the continent. + example: North America + default_field: false + - name: enrichments.geo.country_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Country ISO code. 
+ example: CA + default_field: false + - name: enrichments.geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + default_field: false + - name: enrichments.geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + default_field: false + - name: enrichments.geo.name + level: extended + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + default_field: false + - name: enrichments.geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false + - name: enrichments.geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + default_field: false + - name: enrichments.geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec + default_field: false + - name: enrichments.geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false + - name: enrichments.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: enrichments.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. 
+ default_field: false + - name: enrichments.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: enrichments.hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: enrichments.hash.ssdeep + level: extended + type: keyword + ignore_above: 1024 + description: SSDEEP hash. + default_field: false + - name: enrichments.matched.atomic + level: extended + type: keyword + ignore_above: 1024 + description: Identifies the atomic indicator value that matched a local environment + endpoint or network event. + example: bad-domain.com + default_field: false + - name: enrichments.matched.field + level: extended + type: keyword + ignore_above: 1024 + description: Identifies the field of the atomic indicator that matched a local + environment endpoint or network event. + example: file.hash.sha256 + default_field: false + - name: enrichments.matched.id + level: extended + type: keyword + ignore_above: 1024 + description: Identifies the _id of the indicator document enriching the event. + example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 + default_field: false + - name: enrichments.matched.index + level: extended + type: keyword + ignore_above: 1024 + description: Identifies the _index of the indicator document enriching the event. + example: filebeat-8.0.0-2021.05.23-000011 + default_field: false + - name: enrichments.matched.type + level: extended + type: keyword + ignore_above: 1024 + description: Identifies the type of match that caused the event to be enriched + with the given indicator + example: indicator_match_rule + default_field: false + - name: enrichments.url.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Domain of the url, such as "www.elastic.co". + + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field. 
+ + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC + 2732), the `[` and `]` characters should also be captured in the `domain` + field.' + example: www.elastic.co + default_field: false + - name: enrichments.url.extension + level: extended + type: keyword + ignore_above: 1024 + description: 'The field contains the file extension from the original request + url, excluding the leading dot. + + The file extension is only set if it exists, as not every url has a file extension. + + The leading period must not be included. For example, the value must be "png", + not ".png". + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png + default_field: false + - name: enrichments.url.fragment + level: extended + type: keyword + ignore_above: 1024 + description: 'Portion of the url after the `#`, such as "top". + + The `#` is not part of the fragment.' + default_field: false + - name: enrichments.url.full + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: If full URLs are important to your use case, they should be stored + in `url.full`, whether this field is reconstructed or present in the event + source. + example: https://www.elastic.co:443/search?q=elasticsearch#top + default_field: false + - name: enrichments.url.original + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Unmodified original url as seen in the event source. + + Note that in network monitoring, the observed URL may be a full URL, whereas + in access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' 
+ example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + default_field: false + - name: enrichments.url.password + level: extended + type: keyword + ignore_above: 1024 + description: Password of the request. + default_field: false + - name: enrichments.url.path + level: extended + type: keyword + ignore_above: 1024 + description: Path of the request, such as "/search". + default_field: false + - name: enrichments.url.port + level: extended + type: long + format: string + description: Port of the request, such as 443. + example: 443 + default_field: false + - name: enrichments.url.query + level: extended + type: keyword + ignore_above: 1024 + description: 'The query field describes the query string of the request, such + as "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there + is no query field. If there is a `?` but no query, the query field exists + with an empty string. The `exists` query can be used to differentiate between + the two cases.' + default_field: false + - name: enrichments.url.registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered url domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + default_field: false + - name: enrichments.url.scheme + level: extended + type: keyword + ignore_above: 1024 + description: 'Scheme of the request, such as "https". + + Note: The `:` is not part of the scheme.' 
+ example: https + default_field: false + - name: enrichments.url.subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false + - name: enrichments.url.top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + default_field: false + - name: enrichments.url.username + level: extended + type: keyword + ignore_above: 1024 + description: Username of the request. + default_field: false + - name: enrichments.x509.alternative_names + level: extended + type: keyword + ignore_above: 1024 + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' + default_field: false + - name: enrichments.x509.issuer.common_name + level: extended + type: keyword + ignore_above: 1024 + description: List of common name (CN) of issuing certificate authority. 
+ example: Example SHA2 High Assurance Server CA + default_field: false + - name: enrichments.x509.issuer.country + level: extended + type: keyword + ignore_above: 1024 + description: List of country (C) codes + example: US + default_field: false + - name: enrichments.x509.issuer.distinguished_name + level: extended + type: keyword + ignore_above: 1024 + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + default_field: false + - name: enrichments.x509.issuer.locality + level: extended + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: Mountain View + default_field: false + - name: enrichments.x509.issuer.organization + level: extended + type: keyword + ignore_above: 1024 + description: List of organizations (O) of issuing certificate authority. + example: Example Inc + default_field: false + - name: enrichments.x509.issuer.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of issuing certificate authority. + example: www.example.com + default_field: false + - name: enrichments.x509.issuer.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California + default_field: false + - name: enrichments.x509.not_after + level: extended + type: date + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + default_field: false + - name: enrichments.x509.not_before + level: extended + type: date + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + default_field: false + - name: enrichments.x509.public_key_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Algorithm used to generate the public key. 
+ example: RSA + default_field: false + - name: enrichments.x509.public_key_curve + level: extended + type: keyword + ignore_above: 1024 + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 + default_field: false + - name: enrichments.x509.public_key_exponent + level: extended + type: long + description: Exponent used to derive the public key. This is algorithm specific. + example: 65537 + index: false + default_field: false + - name: enrichments.x509.public_key_size + level: extended + type: long + description: The size of the public key space in bits. + example: 2048 + default_field: false + - name: enrichments.x509.serial_number + level: extended + type: keyword + ignore_above: 1024 + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + default_field: false + - name: enrichments.x509.signature_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA + default_field: false + - name: enrichments.x509.subject.common_name + level: extended + type: keyword + ignore_above: 1024 + description: List of common names (CN) of subject. + example: shared.global.example.net + default_field: false + - name: enrichments.x509.subject.country + level: extended + type: keyword + ignore_above: 1024 + description: List of country (C) code + example: US + default_field: false + - name: enrichments.x509.subject.distinguished_name + level: extended + type: keyword + ignore_above: 1024 + description: Distinguished name (DN) of the certificate subject entity. 
+ example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + default_field: false + - name: enrichments.x509.subject.locality + level: extended + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: San Francisco + default_field: false + - name: enrichments.x509.subject.organization + level: extended + type: keyword + ignore_above: 1024 + description: List of organizations (O) of subject. + example: Example, Inc. + default_field: false + - name: enrichments.x509.subject.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of subject. + default_field: false + - name: enrichments.x509.subject.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California + default_field: false + - name: enrichments.x509.version_number + level: extended + type: keyword + ignore_above: 1024 + description: Version of x509 format. + example: 3 + default_field: false - name: framework level: extended type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index c09e623f97..d6cde32c00 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -666,6 +666,156 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,source,source.user.name.text,text,core,,albert,Short name or login of the user. 2.0.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 2.0.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. +2.0.0-dev,true,threat,threat.enrichments,nested,extended,,,List of indicators enriching the event. +2.0.0-dev,true,threat,threat.enrichments.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +2.0.0-dev,true,threat,threat.enrichments.as.organization.name,keyword,extended,,Google LLC,Organization name. +2.0.0-dev,true,threat,threat.enrichments.as.organization.name.text,text,extended,,Google LLC,Organization name. +2.0.0-dev,true,threat,threat.enrichments.event.action,keyword,core,,user-password-change,The action captured by the event. +2.0.0-dev,true,threat,threat.enrichments.event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field. +2.0.0-dev,true,threat,threat.enrichments.event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. +2.0.0-dev,true,threat,threat.enrichments.event.code,keyword,extended,,4648,Identification code for this event. +2.0.0-dev,true,threat,threat.enrichments.event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. +2.0.0-dev,true,threat,threat.enrichments.event.dataset,keyword,core,,apache.access,Name of the dataset. +2.0.0-dev,true,threat,threat.enrichments.event.duration,long,core,,,Duration of the event in nanoseconds. +2.0.0-dev,true,threat,threat.enrichments.event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. 
+2.0.0-dev,true,threat,threat.enrichments.event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. +2.0.0-dev,true,threat,threat.enrichments.event.id,keyword,core,,8a4f500d,Unique ID to describe the event. +2.0.0-dev,true,threat,threat.enrichments.event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. +2.0.0-dev,true,threat,threat.enrichments.event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. +2.0.0-dev,true,threat,threat.enrichments.event.module,keyword,core,,apache,Name of the module this data is coming from. +2.0.0-dev,false,threat,threat.enrichments.event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. +2.0.0-dev,true,threat,threat.enrichments.event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. +2.0.0-dev,true,threat,threat.enrichments.event.provider,keyword,extended,,kernel,Source of the event. +2.0.0-dev,true,threat,threat.enrichments.event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" +2.0.0-dev,true,threat,threat.enrichments.event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL +2.0.0-dev,true,threat,threat.enrichments.event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +2.0.0-dev,true,threat,threat.enrichments.event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). +2.0.0-dev,true,threat,threat.enrichments.event.sequence,long,extended,,,Sequence number of the event. 
+2.0.0-dev,true,threat,threat.enrichments.event.severity,long,core,,7,Numeric severity of the event. +2.0.0-dev,true,threat,threat.enrichments.event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. +2.0.0-dev,true,threat,threat.enrichments.event.timezone,keyword,extended,,,Event time zone. +2.0.0-dev,true,threat,threat.enrichments.event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. +2.0.0-dev,true,threat,threat.enrichments.event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL +2.0.0-dev,true,threat,threat.enrichments.file.accessed,date,extended,,,Last time the file was accessed. +2.0.0-dev,true,threat,threat.enrichments.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +2.0.0-dev,true,threat,threat.enrichments.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +2.0.0-dev,true,threat,threat.enrichments.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +2.0.0-dev,true,threat,threat.enrichments.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +2.0.0-dev,true,threat,threat.enrichments.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +2.0.0-dev,true,threat,threat.enrichments.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +2.0.0-dev,true,threat,threat.enrichments.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +2.0.0-dev,true,threat,threat.enrichments.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 
+2.0.0-dev,true,threat,threat.enrichments.file.created,date,extended,,,File creation time. +2.0.0-dev,true,threat,threat.enrichments.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +2.0.0-dev,true,threat,threat.enrichments.file.device,keyword,extended,,sda,Device that is the source of the file. +2.0.0-dev,true,threat,threat.enrichments.file.directory,keyword,extended,,/home/alice,Directory where the file is located. +2.0.0-dev,true,threat,threat.enrichments.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +2.0.0-dev,true,threat,threat.enrichments.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +2.0.0-dev,true,threat,threat.enrichments.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +2.0.0-dev,true,threat,threat.enrichments.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +2.0.0-dev,true,threat,threat.enrichments.file.elf.creation_date,date,extended,,,Build or compile date. +2.0.0-dev,true,threat,threat.enrichments.file.elf.exports,flattened,extended,array,,List of exported element names and types. +2.0.0-dev,true,threat,threat.enrichments.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +2.0.0-dev,true,threat,threat.enrichments.file.elf.header.class,keyword,extended,,,Header class of the ELF file. +2.0.0-dev,true,threat,threat.enrichments.file.elf.header.data,keyword,extended,,,Data table of the ELF header. +2.0.0-dev,true,threat,threat.enrichments.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +2.0.0-dev,true,threat,threat.enrichments.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +2.0.0-dev,true,threat,threat.enrichments.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. 
+2.0.0-dev,true,threat,threat.enrichments.file.elf.header.type,keyword,extended,,,Header type of the ELF file. +2.0.0-dev,true,threat,threat.enrichments.file.elf.header.version,keyword,extended,,,Version of the ELF header. +2.0.0-dev,true,threat,threat.enrichments.file.elf.imports,flattened,extended,array,,List of imported element names and types. +2.0.0-dev,true,threat,threat.enrichments.file.elf.sections,nested,extended,array,,Section information of the ELF file. +2.0.0-dev,true,threat,threat.enrichments.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +2.0.0-dev,true,threat,threat.enrichments.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +2.0.0-dev,true,threat,threat.enrichments.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +2.0.0-dev,true,threat,threat.enrichments.file.elf.sections.name,keyword,extended,,,ELF Section List name. +2.0.0-dev,true,threat,threat.enrichments.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +2.0.0-dev,true,threat,threat.enrichments.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +2.0.0-dev,true,threat,threat.enrichments.file.elf.sections.type,keyword,extended,,,ELF Section List type. +2.0.0-dev,true,threat,threat.enrichments.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +2.0.0-dev,true,threat,threat.enrichments.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +2.0.0-dev,true,threat,threat.enrichments.file.elf.segments,nested,extended,array,,ELF object segment list. +2.0.0-dev,true,threat,threat.enrichments.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +2.0.0-dev,true,threat,threat.enrichments.file.elf.segments.type,keyword,extended,,,ELF object segment type. 
+2.0.0-dev,true,threat,threat.enrichments.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +2.0.0-dev,true,threat,threat.enrichments.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +2.0.0-dev,true,threat,threat.enrichments.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +2.0.0-dev,true,threat,threat.enrichments.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +2.0.0-dev,true,threat,threat.enrichments.file.group,keyword,extended,,alice,Primary group name of the file. +2.0.0-dev,true,threat,threat.enrichments.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +2.0.0-dev,true,threat,threat.enrichments.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +2.0.0-dev,true,threat,threat.enrichments.file.mode,keyword,extended,,0640,Mode of the file in octal representation. +2.0.0-dev,true,threat,threat.enrichments.file.mtime,date,extended,,,Last time the file content was modified. +2.0.0-dev,true,threat,threat.enrichments.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +2.0.0-dev,true,threat,threat.enrichments.file.owner,keyword,extended,,alice,File owner's username. +2.0.0-dev,true,threat,threat.enrichments.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +2.0.0-dev,true,threat,threat.enrichments.file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +2.0.0-dev,true,threat,threat.enrichments.file.size,long,extended,,16384,File size in bytes. +2.0.0-dev,true,threat,threat.enrichments.file.target_path,keyword,extended,,,Target path for symlinks. +2.0.0-dev,true,threat,threat.enrichments.file.target_path.text,text,extended,,,Target path for symlinks. 
+2.0.0-dev,true,threat,threat.enrichments.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +2.0.0-dev,true,threat,threat.enrichments.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +2.0.0-dev,true,threat,threat.enrichments.geo.city_name,keyword,core,,Montreal,City name. +2.0.0-dev,true,threat,threat.enrichments.geo.continent_code,keyword,core,,NA,Continent code. +2.0.0-dev,true,threat,threat.enrichments.geo.continent_name,keyword,core,,North America,Name of the continent. +2.0.0-dev,true,threat,threat.enrichments.geo.country_iso_code,keyword,core,,CA,Country ISO code. +2.0.0-dev,true,threat,threat.enrichments.geo.country_name,keyword,core,,Canada,Country name. +2.0.0-dev,true,threat,threat.enrichments.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +2.0.0-dev,true,threat,threat.enrichments.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +2.0.0-dev,true,threat,threat.enrichments.geo.postal_code,keyword,core,,94040,Postal code. +2.0.0-dev,true,threat,threat.enrichments.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +2.0.0-dev,true,threat,threat.enrichments.geo.region_name,keyword,core,,Quebec,Region name. +2.0.0-dev,true,threat,threat.enrichments.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +2.0.0-dev,true,threat,threat.enrichments.hash.md5,keyword,extended,,,MD5 hash. +2.0.0-dev,true,threat,threat.enrichments.hash.sha1,keyword,extended,,,SHA1 hash. +2.0.0-dev,true,threat,threat.enrichments.hash.sha256,keyword,extended,,,SHA256 hash. +2.0.0-dev,true,threat,threat.enrichments.hash.sha512,keyword,extended,,,SHA512 hash. +2.0.0-dev,true,threat,threat.enrichments.hash.ssdeep,keyword,extended,,,SSDEEP hash. 
+2.0.0-dev,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value +2.0.0-dev,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field +2.0.0-dev,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier +2.0.0-dev,true,threat,threat.enrichments.matched.index,keyword,extended,,filebeat-8.0.0-2021.05.23-000011,Matched indicator index +2.0.0-dev,true,threat,threat.enrichments.matched.type,keyword,extended,,indicator_match_rule,Type of indicator match +2.0.0-dev,true,threat,threat.enrichments.url.domain,keyword,extended,,www.elastic.co,Domain of the url. +2.0.0-dev,true,threat,threat.enrichments.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +2.0.0-dev,true,threat,threat.enrichments.url.fragment,keyword,extended,,,Portion of the url after the `#`. +2.0.0-dev,true,threat,threat.enrichments.url.full,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +2.0.0-dev,true,threat,threat.enrichments.url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +2.0.0-dev,true,threat,threat.enrichments.url.original,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +2.0.0-dev,true,threat,threat.enrichments.url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +2.0.0-dev,true,threat,threat.enrichments.url.password,keyword,extended,,,Password of the request. +2.0.0-dev,true,threat,threat.enrichments.url.path,keyword,extended,,,"Path of the request, such as ""/search""." +2.0.0-dev,true,threat,threat.enrichments.url.port,long,extended,,443,"Port of the request, such as 443." 
+2.0.0-dev,true,threat,threat.enrichments.url.query,keyword,extended,,,Query string of the request. +2.0.0-dev,true,threat,threat.enrichments.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +2.0.0-dev,true,threat,threat.enrichments.url.scheme,keyword,extended,,https,Scheme of the url. +2.0.0-dev,true,threat,threat.enrichments.url.subdomain,keyword,extended,,east,The subdomain of the domain. +2.0.0-dev,true,threat,threat.enrichments.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +2.0.0-dev,true,threat,threat.enrichments.url.username,keyword,extended,,,Username of the request. +2.0.0-dev,true,threat,threat.enrichments.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +2.0.0-dev,true,threat,threat.enrichments.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +2.0.0-dev,true,threat,threat.enrichments.x509.issuer.country,keyword,extended,array,US,List of country (C) codes +2.0.0-dev,true,threat,threat.enrichments.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +2.0.0-dev,true,threat,threat.enrichments.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +2.0.0-dev,true,threat,threat.enrichments.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +2.0.0-dev,true,threat,threat.enrichments.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
+2.0.0-dev,true,threat,threat.enrichments.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +2.0.0-dev,true,threat,threat.enrichments.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. +2.0.0-dev,true,threat,threat.enrichments.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +2.0.0-dev,true,threat,threat.enrichments.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +2.0.0-dev,true,threat,threat.enrichments.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +2.0.0-dev,false,threat,threat.enrichments.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +2.0.0-dev,true,threat,threat.enrichments.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +2.0.0-dev,true,threat,threat.enrichments.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +2.0.0-dev,true,threat,threat.enrichments.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +2.0.0-dev,true,threat,threat.enrichments.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +2.0.0-dev,true,threat,threat.enrichments.x509.subject.country,keyword,extended,array,US,List of country (C) code +2.0.0-dev,true,threat,threat.enrichments.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
+2.0.0-dev,true,threat,threat.enrichments.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +2.0.0-dev,true,threat,threat.enrichments.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +2.0.0-dev,true,threat,threat.enrichments.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +2.0.0-dev,true,threat,threat.enrichments.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +2.0.0-dev,true,threat,threat.enrichments.x509.version_number,keyword,extended,,3,Version of x509 format. 2.0.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. 2.0.0-dev,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group. 2.0.0-dev,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index c17fda8fa0..5a75f71ae0 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -8533,6 +8533,2346 @@ tags: - array short: List of keywords used to tag each event. type: keyword +threat.enrichments: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments + description: A list of associated indicators enriching the event, and the context + of that association/enrichment. + flat_name: threat.enrichments + level: extended + name: enrichments + normalize: [] + short: List of indicators enriching the event. + type: nested +threat.enrichments.as.number: + dashed_name: threat-enrichments-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: threat.enrichments.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long +threat.enrichments.as.organization.name: + dashed_name: threat-enrichments-as-organization-name + description: Organization name. + example: Google LLC + flat_name: threat.enrichments.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: threat.enrichments.as.organization.name.text + name: text + norms: false + type: text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword +threat.enrichments.event.action: + dashed_name: threat-enrichments-event-action + description: 'The action captured by the event. + + This describes the information in the event. It is more specific than `event.category`. + Examples are `group-add`, `process-started`, `file-created`. The value is normally + defined by the implementer.' + example: user-password-change + flat_name: threat.enrichments.event.action + ignore_above: 1024 + level: core + name: action + normalize: [] + original_fieldset: event + short: The action captured by the event. 
+ type: keyword +threat.enrichments.event.agent_id_status: + dashed_name: threat-enrichments-event-agent-id-status + description: 'Agents are normally responsible for populating the `agent.id` field + value. If the system receiving events is capable of validating the value based + on authentication information for the client then this field can be used to reflect + the outcome of that validation. + + For example if the agent''s connection is authenticated with mTLS and the client + cert contains the ID of the agent to which the cert was issued then the `agent.id` + value in events can be checked against the certificate. If the values match then + `event.agent_id_status: verified` is added to the event, otherwise one of the + other allowed values should be used. + + If no validation is performed then the field should be omitted. + + The allowed values are: + + `verified` - The `agent.id` field value matches expected value obtained from auth + metadata. + + `mismatch` - The `agent.id` field value does not match the expected value obtained + from auth metadata. + + `missing` - There was no `agent.id` field in the event to validate. + + `auth_metadata_missing` - There was no auth metadata or it was missing information + about the agent ID.' + example: verified + flat_name: threat.enrichments.event.agent_id_status + ignore_above: 1024 + level: extended + name: agent_id_status + normalize: [] + original_fieldset: event + short: Validation status of the event's agent.id field. + type: keyword +threat.enrichments.event.category: + allowed_values: + - description: Events in this category are related to the challenge and response + process in which credentials are supplied and verified to allow the creation + of a session. Common sources for these logs are Windows event logs and ssh logs. + Visualize and analyze events in this category to look for failed logins, and + other authentication-related activity. 
+ expected_event_types: + - start + - end + - info + name: authentication + - description: 'Events in the configuration category have to deal with creating, + modifying, or deleting the settings or parameters of an application, process, + or system. + + Example sources include security policy change logs, configuration auditing + logging, and system integrity monitoring.' + expected_event_types: + - access + - change + - creation + - deletion + - info + name: configuration + - description: The database category denotes events and metrics relating to a data + storage and retrieval system. Note that use of this category is not limited + to relational database systems. Examples include event logs from MS SQL, MySQL, + Elasticsearch, MongoDB, etc. Use this category to visualize and analyze database + activity such as accesses and changes. + expected_event_types: + - access + - change + - info + - error + name: database + - description: 'Events in the driver category have to do with operating system device + drivers and similar software entities such as Windows drivers, kernel extensions, + kernel modules, etc. + + Use events and metrics in this category to visualize and analyze driver-related + activity and status on hosts.' + expected_event_types: + - change + - end + - info + - start + name: driver + - description: Relating to a set of information that has been created on, or has + existed on a filesystem. Use this category of events to visualize and analyze + the creation, access, and deletions of files. Events in this category can come + from both host-based and network-based sources. An example source of a network-based + detection of a file transfer would be the Zeek file.log. + expected_event_types: + - change + - creation + - deletion + - info + name: file + - description: 'Use this category to visualize and analyze information such as host + inventory or host lifecycle events. 
+ + Most of the events in this category can usually be observed from the outside, + such as from a hypervisor or a control plane''s point of view. Some can also + be seen from within, such as "start" or "end". + + Note that this category is for information about hosts themselves; it is not + meant to capture activity "happening on a host".' + expected_event_types: + - access + - change + - end + - info + - start + name: host + - description: Identity and access management (IAM) events relating to users, groups, + and administration. Use this category to visualize and analyze IAM-related logs + and data from active directory, LDAP, Okta, Duo, and other IAM systems. + expected_event_types: + - admin + - change + - creation + - deletion + - group + - info + - user + name: iam + - description: Relating to intrusion detections from IDS/IPS systems and functions, + both network and host-based. Use this category to visualize and analyze intrusion + detection alerts from systems such as Snort, Suricata, and Palo Alto threat + detections. + expected_event_types: + - allowed + - denied + - info + name: intrusion_detection + - description: Malware detection events and alerts. Use this category to visualize + and analyze malware detections from EDR/EPP systems such as Elastic Endpoint + Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS systems + such as Suricata, or other sources of malware-related events such as Palo Alto + Networks threat logs and Wildfire logs. + expected_event_types: + - info + name: malware + - description: Relating to all network activity, including network connection lifecycle, + network traffic, and essentially any event that includes an IP address. Many + events containing decoded network protocol transactions fit into this category. + Use events in this category to visualize or analyze counts of network ports, + protocols, addresses, geolocation information, etc. 
+ expected_event_types: + - access + - allowed + - connection + - denied + - end + - info + - protocol + - start + name: network + - description: Relating to software packages installed on hosts. Use this category + to visualize and analyze inventory of software installed on various hosts, or + to determine host vulnerability in the absence of vulnerability scan data. + expected_event_types: + - access + - change + - deletion + - info + - installation + - start + name: package + - description: Use this category of events to visualize and analyze process-specific + information such as lifecycle events or process ancestry. + expected_event_types: + - access + - change + - end + - info + - start + name: process + - description: Having to do with settings and assets stored in the Windows registry. + Use this category to visualize and analyze activity such as registry access + and modifications. + expected_event_types: + - access + - change + - creation + - deletion + name: registry + - description: The session category is applied to events and metrics regarding logical + persistent connections to hosts and services. Use this category to visualize + and analyze interactive or automated persistent connections between assets. + Data for this category may come from Windows Event logs, SSH logs, or stateless + sessions such as HTTP cookie-based sessions, etc. + expected_event_types: + - start + - end + - info + name: session + - description: 'Relating to web server access. Use this category to create a dashboard + of web server/proxy activity from apache, IIS, nginx web servers, etc. Note: + events from network observers such as Zeek http log may also be included in + this category.' + expected_event_types: + - access + - error + - info + name: web + dashed_name: threat-enrichments-event-category + description: 'This is one of four ECS Categorization Fields, and indicates the second + level in the ECS category hierarchy. 
+ + `event.category` represents the "big buckets" of ECS categories. For example, + filtering on `event.category:process` yields all events relating to process activity. + This field is closely related to `event.type`, which is used as a subcategory. + + This field is an array. This will allow proper categorization of some events that + fall in multiple categories.' + example: authentication + flat_name: threat.enrichments.event.category + ignore_above: 1024 + level: core + name: category + normalize: + - array + original_fieldset: event + short: Event category. The second categorization field in the hierarchy. + type: keyword +threat.enrichments.event.code: + dashed_name: threat-enrichments-event-code + description: 'Identification code for this event, if one exists. + + Some event sources use event codes to identify messages unambiguously, regardless + of message language or wording adjustments over time. An example of this is the + Windows Event ID.' + example: 4648 + flat_name: threat.enrichments.event.code + ignore_above: 1024 + level: extended + name: code + normalize: [] + original_fieldset: event + short: Identification code for this event. + type: keyword +threat.enrichments.event.created: + dashed_name: threat-enrichments-event-created + description: 'event.created contains the date/time when the event was first read + by an agent, or by your pipeline. + + This field is distinct from @timestamp in that @timestamp typically contain the + time extracted from the original event. + + In most situations, these two timestamps will be slightly different. The difference + can be used to calculate the delay between your source generating an event, and + the time when your agent first processed it. This can be used to monitor your + agent''s or pipeline''s ability to keep up with your event source. + + In case the two timestamps are identical, @timestamp should be used.' 
+ example: '2016-05-23T08:05:34.857Z' + flat_name: threat.enrichments.event.created + level: core + name: created + normalize: [] + original_fieldset: event + short: Time when the event was first read by an agent or by your pipeline. + type: date +threat.enrichments.event.dataset: + dashed_name: threat-enrichments-event-dataset + description: 'Name of the dataset. + + If an event source publishes more than one type of log or events (e.g. access + log, error log), the dataset is used to specify which one the event comes from. + + It''s recommended but not required to start the dataset name with the module name, + followed by a dot, then the dataset name.' + example: apache.access + flat_name: threat.enrichments.event.dataset + ignore_above: 1024 + level: core + name: dataset + normalize: [] + original_fieldset: event + short: Name of the dataset. + type: keyword +threat.enrichments.event.duration: + dashed_name: threat-enrichments-event-duration + description: 'Duration of the event in nanoseconds. + + If event.start and event.end are known this value should be the difference between + the end and start time.' + flat_name: threat.enrichments.event.duration + format: duration + input_format: nanoseconds + level: core + name: duration + normalize: [] + original_fieldset: event + output_format: asMilliseconds + output_precision: 1 + short: Duration of the event in nanoseconds. + type: long +threat.enrichments.event.end: + dashed_name: threat-enrichments-event-end + description: event.end contains the date when the event ended or when the activity + was last observed. + flat_name: threat.enrichments.event.end + level: extended + name: end + normalize: [] + original_fieldset: event + short: event.end contains the date when the event ended or when the activity was + last observed. 
+ type: date +threat.enrichments.event.hash: + dashed_name: threat-enrichments-event-hash + description: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate + log integrity. + example: 123456789012345678901234567890ABCD + flat_name: threat.enrichments.event.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: event + short: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate + log integrity. + type: keyword +threat.enrichments.event.id: + dashed_name: threat-enrichments-event-id + description: Unique ID to describe the event. + example: 8a4f500d + flat_name: threat.enrichments.event.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: event + short: Unique ID to describe the event. + type: keyword +threat.enrichments.event.ingested: + dashed_name: threat-enrichments-event-ingested + description: 'Timestamp when an event arrived in the central data store. + + This is different from `@timestamp`, which is when the event originally occurred. It''s + also different from `event.created`, which is meant to capture the first time + an agent saw the event. + + In normal conditions, assuming no tampering, the timestamps should chronologically + look like this: `@timestamp` < `event.created` < `event.ingested`.' + example: '2016-05-23T08:05:35.101Z' + flat_name: threat.enrichments.event.ingested + level: core + name: ingested + normalize: [] + original_fieldset: event + short: Timestamp when an event arrived in the central data store. + type: date +threat.enrichments.event.kind: + allowed_values: + - description: 'This value indicates an event that describes an alert or notable + event, triggered by a detection rule. + + `event.kind:alert` is often populated for events coming from firewalls, intrusion + detection systems, endpoint detection and response systems, and so on.' 
+ name: alert + - description: This value is the most general and most common value for this field. + It is used to represent events that indicate that something happened. + name: event + - description: 'This value is used to indicate that this event describes a numeric + measurement taken at given point in time. + + Examples include CPU utilization, memory usage, or device temperature. + + Metric events are often collected on a predictable frequency, such as once every + few seconds, or once a minute, but can also be used to describe ad-hoc numeric + metric queries.' + name: metric + - description: 'The state value is similar to metric, indicating that this event + describes a measurement taken at given point in time, except that the measurement + does not result in a numeric value, but rather one of a fixed set of categorical + values that represent conditions or states. + + Examples include periodic events reporting Elasticsearch cluster state (green/yellow/red), + the state of a TCP connection (open, closed, fin_wait, etc.), the state of a + host with respect to a software vulnerability (vulnerable, not vulnerable), + and the state of a system regarding compliance with a regulatory standard (compliant, + not compliant). + + Note that an event that describes a change of state would not use `event.kind:state`, + but instead would use ''event.kind:event'' since a state change fits the more + general event definition of something that happened. + + State events are often collected on a predictable frequency, such as once every + few seconds, once a minute, once an hour, or once a day, but can also be used + to describe ad-hoc state queries.' + name: state + - description: This value indicates that an error occurred during the ingestion + of this event, and that event data may be missing, inconsistent, or incorrect. + `event.kind:pipeline_error` is often associated with parsing errors. 
+ name: pipeline_error + - description: 'This value is used by the Elastic Security app to denote an Elasticsearch + document that was created by a SIEM detection engine rule. + + A signal will typically trigger a notification that something meaningful happened + and should be investigated. + + Usage of this value is reserved, and pipelines should not populate `event.kind` + with the value "signal".' + name: signal + dashed_name: threat-enrichments-event-kind + description: 'This is one of four ECS Categorization Fields, and indicates the highest + level in the ECS category hierarchy. + + `event.kind` gives high-level information about what type of information the event + contains, without being specific to the contents of the event. For example, values + of this field distinguish alert events from metric events. + + The value of this field can be used to inform how these kinds of events should + be handled. They may warrant different retention, different access control, it + may also help understand whether the data coming in at a regular interval or not.' + example: alert + flat_name: threat.enrichments.event.kind + ignore_above: 1024 + level: core + name: kind + normalize: [] + original_fieldset: event + short: The kind of the event. The highest categorization field in the hierarchy. + type: keyword +threat.enrichments.event.module: + dashed_name: threat-enrichments-event-module + description: 'Name of the module this data is coming from. + + If your monitoring agent supports the concept of modules or plugins to process + events of a given source (e.g. Apache logs), `event.module` should contain the + name of this module.' + example: apache + flat_name: threat.enrichments.event.module + ignore_above: 1024 + level: core + name: module + normalize: [] + original_fieldset: event + short: Name of the module this data is coming from. 
+ type: keyword +threat.enrichments.event.original: + dashed_name: threat-enrichments-event-original + description: 'Raw text message of entire event. Used to demonstrate log integrity or + where the full log message (before splitting it up in multiple parts) may be + required, e.g. for reindex. + + This field is not indexed and doc_values are disabled. It cannot be searched, + but it can be retrieved from `_source`. If users wish to override this and index + this field, please see `Field data types` in the `Elasticsearch Reference`.' + doc_values: false + example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| + worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 + flat_name: threat.enrichments.event.original + ignore_above: 1024 + index: false + level: core + name: original + normalize: [] + original_fieldset: event + short: Raw text message of entire event. + type: keyword +threat.enrichments.event.outcome: + allowed_values: + - description: Indicates that this event describes a failed result. A common example + is `event.category:file AND event.type:access AND event.outcome:failure` to + indicate that a file access was attempted, but was not successful. + name: failure + - description: Indicates that this event describes a successful result. A common + example is `event.category:file AND event.type:create AND event.outcome:success` + to indicate that a file was successfully created. + name: success + - description: Indicates that this event describes only an attempt for which the + result is unknown from the perspective of the event producer. For example, if + the event contains information only about the request side of a transaction + that results in a response, populating `event.outcome:unknown` in the request + event is appropriate. The unknown value should not be used when an outcome doesn't + make logical sense for the event. In such cases `event.outcome` should not be + populated. 
+ name: unknown + dashed_name: threat-enrichments-event-outcome + description: 'This is one of four ECS Categorization Fields, and indicates the lowest + level in the ECS category hierarchy. + + `event.outcome` simply denotes whether the event represents a success or a failure + from the perspective of the entity that produced the event. + + Note that when a single transaction is described in multiple events, each event + may populate different values of `event.outcome`, according to their perspective. + + Also note that in the case of a compound event (a single event that contains multiple + logical events), this field should be populated with the value that best captures + the overall success or failure from the perspective of the event producer. + + Further note that not all events will have an associated outcome. For example, + this field is generally not populated for metric events, events with `event.type:info`, + or any events for which an outcome does not make logical sense.' + example: success + flat_name: threat.enrichments.event.outcome + ignore_above: 1024 + level: core + name: outcome + normalize: [] + original_fieldset: event + short: The outcome of the event. The lowest level categorization field in the hierarchy. + type: keyword +threat.enrichments.event.provider: + dashed_name: threat-enrichments-event-provider + description: 'Source of the event. + + Event transports such as Syslog or the Windows Event Log typically mention the + source of an event. It can be the name of the software that generated the event + (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).' + example: kernel + flat_name: threat.enrichments.event.provider + ignore_above: 1024 + level: extended + name: provider + normalize: [] + original_fieldset: event + short: Source of the event. 
+ type: keyword +threat.enrichments.event.reason: + dashed_name: threat-enrichments-event-reason + description: 'Reason why this event happened, according to the source. + + This describes the why of a particular action or outcome captured in the event. + Where `event.action` captures the action from the event, `event.reason` describes + why that action was taken. For example, a web proxy with an `event.action` which + denied the request may also populate `event.reason` with the reason why (e.g. + `blocked site`).' + example: Terminated an unexpected process + flat_name: threat.enrichments.event.reason + ignore_above: 1024 + level: extended + name: reason + normalize: [] + original_fieldset: event + short: Reason why this event happened, according to the source + type: keyword +threat.enrichments.event.reference: + dashed_name: threat-enrichments-event-reference + description: 'Reference URL linking to additional information about this event. + + This URL links to a static definition of this event. Alert events, indicated by + `event.kind:alert`, are a common use case for this field.' + example: https://system.example.com/event/#0001234 + flat_name: threat.enrichments.event.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: event + short: Event reference URL + type: keyword +threat.enrichments.event.risk_score: + dashed_name: threat-enrichments-event-risk-score + description: Risk score or priority of the event (e.g. security solutions). Use + your system's original value here. + flat_name: threat.enrichments.event.risk_score + level: core + name: risk_score + normalize: [] + original_fieldset: event + short: Risk score or priority of the event (e.g. security solutions). Use your system's + original value here. + type: float +threat.enrichments.event.risk_score_norm: + dashed_name: threat-enrichments-event-risk-score-norm + description: 'Normalized risk score or priority of the event, on a scale of 0 to + 100. 
+ + This is mainly useful if you use more than one system that assigns risk scores, + and you want to see a normalized value across all systems.' + flat_name: threat.enrichments.event.risk_score_norm + level: extended + name: risk_score_norm + normalize: [] + original_fieldset: event + short: Normalized risk score or priority of the event (0-100). + type: float +threat.enrichments.event.sequence: + dashed_name: threat-enrichments-event-sequence + description: 'Sequence number of the event. + + The sequence number is a value published by some event sources, to make the exact + ordering of events unambiguous, regardless of the timestamp precision.' + flat_name: threat.enrichments.event.sequence + format: string + level: extended + name: sequence + normalize: [] + original_fieldset: event + short: Sequence number of the event. + type: long +threat.enrichments.event.severity: + dashed_name: threat-enrichments-event-severity + description: 'The numeric severity of the event according to your event source. + + What the different severity values mean can be different between sources and use + cases. It''s up to the implementer to make sure severities are consistent across + events from the same source. + + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is + meant to represent the severity according to the event source (e.g. firewall, + IDS). If the event source does not publish its own severity, you may optionally + copy the `log.syslog.severity.code` to `event.severity`.' + example: 7 + flat_name: threat.enrichments.event.severity + format: string + level: core + name: severity + normalize: [] + original_fieldset: event + short: Numeric severity of the event. + type: long +threat.enrichments.event.start: + dashed_name: threat-enrichments-event-start + description: event.start contains the date when the event started or when the activity + was first observed. 
+ flat_name: threat.enrichments.event.start + level: extended + name: start + normalize: [] + original_fieldset: event + short: event.start contains the date when the event started or when the activity + was first observed. + type: date +threat.enrichments.event.timezone: + dashed_name: threat-enrichments-event-timezone + description: 'This field should be populated when the event''s timestamp does not + include timezone information already (e.g. default Syslog timestamps). It''s optional + otherwise. + + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated + (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' + flat_name: threat.enrichments.event.timezone + ignore_above: 1024 + level: extended + name: timezone + normalize: [] + original_fieldset: event + short: Event time zone. + type: keyword +threat.enrichments.event.type: + allowed_values: + - description: The access event type is used for the subset of events within a category + that indicate that something was accessed. Common examples include `event.category:database + AND event.type:access`, or `event.category:file AND event.type:access`. Note + for file access, both directory listings and file opens should be included in + this subcategory. You can further distinguish access operations using the ECS + `event.action` field. + name: access + - description: 'The admin event type is used for the subset of events within a category + that are related to admin objects. For example, administrative changes within + an IAM framework that do not specifically affect a user or group (e.g., adding + new applications to a federation solution or connecting discrete forests in + Active Directory) would fall into this subcategory. Common example: `event.category:iam + AND event.type:change AND event.type:admin`. You can further distinguish admin + operations using the ECS `event.action` field.' 
+ name: admin + - description: The allowed event type is used for the subset of events within a + category that indicate that something was allowed. Common examples include `event.category:network + AND event.type:connection AND event.type:allowed` (to indicate a network firewall + event for which the firewall disposition was to allow the connection to complete) + and `event.category:intrusion_detection AND event.type:allowed` (to indicate + a network intrusion prevention system event for which the IPS disposition was + to allow the connection to complete). You can further distinguish allowed operations + using the ECS `event.action` field, populating with values of your choosing, + such as "allow", "detect", or "pass". + name: allowed + - description: The change event type is used for the subset of events within a category + that indicate that something has changed. If semantics best describe an event + as modified, then include them in this subcategory. Common examples include + `event.category:process AND event.type:change`, and `event.category:file AND + event.type:change`. You can further distinguish change operations using the + ECS `event.action` field. + name: change + - description: Used primarily with `event.category:network` this value is used for + the subset of network traffic that includes sufficient information for the event + to be included in flow or connection analysis. Events in this subcategory will + contain at least source and destination IP addresses, source and destination + TCP/UDP ports, and will usually contain counts of bytes and/or packets transferred. + Events in this subcategory may contain unidirectional or bidirectional information, + including summary information. Use this subcategory to visualize and analyze + network connections. Flow analysis, including Netflow, IPFIX, and other flow-related + events fit in this subcategory. 
Note that firewall events from many Next-Generation + Firewall (NGFW) devices will also fit into this subcategory. A common filter + for flow/connection information would be `event.category:network AND event.type:connection + AND event.type:end` (to view or analyze all completed network connections, ignoring + mid-flow reports). You can further distinguish connection events using the ECS + `event.action` field, populating with values of your choosing, such as "timeout", + or "reset". + name: connection + - description: The "creation" event type is used for the subset of events within + a category that indicate that something was created. A common example is `event.category:file + AND event.type:creation`. + name: creation + - description: The deletion event type is used for the subset of events within a + category that indicate that something was deleted. A common example is `event.category:file + AND event.type:deletion` to indicate that a file has been deleted. + name: deletion + - description: The denied event type is used for the subset of events within a category + that indicate that something was denied. Common examples include `event.category:network + AND event.type:denied` (to indicate a network firewall event for which the firewall + disposition was to deny the connection) and `event.category:intrusion_detection + AND event.type:denied` (to indicate a network intrusion prevention system event + for which the IPS disposition was to deny the connection to complete). You can + further distinguish denied operations using the ECS `event.action` field, populating + with values of your choosing, such as "blocked", "dropped", or "quarantined". + name: denied + - description: The end event type is used for the subset of events within a category + that indicate something has ended. A common example is `event.category:process + AND event.type:end`. 
+ name: end + - description: The error event type is used for the subset of events within a category + that indicate or describe an error. A common example is `event.category:database + AND event.type:error`. Note that pipeline errors that occur during the event + ingestion process should not use this `event.type` value. Instead, they should + use `event.kind:pipeline_error`. + name: error + - description: 'The group event type is used for the subset of events within a category + that are related to group objects. Common example: `event.category:iam AND event.type:creation + AND event.type:group`. You can further distinguish group operations using the + ECS `event.action` field.' + name: group + - description: The info event type is used for the subset of events within a category + that indicate that they are purely informational, and don't report a state change, + or any type of action. For example, an initial run of a file integrity monitoring + system (FIM), where an agent reports all files under management, would fall + into the "info" subcategory. Similarly, an event containing a dump of all currently + running processes (as opposed to reporting that a process started/ended) would + fall into the "info" subcategory. An additional common examples is `event.category:intrusion_detection + AND event.type:info`. + name: info + - description: The installation event type is used for the subset of events within + a category that indicate that something was installed. A common example is `event.category:package` + AND `event.type:installation`. + name: installation + - description: The protocol event type is used for the subset of events within a + category that indicate that they contain protocol details or analysis, beyond + simply identifying the protocol. Generally, network events that contain specific + protocol details will fall into this subcategory. 
A common example is `event.category:network + AND event.type:protocol AND event.type:connection AND event.type:end` (to indicate + that the event is a network connection event sent at the end of a connection + that also includes a protocol detail breakdown). Note that events that only + indicate the name or id of the protocol should not use the protocol value. Further + note that when the protocol subcategory is used, the identified protocol is + populated in the ECS `network.protocol` field. + name: protocol + - description: The start event type is used for the subset of events within a category + that indicate something has started. A common example is `event.category:process + AND event.type:start`. + name: start + - description: 'The user event type is used for the subset of events within a category + that are related to user objects. Common example: `event.category:iam AND event.type:deletion + AND event.type:user`. You can further distinguish user operations using the + ECS `event.action` field.' + name: user + dashed_name: threat-enrichments-event-type + description: 'This is one of four ECS Categorization Fields, and indicates the third + level in the ECS category hierarchy. + + `event.type` represents a categorization "sub-bucket" that, when used along with + the `event.category` field values, enables filtering events down to a level appropriate + for single visualization. + + This field is an array. This will allow proper categorization of some events that + fall in multiple event types.' + flat_name: threat.enrichments.event.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: event + short: Event type. The third categorization field in the hierarchy. + type: keyword +threat.enrichments.event.url: + dashed_name: threat-enrichments-event-url + description: 'URL linking to an external system to continue investigation of this + event. 
+ + This URL links to another system where in-depth investigation of the specific + occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, + are a common use case for this field.' + example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe + flat_name: threat.enrichments.event.url + ignore_above: 1024 + level: extended + name: url + normalize: [] + original_fieldset: event + short: Event investigation URL + type: keyword +threat.enrichments.file.accessed: + dashed_name: threat-enrichments-file-accessed + description: 'Last time the file was accessed. + + Note that not all filesystems keep track of access time.' + flat_name: threat.enrichments.file.accessed + level: extended + name: accessed + normalize: [] + original_fieldset: file + short: Last time the file was accessed. + type: date +threat.enrichments.file.attributes: + dashed_name: threat-enrichments-file-attributes + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, execute, + hidden, read, readonly, system, write.' + example: '["readonly", "system"]' + flat_name: threat.enrichments.file.attributes + ignore_above: 1024 + level: extended + name: attributes + normalize: + - array + original_fieldset: file + short: Array of file attributes. + type: keyword +threat.enrichments.file.code_signature.exists: + dashed_name: threat-enrichments-file-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: threat.enrichments.file.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. 
+ type: boolean +threat.enrichments.file.code_signature.signing_id: + dashed_name: threat-enrichments-file-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: threat.enrichments.file.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword +threat.enrichments.file.code_signature.status: + dashed_name: threat-enrichments-file-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: threat.enrichments.file.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword +threat.enrichments.file.code_signature.subject_name: + dashed_name: threat-enrichments-file-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: threat.enrichments.file.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +threat.enrichments.file.code_signature.team_id: + dashed_name: threat-enrichments-file-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' 
+ example: EQHXZ8M8AV + flat_name: threat.enrichments.file.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword +threat.enrichments.file.code_signature.trusted: + dashed_name: threat-enrichments-file-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: threat.enrichments.file.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +threat.enrichments.file.code_signature.valid: + dashed_name: threat-enrichments-file-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: threat.enrichments.file.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean +threat.enrichments.file.created: + dashed_name: threat-enrichments-file-created + description: 'File creation time. + + Note that not all filesystems store the creation time.' + flat_name: threat.enrichments.file.created + level: extended + name: created + normalize: [] + original_fieldset: file + short: File creation time. + type: date +threat.enrichments.file.ctime: + dashed_name: threat-enrichments-file-ctime + description: 'Last time the file attributes or metadata changed. + + Note that changes to the file content will update `mtime`. 
This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' + flat_name: threat.enrichments.file.ctime + level: extended + name: ctime + normalize: [] + original_fieldset: file + short: Last time the file attributes or metadata changed. + type: date +threat.enrichments.file.device: + dashed_name: threat-enrichments-file-device + description: Device that is the source of the file. + example: sda + flat_name: threat.enrichments.file.device + ignore_above: 1024 + level: extended + name: device + normalize: [] + original_fieldset: file + short: Device that is the source of the file. + type: keyword +threat.enrichments.file.directory: + dashed_name: threat-enrichments-file-directory + description: Directory where the file is located. It should include the drive letter, + when appropriate. + example: /home/alice + flat_name: threat.enrichments.file.directory + ignore_above: 1024 + level: extended + name: directory + normalize: [] + original_fieldset: file + short: Directory where the file is located. + type: keyword +threat.enrichments.file.drive_letter: + dashed_name: threat-enrichments-file-drive-letter + description: 'Drive letter where the file is located. This field is only relevant + on Windows. + + The value should be uppercase, and not include the colon.' + example: C + flat_name: threat.enrichments.file.drive_letter + ignore_above: 1 + level: extended + name: drive_letter + normalize: [] + original_fieldset: file + short: Drive letter where the file is located. + type: keyword +threat.enrichments.file.elf.architecture: + dashed_name: threat-enrichments-file-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: threat.enrichments.file.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. 
+ type: keyword +threat.enrichments.file.elf.byte_order: + dashed_name: threat-enrichments-file-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: threat.enrichments.file.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword +threat.enrichments.file.elf.cpu_type: + dashed_name: threat-enrichments-file-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: threat.enrichments.file.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword +threat.enrichments.file.elf.creation_date: + dashed_name: threat-enrichments-file-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + flat_name: threat.enrichments.file.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date +threat.enrichments.file.elf.exports: + dashed_name: threat-enrichments-file-elf-exports + description: List of exported element names and types. + flat_name: threat.enrichments.file.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened +threat.enrichments.file.elf.header.abi_version: + dashed_name: threat-enrichments-file-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: threat.enrichments.file.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). 
+ type: keyword +threat.enrichments.file.elf.header.class: + dashed_name: threat-enrichments-file-elf-header-class + description: Header class of the ELF file. + flat_name: threat.enrichments.file.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword +threat.enrichments.file.elf.header.data: + dashed_name: threat-enrichments-file-elf-header-data + description: Data table of the ELF header. + flat_name: threat.enrichments.file.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword +threat.enrichments.file.elf.header.entrypoint: + dashed_name: threat-enrichments-file-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: threat.enrichments.file.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long +threat.enrichments.file.elf.header.object_version: + dashed_name: threat-enrichments-file-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: threat.enrichments.file.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword +threat.enrichments.file.elf.header.os_abi: + dashed_name: threat-enrichments-file-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: threat.enrichments.file.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. 
+ type: keyword +threat.enrichments.file.elf.header.type: + dashed_name: threat-enrichments-file-elf-header-type + description: Header type of the ELF file. + flat_name: threat.enrichments.file.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword +threat.enrichments.file.elf.header.version: + dashed_name: threat-enrichments-file-elf-header-version + description: Version of the ELF header. + flat_name: threat.enrichments.file.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword +threat.enrichments.file.elf.imports: + dashed_name: threat-enrichments-file-elf-imports + description: List of imported element names and types. + flat_name: threat.enrichments.file.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened +threat.enrichments.file.elf.sections: + dashed_name: threat-enrichments-file-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.sections.*`.' + flat_name: threat.enrichments.file.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested +threat.enrichments.file.elf.sections.chi2: + dashed_name: threat-enrichments-file-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: threat.enrichments.file.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. 
+ type: long +threat.enrichments.file.elf.sections.entropy: + dashed_name: threat-enrichments-file-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: threat.enrichments.file.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long +threat.enrichments.file.elf.sections.flags: + dashed_name: threat-enrichments-file-elf-sections-flags + description: ELF Section List flags. + flat_name: threat.enrichments.file.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword +threat.enrichments.file.elf.sections.name: + dashed_name: threat-enrichments-file-elf-sections-name + description: ELF Section List name. + flat_name: threat.enrichments.file.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword +threat.enrichments.file.elf.sections.physical_offset: + dashed_name: threat-enrichments-file-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: threat.enrichments.file.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword +threat.enrichments.file.elf.sections.physical_size: + dashed_name: threat-enrichments-file-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: threat.enrichments.file.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. 
+ type: long +threat.enrichments.file.elf.sections.type: + dashed_name: threat-enrichments-file-elf-sections-type + description: ELF Section List type. + flat_name: threat.enrichments.file.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword +threat.enrichments.file.elf.sections.virtual_address: + dashed_name: threat-enrichments-file-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: threat.enrichments.file.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long +threat.enrichments.file.elf.sections.virtual_size: + dashed_name: threat-enrichments-file-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: threat.enrichments.file.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long +threat.enrichments.file.elf.segments: + dashed_name: threat-enrichments-file-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' + flat_name: threat.enrichments.file.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested +threat.enrichments.file.elf.segments.sections: + dashed_name: threat-enrichments-file-elf-segments-sections + description: ELF object segment sections. + flat_name: threat.enrichments.file.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. 
+ type: keyword +threat.enrichments.file.elf.segments.type: + dashed_name: threat-enrichments-file-elf-segments-type + description: ELF object segment type. + flat_name: threat.enrichments.file.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword +threat.enrichments.file.elf.shared_libraries: + dashed_name: threat-enrichments-file-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: threat.enrichments.file.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword +threat.enrichments.file.elf.telfhash: + dashed_name: threat-enrichments-file-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: threat.enrichments.file.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword +threat.enrichments.file.extension: + dashed_name: threat-enrichments-file-extension + description: 'File extension, excluding the leading dot. + + Note that when the file name has multiple extensions (example.tar.gz), only the + last one should be captured ("gz", not "tar.gz").' + example: png + flat_name: threat.enrichments.file.extension + ignore_above: 1024 + level: extended + name: extension + normalize: [] + original_fieldset: file + short: File extension, excluding the leading dot. + type: keyword +threat.enrichments.file.gid: + dashed_name: threat-enrichments-file-gid + description: Primary group ID (GID) of the file. + example: '1001' + flat_name: threat.enrichments.file.gid + ignore_above: 1024 + level: extended + name: gid + normalize: [] + original_fieldset: file + short: Primary group ID (GID) of the file. 
+ type: keyword +threat.enrichments.file.group: + dashed_name: threat-enrichments-file-group + description: Primary group name of the file. + example: alice + flat_name: threat.enrichments.file.group + ignore_above: 1024 + level: extended + name: group + normalize: [] + original_fieldset: file + short: Primary group name of the file. + type: keyword +threat.enrichments.file.inode: + dashed_name: threat-enrichments-file-inode + description: Inode representing the file in the filesystem. + example: '256383' + flat_name: threat.enrichments.file.inode + ignore_above: 1024 + level: extended + name: inode + normalize: [] + original_fieldset: file + short: Inode representing the file in the filesystem. + type: keyword +threat.enrichments.file.mime_type: + dashed_name: threat-enrichments-file-mime-type + description: MIME type should identify the format of the file or stream of bytes + using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official + types], where possible. When more than one type is applicable, the most specific + type should be used. + flat_name: threat.enrichments.file.mime_type + ignore_above: 1024 + level: extended + name: mime_type + normalize: [] + original_fieldset: file + short: Media type of file, document, or arrangement of bytes. + type: keyword +threat.enrichments.file.mode: + dashed_name: threat-enrichments-file-mode + description: Mode of the file in octal representation. + example: '0640' + flat_name: threat.enrichments.file.mode + ignore_above: 1024 + level: extended + name: mode + normalize: [] + original_fieldset: file + short: Mode of the file in octal representation. + type: keyword +threat.enrichments.file.mtime: + dashed_name: threat-enrichments-file-mtime + description: Last time the file content was modified. + flat_name: threat.enrichments.file.mtime + level: extended + name: mtime + normalize: [] + original_fieldset: file + short: Last time the file content was modified. 
+ type: date +threat.enrichments.file.name: + dashed_name: threat-enrichments-file-name + description: Name of the file including the extension, without the directory. + example: example.png + flat_name: threat.enrichments.file.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: file + short: Name of the file including the extension, without the directory. + type: keyword +threat.enrichments.file.owner: + dashed_name: threat-enrichments-file-owner + description: File owner's username. + example: alice + flat_name: threat.enrichments.file.owner + ignore_above: 1024 + level: extended + name: owner + normalize: [] + original_fieldset: file + short: File owner's username. + type: keyword +threat.enrichments.file.path: + dashed_name: threat-enrichments-file-path + description: Full path to the file, including the file name. It should include the + drive letter, when appropriate. + example: /home/alice/example.png + flat_name: threat.enrichments.file.path + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: threat.enrichments.file.path.text + name: text + norms: false + type: text + name: path + normalize: [] + original_fieldset: file + short: Full path to the file, including the file name. + type: keyword +threat.enrichments.file.size: + dashed_name: threat-enrichments-file-size + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + flat_name: threat.enrichments.file.size + level: extended + name: size + normalize: [] + original_fieldset: file + short: File size in bytes. + type: long +threat.enrichments.file.target_path: + dashed_name: threat-enrichments-file-target-path + description: Target path for symlinks. 
+ flat_name: threat.enrichments.file.target_path + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: threat.enrichments.file.target_path.text + name: text + norms: false + type: text + name: target_path + normalize: [] + original_fieldset: file + short: Target path for symlinks. + type: keyword +threat.enrichments.file.type: + dashed_name: threat-enrichments-file-type + description: File type (file, dir, or symlink). + example: file + flat_name: threat.enrichments.file.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: file + short: File type (file, dir, or symlink). + type: keyword +threat.enrichments.file.uid: + dashed_name: threat-enrichments-file-uid + description: The user ID (UID) or security identifier (SID) of the file owner. + example: '1001' + flat_name: threat.enrichments.file.uid + ignore_above: 1024 + level: extended + name: uid + normalize: [] + original_fieldset: file + short: The user ID (UID) or security identifier (SID) of the file owner. + type: keyword +threat.enrichments.geo.city_name: + dashed_name: threat-enrichments-geo-city-name + description: City name. + example: Montreal + flat_name: threat.enrichments.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +threat.enrichments.geo.continent_code: + dashed_name: threat-enrichments-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: threat.enrichments.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword +threat.enrichments.geo.continent_name: + dashed_name: threat-enrichments-geo-continent-name + description: Name of the continent. 
+ example: North America + flat_name: threat.enrichments.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +threat.enrichments.geo.country_iso_code: + dashed_name: threat-enrichments-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: threat.enrichments.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword +threat.enrichments.geo.country_name: + dashed_name: threat-enrichments-geo-country-name + description: Country name. + example: Canada + flat_name: threat.enrichments.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword +threat.enrichments.geo.location: + dashed_name: threat-enrichments-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: threat.enrichments.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +threat.enrichments.geo.name: + dashed_name: threat-enrichments-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: threat.enrichments.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword +threat.enrichments.geo.postal_code: + dashed_name: threat-enrichments-geo-postal-code + description: 'Postal code associated with the location. 
+ + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: threat.enrichments.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword +threat.enrichments.geo.region_iso_code: + dashed_name: threat-enrichments-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: threat.enrichments.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +threat.enrichments.geo.region_name: + dashed_name: threat-enrichments-geo-region-name + description: Region name. + example: Quebec + flat_name: threat.enrichments.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword +threat.enrichments.geo.timezone: + dashed_name: threat-enrichments-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: threat.enrichments.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword +threat.enrichments.hash.md5: + dashed_name: threat-enrichments-hash-md5 + description: MD5 hash. + flat_name: threat.enrichments.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword +threat.enrichments.hash.sha1: + dashed_name: threat-enrichments-hash-sha1 + description: SHA1 hash. + flat_name: threat.enrichments.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. 
+ type: keyword +threat.enrichments.hash.sha256: + dashed_name: threat-enrichments-hash-sha256 + description: SHA256 hash. + flat_name: threat.enrichments.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword +threat.enrichments.hash.sha512: + dashed_name: threat-enrichments-hash-sha512 + description: SHA512 hash. + flat_name: threat.enrichments.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword +threat.enrichments.hash.ssdeep: + dashed_name: threat-enrichments-hash-ssdeep + description: SSDEEP hash. + flat_name: threat.enrichments.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword +threat.enrichments.matched.atomic: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-atomic + description: Identifies the atomic indicator value that matched a local environment + endpoint or network event. + example: bad-domain.com + flat_name: threat.enrichments.matched.atomic + ignore_above: 1024 + level: extended + name: enrichments.matched.atomic + normalize: [] + short: Matched indicator value + type: keyword +threat.enrichments.matched.field: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-field + description: Identifies the field of the atomic indicator that matched a local environment + endpoint or network event. + example: file.hash.sha256 + flat_name: threat.enrichments.matched.field + ignore_above: 1024 + level: extended + name: enrichments.matched.field + normalize: [] + short: Matched indicator field + type: keyword +threat.enrichments.matched.id: + beta: This field is beta and subject to change. 
+ dashed_name: threat-enrichments-matched-id + description: Identifies the _id of the indicator document enriching the event. + example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 + flat_name: threat.enrichments.matched.id + ignore_above: 1024 + level: extended + name: enrichments.matched.id + normalize: [] + short: Matched indicator identifier + type: keyword +threat.enrichments.matched.index: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-index + description: Identifies the _index of the indicator document enriching the event. + example: filebeat-8.0.0-2021.05.23-000011 + flat_name: threat.enrichments.matched.index + ignore_above: 1024 + level: extended + name: enrichments.matched.index + normalize: [] + short: Matched indicator index + type: keyword +threat.enrichments.matched.type: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-type + description: Identifies the type of match that caused the event to be enriched with + the given indicator + example: indicator_match_rule + flat_name: threat.enrichments.matched.type + ignore_above: 1024 + level: extended + name: enrichments.matched.type + normalize: [] + short: Type of indicator match + type: keyword +threat.enrichments.url.domain: + dashed_name: threat-enrichments-url-domain + description: 'Domain of the url, such as "www.elastic.co". + + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), + the `[` and `]` characters should also be captured in the `domain` field.' + example: www.elastic.co + flat_name: threat.enrichments.url.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: url + short: Domain of the url. 
+ type: keyword +threat.enrichments.url.extension: + dashed_name: threat-enrichments-url-extension + description: 'The field contains the file extension from the original request url, + excluding the leading dot. + + The file extension is only set if it exists, as not every url has a file extension. + + The leading period must not be included. For example, the value must be "png", + not ".png". + + Note that when the file name has multiple extensions (example.tar.gz), only the + last one should be captured ("gz", not "tar.gz").' + example: png + flat_name: threat.enrichments.url.extension + ignore_above: 1024 + level: extended + name: extension + normalize: [] + original_fieldset: url + short: File extension from the request url, excluding the leading dot. + type: keyword +threat.enrichments.url.fragment: + dashed_name: threat-enrichments-url-fragment + description: 'Portion of the url after the `#`, such as "top". + + The `#` is not part of the fragment.' + flat_name: threat.enrichments.url.fragment + ignore_above: 1024 + level: extended + name: fragment + normalize: [] + original_fieldset: url + short: Portion of the url after the `#`. + type: keyword +threat.enrichments.url.full: + dashed_name: threat-enrichments-url-full + description: If full URLs are important to your use case, they should be stored + in `url.full`, whether this field is reconstructed or present in the event source. + example: https://www.elastic.co:443/search?q=elasticsearch#top + flat_name: threat.enrichments.url.full + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: threat.enrichments.url.full.text + name: text + norms: false + type: text + name: full + normalize: [] + original_fieldset: url + short: Full unparsed URL. + type: keyword +threat.enrichments.url.original: + dashed_name: threat-enrichments-url-original + description: 'Unmodified original url as seen in the event source. 
+ + Note that in network monitoring, the observed URL may be a full URL, whereas in + access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' + example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + flat_name: threat.enrichments.url.original + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: threat.enrichments.url.original.text + name: text + norms: false + type: text + name: original + normalize: [] + original_fieldset: url + short: Unmodified original url as seen in the event source. + type: keyword +threat.enrichments.url.password: + dashed_name: threat-enrichments-url-password + description: Password of the request. + flat_name: threat.enrichments.url.password + ignore_above: 1024 + level: extended + name: password + normalize: [] + original_fieldset: url + short: Password of the request. + type: keyword +threat.enrichments.url.path: + dashed_name: threat-enrichments-url-path + description: Path of the request, such as "/search". + flat_name: threat.enrichments.url.path + ignore_above: 1024 + level: extended + name: path + normalize: [] + original_fieldset: url + short: Path of the request, such as "/search". + type: keyword +threat.enrichments.url.port: + dashed_name: threat-enrichments-url-port + description: Port of the request, such as 443. + example: 443 + flat_name: threat.enrichments.url.port + format: string + level: extended + name: port + normalize: [] + original_fieldset: url + short: Port of the request, such as 443. + type: long +threat.enrichments.url.query: + dashed_name: threat-enrichments-url-query + description: 'The query field describes the query string of the request, such as + "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there is + no query field. If there is a `?` but no query, the query field exists with an + empty string. 
The `exists` query can be used to differentiate between the two + cases.' + flat_name: threat.enrichments.url.query + ignore_above: 1024 + level: extended + name: query + normalize: [] + original_fieldset: url + short: Query string of the request. + type: keyword +threat.enrichments.url.registered_domain: + dashed_name: threat-enrichments-url-registered-domain + description: 'The highest registered url domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: threat.enrichments.url.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: url + short: The highest registered url domain, stripped of the subdomain. + type: keyword +threat.enrichments.url.scheme: + dashed_name: threat-enrichments-url-scheme + description: 'Scheme of the request, such as "https". + + Note: The `:` is not part of the scheme.' + example: https + flat_name: threat.enrichments.url.scheme + ignore_above: 1024 + level: extended + name: scheme + normalize: [] + original_fieldset: url + short: Scheme of the url. + type: keyword +threat.enrichments.url.subdomain: + dashed_name: threat-enrichments-url-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: threat.enrichments.url.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: url + short: The subdomain of the domain. + type: keyword +threat.enrichments.url.top_level_domain: + dashed_name: threat-enrichments-url-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: threat.enrichments.url.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: url + short: The effective top level domain (com, org, net, co.uk). + type: keyword +threat.enrichments.url.username: + dashed_name: threat-enrichments-url-username + description: Username of the request. + flat_name: threat.enrichments.url.username + ignore_above: 1024 + level: extended + name: username + normalize: [] + original_fieldset: url + short: Username of the request. + type: keyword +threat.enrichments.x509.alternative_names: + dashed_name: threat-enrichments-x509-alternative-names + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names (and + wildcards), and email addresses. 
+ example: '*.elastic.co' + flat_name: threat.enrichments.x509.alternative_names + ignore_above: 1024 + level: extended + name: alternative_names + normalize: + - array + original_fieldset: x509 + short: List of subject alternative names (SAN). + type: keyword +threat.enrichments.x509.issuer.common_name: + dashed_name: threat-enrichments-x509-issuer-common-name + description: List of common name (CN) of issuing certificate authority. + example: Example SHA2 High Assurance Server CA + flat_name: threat.enrichments.x509.issuer.common_name + ignore_above: 1024 + level: extended + name: issuer.common_name + normalize: + - array + original_fieldset: x509 + short: List of common name (CN) of issuing certificate authority. + type: keyword +threat.enrichments.x509.issuer.country: + dashed_name: threat-enrichments-x509-issuer-country + description: List of country (C) codes + example: US + flat_name: threat.enrichments.x509.issuer.country + ignore_above: 1024 + level: extended + name: issuer.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) codes + type: keyword +threat.enrichments.x509.issuer.distinguished_name: + dashed_name: threat-enrichments-x509-issuer-distinguished-name + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + flat_name: threat.enrichments.x509.issuer.distinguished_name + ignore_above: 1024 + level: extended + name: issuer.distinguished_name + normalize: [] + original_fieldset: x509 + short: Distinguished name (DN) of issuing certificate authority. 
+ type: keyword +threat.enrichments.x509.issuer.locality: + dashed_name: threat-enrichments-x509-issuer-locality + description: List of locality names (L) + example: Mountain View + flat_name: threat.enrichments.x509.issuer.locality + ignore_above: 1024 + level: extended + name: issuer.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) + type: keyword +threat.enrichments.x509.issuer.organization: + dashed_name: threat-enrichments-x509-issuer-organization + description: List of organizations (O) of issuing certificate authority. + example: Example Inc + flat_name: threat.enrichments.x509.issuer.organization + ignore_above: 1024 + level: extended + name: issuer.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of issuing certificate authority. + type: keyword +threat.enrichments.x509.issuer.organizational_unit: + dashed_name: threat-enrichments-x509-issuer-organizational-unit + description: List of organizational units (OU) of issuing certificate authority. + example: www.example.com + flat_name: threat.enrichments.x509.issuer.organizational_unit + ignore_above: 1024 + level: extended + name: issuer.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of issuing certificate authority. + type: keyword +threat.enrichments.x509.issuer.state_or_province: + dashed_name: threat-enrichments-x509-issuer-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: threat.enrichments.x509.issuer.state_or_province + ignore_above: 1024 + level: extended + name: issuer.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword +threat.enrichments.x509.not_after: + dashed_name: threat-enrichments-x509-not-after + description: Time at which the certificate is no longer considered valid. 
+ example: 2020-07-16 03:15:39+00:00 + flat_name: threat.enrichments.x509.not_after + level: extended + name: not_after + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is no longer considered valid. + type: date +threat.enrichments.x509.not_before: + dashed_name: threat-enrichments-x509-not-before + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + flat_name: threat.enrichments.x509.not_before + level: extended + name: not_before + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is first considered valid. + type: date +threat.enrichments.x509.public_key_algorithm: + dashed_name: threat-enrichments-x509-public-key-algorithm + description: Algorithm used to generate the public key. + example: RSA + flat_name: threat.enrichments.x509.public_key_algorithm + ignore_above: 1024 + level: extended + name: public_key_algorithm + normalize: [] + original_fieldset: x509 + short: Algorithm used to generate the public key. + type: keyword +threat.enrichments.x509.public_key_curve: + dashed_name: threat-enrichments-x509-public-key-curve + description: The curve used by the elliptic curve public key algorithm. This is + algorithm specific. + example: nistp521 + flat_name: threat.enrichments.x509.public_key_curve + ignore_above: 1024 + level: extended + name: public_key_curve + normalize: [] + original_fieldset: x509 + short: The curve used by the elliptic curve public key algorithm. This is algorithm + specific. + type: keyword +threat.enrichments.x509.public_key_exponent: + dashed_name: threat-enrichments-x509-public-key-exponent + description: Exponent used to derive the public key. This is algorithm specific. + doc_values: false + example: 65537 + flat_name: threat.enrichments.x509.public_key_exponent + index: false + level: extended + name: public_key_exponent + normalize: [] + original_fieldset: x509 + short: Exponent used to derive the public key. 
This is algorithm specific. + type: long +threat.enrichments.x509.public_key_size: + dashed_name: threat-enrichments-x509-public-key-size + description: The size of the public key space in bits. + example: 2048 + flat_name: threat.enrichments.x509.public_key_size + level: extended + name: public_key_size + normalize: [] + original_fieldset: x509 + short: The size of the public key space in bits. + type: long +threat.enrichments.x509.serial_number: + dashed_name: threat-enrichments-x509-serial-number + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + flat_name: threat.enrichments.x509.serial_number + ignore_above: 1024 + level: extended + name: serial_number + normalize: [] + original_fieldset: x509 + short: Unique serial number issued by the certificate authority. + type: keyword +threat.enrichments.x509.signature_algorithm: + dashed_name: threat-enrichments-x509-signature-algorithm + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA + flat_name: threat.enrichments.x509.signature_algorithm + ignore_above: 1024 + level: extended + name: signature_algorithm + normalize: [] + original_fieldset: x509 + short: Identifier for certificate signature algorithm. + type: keyword +threat.enrichments.x509.subject.common_name: + dashed_name: threat-enrichments-x509-subject-common-name + description: List of common names (CN) of subject. + example: shared.global.example.net + flat_name: threat.enrichments.x509.subject.common_name + ignore_above: 1024 + level: extended + name: subject.common_name + normalize: + - array + original_fieldset: x509 + short: List of common names (CN) of subject. 
+ type: keyword +threat.enrichments.x509.subject.country: + dashed_name: threat-enrichments-x509-subject-country + description: List of country (C) code + example: US + flat_name: threat.enrichments.x509.subject.country + ignore_above: 1024 + level: extended + name: subject.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) code + type: keyword +threat.enrichments.x509.subject.distinguished_name: + dashed_name: threat-enrichments-x509-subject-distinguished-name + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + flat_name: threat.enrichments.x509.subject.distinguished_name + ignore_above: 1024 + level: extended + name: subject.distinguished_name + normalize: [] + original_fieldset: x509 + short: Distinguished name (DN) of the certificate subject entity. + type: keyword +threat.enrichments.x509.subject.locality: + dashed_name: threat-enrichments-x509-subject-locality + description: List of locality names (L) + example: San Francisco + flat_name: threat.enrichments.x509.subject.locality + ignore_above: 1024 + level: extended + name: subject.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) + type: keyword +threat.enrichments.x509.subject.organization: + dashed_name: threat-enrichments-x509-subject-organization + description: List of organizations (O) of subject. + example: Example, Inc. + flat_name: threat.enrichments.x509.subject.organization + ignore_above: 1024 + level: extended + name: subject.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of subject. + type: keyword +threat.enrichments.x509.subject.organizational_unit: + dashed_name: threat-enrichments-x509-subject-organizational-unit + description: List of organizational units (OU) of subject. 
+ flat_name: threat.enrichments.x509.subject.organizational_unit + ignore_above: 1024 + level: extended + name: subject.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of subject. + type: keyword +threat.enrichments.x509.subject.state_or_province: + dashed_name: threat-enrichments-x509-subject-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: threat.enrichments.x509.subject.state_or_province + ignore_above: 1024 + level: extended + name: subject.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword +threat.enrichments.x509.version_number: + dashed_name: threat-enrichments-x509-version-number + description: Version of x509 format. + example: 3 + flat_name: threat.enrichments.x509.version_number + ignore_above: 1024 + level: extended + name: version_number + normalize: [] + original_fieldset: x509 + short: Version of x509 format. + type: keyword threat.framework: dashed_name: threat-framework description: Name of the threat framework used to further categorize and classify diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 4edc2d3ceb..ccff0149f5 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -151,6 +151,10 @@ as: - as: as at: source full: source.as + - as: as + at: threat.enrichments + beta: Reusing the `as` fields in this location is currently considered beta. + full: threat.enrichments.as top_level: false short: Fields describing an Autonomous System (Internet routing prefix). title: Autonomous System 
@@ -3421,6 +3425,13 @@ event: group: 2 name: event prefix: event. + reusable: + expected: + - as: event + at: threat.enrichments + beta: Reusing the `event` fields in this location is currently considered beta. + full: threat.enrichments.event + top_level: true short: Fields breaking down the event details. title: Event type: group @@ -4573,6 +4584,13 @@ file: - file.pe - file.x509 prefix: file. + reusable: + expected: + - as: file + at: threat.enrichments + beta: Reusing the `file` fields in this location is currently considered beta. + full: threat.enrichments.file + top_level: true reused_here: - full: file.code_signature schema_name: code_signature @@ -4752,6 +4770,10 @@ geo: - as: geo at: source full: source.geo + - as: geo + at: threat.enrichments + beta: Reusing the `geo` fields in this location is currently considered beta. + full: threat.enrichments.geo top_level: false short: Fields describing a location. title: Geo @@ -4880,6 +4902,10 @@ hash: - as: hash at: dll full: dll.hash + - as: hash + at: threat.enrichments + beta: Reusing the `hash` fields in this location is currently considered beta. + full: threat.enrichments.hash top_level: false short: Hashes, usually file hashes. title: Hash 
@@ -10186,215 +10212,2573 @@ threat: \ kind of approach is used by this detected threat, to accomplish the goal (e.g.\ \ \"endpoint denial of service\")." fields: - threat.framework: - dashed_name: threat-framework - description: Name of the threat framework used to further categorize and classify - the tactic and technique of the reported threat. Framework classification - can be provided by detecting systems, evaluated at ingest time, or retrospectively - tagged to events. - example: MITRE ATT&CK - flat_name: threat.framework - ignore_above: 1024 - level: extended - name: framework - normalize: [] - short: Threat classification framework. - type: keyword - threat.group.alias: - beta: This field is beta and subject to change. - dashed_name: threat-group-alias - description: "The alias(es) of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group alias(es)." - example: '[ "Magecart Group 6" ]' - flat_name: threat.group.alias - ignore_above: 1024 - level: extended - name: group.alias - normalize: - - array - short: Alias of the group. - type: keyword - threat.group.id: - beta: This field is beta and subject to change. - dashed_name: threat-group-id - description: "The id of the group for a set of related intrusion activity that\ - \ are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group id." - example: G0037 - flat_name: threat.group.id - ignore_above: 1024 - level: extended - name: group.id - normalize: [] - short: ID of the group. - type: keyword - threat.group.name: - beta: This field is beta and subject to change. - dashed_name: threat-group-name - description: "The name of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group name." 
- example: FIN6 - flat_name: threat.group.name - ignore_above: 1024 - level: extended - name: group.name - normalize: [] - short: Name of the group. - type: keyword - threat.group.reference: + threat.enrichments: beta: This field is beta and subject to change. - dashed_name: threat-group-reference - description: "The reference URL of the group for a set of related intrusion\ - \ activity that are tracked by a common name in the security community. While\ - \ not required, you can use a MITRE ATT&CK\xAE group reference URL." - example: https://attack.mitre.org/groups/G0037/ - flat_name: threat.group.reference - ignore_above: 1024 + dashed_name: threat-enrichments + description: A list of associated indicators enriching the event, and the context + of that association/enrichment. + flat_name: threat.enrichments level: extended - name: group.reference + name: enrichments normalize: [] - short: Reference URL of the group. - type: keyword - threat.indicator.confidence: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-confidence - description: "Identifies the confidence rating assigned by the provider using\ - \ STIX confidence scales.\nRecommended values:\n * Not Specified, None, Low,\ - \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ - \ * WEP Scale (Impossible - Certain)" - example: High - flat_name: threat.indicator.confidence - ignore_above: 1024 + short: List of indicators enriching the event. + type: nested + threat.enrichments.as.number: + dashed_name: threat-enrichments-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: threat.enrichments.as.number level: extended - name: indicator.confidence + name: number normalize: [] - short: Indicator confidence rating - type: keyword - threat.indicator.description: - beta: This field is beta and subject to change. 
- dashed_name: threat-indicator-description - description: Describes the type of action conducted by the threat. - example: IP x.x.x.x was observed delivering the Angler EK. - flat_name: threat.indicator.description + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long + threat.enrichments.as.organization.name: + dashed_name: threat-enrichments-as-organization-name + description: Organization name. + example: Google LLC + flat_name: threat.enrichments.as.organization.name ignore_above: 1024 level: extended - name: indicator.description + multi_fields: + - flat_name: threat.enrichments.as.organization.name.text + name: text + norms: false + type: text + name: organization.name normalize: [] - short: Indicator description + original_fieldset: as + short: Organization name. type: keyword - threat.indicator.email.address: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-email-address - description: Identifies a threat indicator as an email address (irrespective - of direction). - example: phish@example.com - flat_name: threat.indicator.email.address + threat.enrichments.event.action: + dashed_name: threat-enrichments-event-action + description: 'The action captured by the event. + + This describes the information in the event. It is more specific than `event.category`. + Examples are `group-add`, `process-started`, `file-created`. The value is + normally defined by the implementer.' + example: user-password-change + flat_name: threat.enrichments.event.action ignore_above: 1024 - level: extended - name: indicator.email.address + level: core + name: action normalize: [] - short: Indicator email address + original_fieldset: event + short: The action captured by the event. type: keyword - threat.indicator.first_seen: - beta: This field is beta and subject to change. 
- dashed_name: threat-indicator-first-seen - description: The date and time when intelligence source first reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.first_seen - level: extended - name: indicator.first_seen - normalize: [] - short: Date/time indicator was first reported. - type: date - threat.indicator.ip: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-ip - description: Identifies a threat indicator as an IP address (irrespective of - direction). - example: 1.2.3.4 - flat_name: threat.indicator.ip - level: extended - name: indicator.ip - normalize: [] - short: Indicator IP address - type: ip - threat.indicator.last_seen: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-last-seen - description: The date and time when intelligence source last reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.last_seen - level: extended - name: indicator.last_seen - normalize: [] - short: Date/time indicator was last reported. - type: date - threat.indicator.marking.tlp: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-marking-tlp - description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ - \ * WHITE\n * GREEN\n * AMBER\n * RED" - example: WHITE - flat_name: threat.indicator.marking.tlp + threat.enrichments.event.agent_id_status: + dashed_name: threat-enrichments-event-agent-id-status + description: 'Agents are normally responsible for populating the `agent.id` + field value. If the system receiving events is capable of validating the value + based on authentication information for the client then this field can be + used to reflect the outcome of that validation. 
+ + For example if the agent''s connection is authenticated with mTLS and the + client cert contains the ID of the agent to which the cert was issued then + the `agent.id` value in events can be checked against the certificate. If + the values match then `event.agent_id_status: verified` is added to the event, + otherwise one of the other allowed values should be used. + + If no validation is performed then the field should be omitted. + + The allowed values are: + + `verified` - The `agent.id` field value matches expected value obtained from + auth metadata. + + `mismatch` - The `agent.id` field value does not match the expected value + obtained from auth metadata. + + `missing` - There was no `agent.id` field in the event to validate. + + `auth_metadata_missing` - There was no auth metadata or it was missing information + about the agent ID.' + example: verified + flat_name: threat.enrichments.event.agent_id_status ignore_above: 1024 level: extended - name: indicator.marking.tlp + name: agent_id_status normalize: [] - short: Indicator TLP marking + original_fieldset: event + short: Validation status of the event's agent.id field. type: keyword - threat.indicator.modified_at: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-modified-at - description: The date and time when intelligence source last modified information - for this indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.modified_at - level: extended - name: indicator.modified_at - normalize: [] - short: Date/time indicator was last updated. - type: date - threat.indicator.port: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-port - description: Identifies a threat indicator as a port number (irrespective of - direction). 
- example: 443 - flat_name: threat.indicator.port - level: extended - name: indicator.port - normalize: [] - short: Indicator port - type: long - threat.indicator.scanner_stats: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-scanner-stats - description: Count of AV/EDR vendors that successfully detected malicious file - or URL. - example: 4 - flat_name: threat.indicator.scanner_stats - level: extended - name: indicator.scanner_stats - normalize: [] - short: Scanner statistics - type: long - threat.indicator.sightings: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-sightings - description: Number of times this indicator was observed conducting threat activity. - example: 20 - flat_name: threat.indicator.sightings - level: extended - name: indicator.sightings - normalize: [] - short: Number of times indicator observed - type: long - threat.indicator.type: - beta: This field is beta and subject to change. + threat.enrichments.event.category: + allowed_values: + - description: Events in this category are related to the challenge and response + process in which credentials are supplied and verified to allow the creation + of a session. Common sources for these logs are Windows event logs and ssh + logs. Visualize and analyze events in this category to look for failed logins, + and other authentication-related activity. + expected_event_types: + - start + - end + - info + name: authentication + - description: 'Events in the configuration category have to deal with creating, + modifying, or deleting the settings or parameters of an application, process, + or system. + + Example sources include security policy change logs, configuration auditing + logging, and system integrity monitoring.' 
+ expected_event_types: + - access + - change + - creation + - deletion + - info + name: configuration + - description: The database category denotes events and metrics relating to + a data storage and retrieval system. Note that use of this category is not + limited to relational database systems. Examples include event logs from + MS SQL, MySQL, Elasticsearch, MongoDB, etc. Use this category to visualize + and analyze database activity such as accesses and changes. + expected_event_types: + - access + - change + - info + - error + name: database + - description: 'Events in the driver category have to do with operating system + device drivers and similar software entities such as Windows drivers, kernel + extensions, kernel modules, etc. + + Use events and metrics in this category to visualize and analyze driver-related + activity and status on hosts.' + expected_event_types: + - change + - end + - info + - start + name: driver + - description: Relating to a set of information that has been created on, or + has existed on a filesystem. Use this category of events to visualize and + analyze the creation, access, and deletions of files. Events in this category + can come from both host-based and network-based sources. An example source + of a network-based detection of a file transfer would be the Zeek file.log. + expected_event_types: + - change + - creation + - deletion + - info + name: file + - description: 'Use this category to visualize and analyze information such + as host inventory or host lifecycle events. + + Most of the events in this category can usually be observed from the outside, + such as from a hypervisor or a control plane''s point of view. Some can + also be seen from within, such as "start" or "end". + + Note that this category is for information about hosts themselves; it is + not meant to capture activity "happening on a host".' 
+ expected_event_types: + - access + - change + - end + - info + - start + name: host + - description: Identity and access management (IAM) events relating to users, + groups, and administration. Use this category to visualize and analyze IAM-related + logs and data from active directory, LDAP, Okta, Duo, and other IAM systems. + expected_event_types: + - admin + - change + - creation + - deletion + - group + - info + - user + name: iam + - description: Relating to intrusion detections from IDS/IPS systems and functions, + both network and host-based. Use this category to visualize and analyze + intrusion detection alerts from systems such as Snort, Suricata, and Palo + Alto threat detections. + expected_event_types: + - allowed + - denied + - info + name: intrusion_detection + - description: Malware detection events and alerts. Use this category to visualize + and analyze malware detections from EDR/EPP systems such as Elastic Endpoint + Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS + systems such as Suricata, or other sources of malware-related events such + as Palo Alto Networks threat logs and Wildfire logs. + expected_event_types: + - info + name: malware + - description: Relating to all network activity, including network connection + lifecycle, network traffic, and essentially any event that includes an IP + address. Many events containing decoded network protocol transactions fit + into this category. Use events in this category to visualize or analyze + counts of network ports, protocols, addresses, geolocation information, + etc. + expected_event_types: + - access + - allowed + - connection + - denied + - end + - info + - protocol + - start + name: network + - description: Relating to software packages installed on hosts. Use this category + to visualize and analyze inventory of software installed on various hosts, + or to determine host vulnerability in the absence of vulnerability scan + data. 
+ expected_event_types: + - access + - change + - deletion + - info + - installation + - start + name: package + - description: Use this category of events to visualize and analyze process-specific + information such as lifecycle events or process ancestry. + expected_event_types: + - access + - change + - end + - info + - start + name: process + - description: Having to do with settings and assets stored in the Windows registry. + Use this category to visualize and analyze activity such as registry access + and modifications. + expected_event_types: + - access + - change + - creation + - deletion + name: registry + - description: The session category is applied to events and metrics regarding + logical persistent connections to hosts and services. Use this category + to visualize and analyze interactive or automated persistent connections + between assets. Data for this category may come from Windows Event logs, + SSH logs, or stateless sessions such as HTTP cookie-based sessions, etc. + expected_event_types: + - start + - end + - info + name: session + - description: 'Relating to web server access. Use this category to create a + dashboard of web server/proxy activity from apache, IIS, nginx web servers, + etc. Note: events from network observers such as Zeek http log may also + be included in this category.' + expected_event_types: + - access + - error + - info + name: web + dashed_name: threat-enrichments-event-category + description: 'This is one of four ECS Categorization Fields, and indicates the + second level in the ECS category hierarchy. + + `event.category` represents the "big buckets" of ECS categories. For example, + filtering on `event.category:process` yields all events relating to process + activity. This field is closely related to `event.type`, which is used as + a subcategory. + + This field is an array. This will allow proper categorization of some events + that fall in multiple categories.' 
+ example: authentication + flat_name: threat.enrichments.event.category + ignore_above: 1024 + level: core + name: category + normalize: + - array + original_fieldset: event + short: Event category. The second categorization field in the hierarchy. + type: keyword + threat.enrichments.event.code: + dashed_name: threat-enrichments-event-code + description: 'Identification code for this event, if one exists. + + Some event sources use event codes to identify messages unambiguously, regardless + of message language or wording adjustments over time. An example of this is + the Windows Event ID.' + example: 4648 + flat_name: threat.enrichments.event.code + ignore_above: 1024 + level: extended + name: code + normalize: [] + original_fieldset: event + short: Identification code for this event. + type: keyword + threat.enrichments.event.created: + dashed_name: threat-enrichments-event-created + description: 'event.created contains the date/time when the event was first + read by an agent, or by your pipeline. + + This field is distinct from @timestamp in that @timestamp typically contain + the time extracted from the original event. + + In most situations, these two timestamps will be slightly different. The difference + can be used to calculate the delay between your source generating an event, + and the time when your agent first processed it. This can be used to monitor + your agent''s or pipeline''s ability to keep up with your event source. + + In case the two timestamps are identical, @timestamp should be used.' + example: '2016-05-23T08:05:34.857Z' + flat_name: threat.enrichments.event.created + level: core + name: created + normalize: [] + original_fieldset: event + short: Time when the event was first read by an agent or by your pipeline. + type: date + threat.enrichments.event.dataset: + dashed_name: threat-enrichments-event-dataset + description: 'Name of the dataset. + + If an event source publishes more than one type of log or events (e.g. 
access + log, error log), the dataset is used to specify which one the event comes + from. + + It''s recommended but not required to start the dataset name with the module + name, followed by a dot, then the dataset name.' + example: apache.access + flat_name: threat.enrichments.event.dataset + ignore_above: 1024 + level: core + name: dataset + normalize: [] + original_fieldset: event + short: Name of the dataset. + type: keyword + threat.enrichments.event.duration: + dashed_name: threat-enrichments-event-duration + description: 'Duration of the event in nanoseconds. + + If event.start and event.end are known this value should be the difference + between the end and start time.' + flat_name: threat.enrichments.event.duration + format: duration + input_format: nanoseconds + level: core + name: duration + normalize: [] + original_fieldset: event + output_format: asMilliseconds + output_precision: 1 + short: Duration of the event in nanoseconds. + type: long + threat.enrichments.event.end: + dashed_name: threat-enrichments-event-end + description: event.end contains the date when the event ended or when the activity + was last observed. + flat_name: threat.enrichments.event.end + level: extended + name: end + normalize: [] + original_fieldset: event + short: event.end contains the date when the event ended or when the activity + was last observed. + type: date + threat.enrichments.event.hash: + dashed_name: threat-enrichments-event-hash + description: Hash (perhaps logstash fingerprint) of raw field to be able to + demonstrate log integrity. + example: 123456789012345678901234567890ABCD + flat_name: threat.enrichments.event.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: event + short: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate + log integrity. + type: keyword + threat.enrichments.event.id: + dashed_name: threat-enrichments-event-id + description: Unique ID to describe the event. 
+ example: 8a4f500d + flat_name: threat.enrichments.event.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: event + short: Unique ID to describe the event. + type: keyword + threat.enrichments.event.ingested: + dashed_name: threat-enrichments-event-ingested + description: 'Timestamp when an event arrived in the central data store. + + This is different from `@timestamp`, which is when the event originally occurred. It''s + also different from `event.created`, which is meant to capture the first time + an agent saw the event. + + In normal conditions, assuming no tampering, the timestamps should chronologically + look like this: `@timestamp` < `event.created` < `event.ingested`.' + example: '2016-05-23T08:05:35.101Z' + flat_name: threat.enrichments.event.ingested + level: core + name: ingested + normalize: [] + original_fieldset: event + short: Timestamp when an event arrived in the central data store. + type: date + threat.enrichments.event.kind: + allowed_values: + - description: 'This value indicates an event that describes an alert or notable + event, triggered by a detection rule. + + `event.kind:alert` is often populated for events coming from firewalls, + intrusion detection systems, endpoint detection and response systems, and + so on.' + name: alert + - description: This value is the most general and most common value for this + field. It is used to represent events that indicate that something happened. + name: event + - description: 'This value is used to indicate that this event describes a numeric + measurement taken at given point in time. + + Examples include CPU utilization, memory usage, or device temperature. + + Metric events are often collected on a predictable frequency, such as once + every few seconds, or once a minute, but can also be used to describe ad-hoc + numeric metric queries.' 
+ name: metric + - description: 'The state value is similar to metric, indicating that this event + describes a measurement taken at given point in time, except that the measurement + does not result in a numeric value, but rather one of a fixed set of categorical + values that represent conditions or states. + + Examples include periodic events reporting Elasticsearch cluster state (green/yellow/red), + the state of a TCP connection (open, closed, fin_wait, etc.), the state + of a host with respect to a software vulnerability (vulnerable, not vulnerable), + and the state of a system regarding compliance with a regulatory standard + (compliant, not compliant). + + Note that an event that describes a change of state would not use `event.kind:state`, + but instead would use ''event.kind:event'' since a state change fits the + more general event definition of something that happened. + + State events are often collected on a predictable frequency, such as once + every few seconds, once a minute, once an hour, or once a day, but can also + be used to describe ad-hoc state queries.' + name: state + - description: This value indicates that an error occurred during the ingestion + of this event, and that event data may be missing, inconsistent, or incorrect. + `event.kind:pipeline_error` is often associated with parsing errors. + name: pipeline_error + - description: 'This value is used by the Elastic Security app to denote an + Elasticsearch document that was created by a SIEM detection engine rule. + + A signal will typically trigger a notification that something meaningful + happened and should be investigated. + + Usage of this value is reserved, and pipelines should not populate `event.kind` + with the value "signal".' + name: signal + dashed_name: threat-enrichments-event-kind + description: 'This is one of four ECS Categorization Fields, and indicates the + highest level in the ECS category hierarchy. 
+ + `event.kind` gives high-level information about what type of information the + event contains, without being specific to the contents of the event. For example, + values of this field distinguish alert events from metric events. + + The value of this field can be used to inform how these kinds of events should + be handled. They may warrant different retention, different access control, + it may also help understand whether the data coming in at a regular interval + or not.' + example: alert + flat_name: threat.enrichments.event.kind + ignore_above: 1024 + level: core + name: kind + normalize: [] + original_fieldset: event + short: The kind of the event. The highest categorization field in the hierarchy. + type: keyword + threat.enrichments.event.module: + dashed_name: threat-enrichments-event-module + description: 'Name of the module this data is coming from. + + If your monitoring agent supports the concept of modules or plugins to process + events of a given source (e.g. Apache logs), `event.module` should contain + the name of this module.' + example: apache + flat_name: threat.enrichments.event.module + ignore_above: 1024 + level: core + name: module + normalize: [] + original_fieldset: event + short: Name of the module this data is coming from. + type: keyword + threat.enrichments.event.original: + dashed_name: threat-enrichments-event-original + description: 'Raw text message of entire event. Used to demonstrate log integrity or + where the full log message (before splitting it up in multiple parts) may + be required, e.g. for reindex. + + This field is not indexed and doc_values are disabled. It cannot be searched, + but it can be retrieved from `_source`. If users wish to override this and + index this field, please see `Field data types` in the `Elasticsearch Reference`.' 
+ doc_values: false + example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| + worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 + flat_name: threat.enrichments.event.original + ignore_above: 1024 + index: false + level: core + name: original + normalize: [] + original_fieldset: event + short: Raw text message of entire event. + type: keyword + threat.enrichments.event.outcome: + allowed_values: + - description: Indicates that this event describes a failed result. A common + example is `event.category:file AND event.type:access AND event.outcome:failure` + to indicate that a file access was attempted, but was not successful. + name: failure + - description: Indicates that this event describes a successful result. A common + example is `event.category:file AND event.type:create AND event.outcome:success` + to indicate that a file was successfully created. + name: success + - description: Indicates that this event describes only an attempt for which + the result is unknown from the perspective of the event producer. For example, + if the event contains information only about the request side of a transaction + that results in a response, populating `event.outcome:unknown` in the request + event is appropriate. The unknown value should not be used when an outcome + doesn't make logical sense for the event. In such cases `event.outcome` + should not be populated. + name: unknown + dashed_name: threat-enrichments-event-outcome + description: 'This is one of four ECS Categorization Fields, and indicates the + lowest level in the ECS category hierarchy. + + `event.outcome` simply denotes whether the event represents a success or a + failure from the perspective of the entity that produced the event. + + Note that when a single transaction is described in multiple events, each + event may populate different values of `event.outcome`, according to their + perspective. 
+ + Also note that in the case of a compound event (a single event that contains + multiple logical events), this field should be populated with the value that + best captures the overall success or failure from the perspective of the event + producer. + + Further note that not all events will have an associated outcome. For example, + this field is generally not populated for metric events, events with `event.type:info`, + or any events for which an outcome does not make logical sense.' + example: success + flat_name: threat.enrichments.event.outcome + ignore_above: 1024 + level: core + name: outcome + normalize: [] + original_fieldset: event + short: The outcome of the event. The lowest level categorization field in the + hierarchy. + type: keyword + threat.enrichments.event.provider: + dashed_name: threat-enrichments-event-provider + description: 'Source of the event. + + Event transports such as Syslog or the Windows Event Log typically mention + the source of an event. It can be the name of the software that generated + the event (e.g. Sysmon, httpd), or of a subsystem of the operating system + (kernel, Microsoft-Windows-Security-Auditing).' + example: kernel + flat_name: threat.enrichments.event.provider + ignore_above: 1024 + level: extended + name: provider + normalize: [] + original_fieldset: event + short: Source of the event. + type: keyword + threat.enrichments.event.reason: + dashed_name: threat-enrichments-event-reason + description: 'Reason why this event happened, according to the source. + + This describes the why of a particular action or outcome captured in the event. + Where `event.action` captures the action from the event, `event.reason` describes + why that action was taken. For example, a web proxy with an `event.action` + which denied the request may also populate `event.reason` with the reason + why (e.g. `blocked site`).' 
+ example: Terminated an unexpected process + flat_name: threat.enrichments.event.reason + ignore_above: 1024 + level: extended + name: reason + normalize: [] + original_fieldset: event + short: Reason why this event happened, according to the source + type: keyword + threat.enrichments.event.reference: + dashed_name: threat-enrichments-event-reference + description: 'Reference URL linking to additional information about this event. + + This URL links to a static definition of this event. Alert events, indicated + by `event.kind:alert`, are a common use case for this field.' + example: https://system.example.com/event/#0001234 + flat_name: threat.enrichments.event.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: event + short: Event reference URL + type: keyword + threat.enrichments.event.risk_score: + dashed_name: threat-enrichments-event-risk-score + description: Risk score or priority of the event (e.g. security solutions). + Use your system's original value here. + flat_name: threat.enrichments.event.risk_score + level: core + name: risk_score + normalize: [] + original_fieldset: event + short: Risk score or priority of the event (e.g. security solutions). Use your + system's original value here. + type: float + threat.enrichments.event.risk_score_norm: + dashed_name: threat-enrichments-event-risk-score-norm + description: 'Normalized risk score or priority of the event, on a scale of + 0 to 100. + + This is mainly useful if you use more than one system that assigns risk scores, + and you want to see a normalized value across all systems.' + flat_name: threat.enrichments.event.risk_score_norm + level: extended + name: risk_score_norm + normalize: [] + original_fieldset: event + short: Normalized risk score or priority of the event (0-100). + type: float + threat.enrichments.event.sequence: + dashed_name: threat-enrichments-event-sequence + description: 'Sequence number of the event. 
+ + The sequence number is a value published by some event sources, to make the + exact ordering of events unambiguous, regardless of the timestamp precision.' + flat_name: threat.enrichments.event.sequence + format: string + level: extended + name: sequence + normalize: [] + original_fieldset: event + short: Sequence number of the event. + type: long + threat.enrichments.event.severity: + dashed_name: threat-enrichments-event-severity + description: 'The numeric severity of the event according to your event source. + + What the different severity values mean can be different between sources and + use cases. It''s up to the implementer to make sure severities are consistent + across events from the same source. + + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` + is meant to represent the severity according to the event source (e.g. firewall, + IDS). If the event source does not publish its own severity, you may optionally + copy the `log.syslog.severity.code` to `event.severity`.' + example: 7 + flat_name: threat.enrichments.event.severity + format: string + level: core + name: severity + normalize: [] + original_fieldset: event + short: Numeric severity of the event. + type: long + threat.enrichments.event.start: + dashed_name: threat-enrichments-event-start + description: event.start contains the date when the event started or when the + activity was first observed. + flat_name: threat.enrichments.event.start + level: extended + name: start + normalize: [] + original_fieldset: event + short: event.start contains the date when the event started or when the activity + was first observed. + type: date + threat.enrichments.event.timezone: + dashed_name: threat-enrichments-event-timezone + description: 'This field should be populated when the event''s timestamp does + not include timezone information already (e.g. default Syslog timestamps). + It''s optional otherwise. + + Acceptable timezone formats are: a canonical ID (e.g. 
"Europe/Amsterdam"), + abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' + flat_name: threat.enrichments.event.timezone + ignore_above: 1024 + level: extended + name: timezone + normalize: [] + original_fieldset: event + short: Event time zone. + type: keyword + threat.enrichments.event.type: + allowed_values: + - description: The access event type is used for the subset of events within + a category that indicate that something was accessed. Common examples include + `event.category:database AND event.type:access`, or `event.category:file + AND event.type:access`. Note for file access, both directory listings and + file opens should be included in this subcategory. You can further distinguish + access operations using the ECS `event.action` field. + name: access + - description: 'The admin event type is used for the subset of events within + a category that are related to admin objects. For example, administrative + changes within an IAM framework that do not specifically affect a user or + group (e.g., adding new applications to a federation solution or connecting + discrete forests in Active Directory) would fall into this subcategory. + Common example: `event.category:iam AND event.type:change AND event.type:admin`. + You can further distinguish admin operations using the ECS `event.action` + field.' + name: admin + - description: The allowed event type is used for the subset of events within + a category that indicate that something was allowed. Common examples include + `event.category:network AND event.type:connection AND event.type:allowed` + (to indicate a network firewall event for which the firewall disposition + was to allow the connection to complete) and `event.category:intrusion_detection + AND event.type:allowed` (to indicate a network intrusion prevention system + event for which the IPS disposition was to allow the connection to complete). 
+ You can further distinguish allowed operations using the ECS `event.action` + field, populating with values of your choosing, such as "allow", "detect", + or "pass". + name: allowed + - description: The change event type is used for the subset of events within + a category that indicate that something has changed. If semantics best describe + an event as modified, then include them in this subcategory. Common examples + include `event.category:process AND event.type:change`, and `event.category:file + AND event.type:change`. You can further distinguish change operations using + the ECS `event.action` field. + name: change + - description: Used primarily with `event.category:network` this value is used + for the subset of network traffic that includes sufficient information for + the event to be included in flow or connection analysis. Events in this + subcategory will contain at least source and destination IP addresses, source + and destination TCP/UDP ports, and will usually contain counts of bytes + and/or packets transferred. Events in this subcategory may contain unidirectional + or bidirectional information, including summary information. Use this subcategory + to visualize and analyze network connections. Flow analysis, including Netflow, + IPFIX, and other flow-related events fit in this subcategory. Note that + firewall events from many Next-Generation Firewall (NGFW) devices will also + fit into this subcategory. A common filter for flow/connection information + would be `event.category:network AND event.type:connection AND event.type:end` + (to view or analyze all completed network connections, ignoring mid-flow + reports). You can further distinguish connection events using the ECS `event.action` + field, populating with values of your choosing, such as "timeout", or "reset". + name: connection + - description: The "creation" event type is used for the subset of events within + a category that indicate that something was created. 
A common example is + `event.category:file AND event.type:creation`. + name: creation + - description: The deletion event type is used for the subset of events within + a category that indicate that something was deleted. A common example is + `event.category:file AND event.type:deletion` to indicate that a file has + been deleted. + name: deletion + - description: The denied event type is used for the subset of events within + a category that indicate that something was denied. Common examples include + `event.category:network AND event.type:denied` (to indicate a network firewall + event for which the firewall disposition was to deny the connection) and + `event.category:intrusion_detection AND event.type:denied` (to indicate + a network intrusion prevention system event for which the IPS disposition + was to deny the connection to complete). You can further distinguish denied + operations using the ECS `event.action` field, populating with values of + your choosing, such as "blocked", "dropped", or "quarantined". + name: denied + - description: The end event type is used for the subset of events within a + category that indicate something has ended. A common example is `event.category:process + AND event.type:end`. + name: end + - description: The error event type is used for the subset of events within + a category that indicate or describe an error. A common example is `event.category:database + AND event.type:error`. Note that pipeline errors that occur during the event + ingestion process should not use this `event.type` value. Instead, they + should use `event.kind:pipeline_error`. + name: error + - description: 'The group event type is used for the subset of events within + a category that are related to group objects. Common example: `event.category:iam + AND event.type:creation AND event.type:group`. You can further distinguish + group operations using the ECS `event.action` field.' 
+ name: group + - description: The info event type is used for the subset of events within a + category that indicate that they are purely informational, and don't report + a state change, or any type of action. For example, an initial run of a + file integrity monitoring system (FIM), where an agent reports all files + under management, would fall into the "info" subcategory. Similarly, an + event containing a dump of all currently running processes (as opposed to + reporting that a process started/ended) would fall into the "info" subcategory. + An additional common examples is `event.category:intrusion_detection AND + event.type:info`. + name: info + - description: The installation event type is used for the subset of events + within a category that indicate that something was installed. A common example + is `event.category:package` AND `event.type:installation`. + name: installation + - description: The protocol event type is used for the subset of events within + a category that indicate that they contain protocol details or analysis, + beyond simply identifying the protocol. Generally, network events that contain + specific protocol details will fall into this subcategory. A common example + is `event.category:network AND event.type:protocol AND event.type:connection + AND event.type:end` (to indicate that the event is a network connection + event sent at the end of a connection that also includes a protocol detail + breakdown). Note that events that only indicate the name or id of the protocol + should not use the protocol value. Further note that when the protocol subcategory + is used, the identified protocol is populated in the ECS `network.protocol` + field. + name: protocol + - description: The start event type is used for the subset of events within + a category that indicate something has started. A common example is `event.category:process + AND event.type:start`. 
+ name: start + - description: 'The user event type is used for the subset of events within + a category that are related to user objects. Common example: `event.category:iam + AND event.type:deletion AND event.type:user`. You can further distinguish + user operations using the ECS `event.action` field.' + name: user + dashed_name: threat-enrichments-event-type + description: 'This is one of four ECS Categorization Fields, and indicates the + third level in the ECS category hierarchy. + + `event.type` represents a categorization "sub-bucket" that, when used along + with the `event.category` field values, enables filtering events down to a + level appropriate for single visualization. + + This field is an array. This will allow proper categorization of some events + that fall in multiple event types.' + flat_name: threat.enrichments.event.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: event + short: Event type. The third categorization field in the hierarchy. + type: keyword + threat.enrichments.event.url: + dashed_name: threat-enrichments-event-url + description: 'URL linking to an external system to continue investigation of + this event. + + This URL links to another system where in-depth investigation of the specific + occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, + are a common use case for this field.' + example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe + flat_name: threat.enrichments.event.url + ignore_above: 1024 + level: extended + name: url + normalize: [] + original_fieldset: event + short: Event investigation URL + type: keyword + threat.enrichments.file.accessed: + dashed_name: threat-enrichments-file-accessed + description: 'Last time the file was accessed. + + Note that not all filesystems keep track of access time.' 
+ flat_name: threat.enrichments.file.accessed + level: extended + name: accessed + normalize: [] + original_fieldset: file + short: Last time the file was accessed. + type: date + threat.enrichments.file.attributes: + dashed_name: threat-enrichments-file-attributes + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' + example: '["readonly", "system"]' + flat_name: threat.enrichments.file.attributes + ignore_above: 1024 + level: extended + name: attributes + normalize: + - array + original_fieldset: file + short: Array of file attributes. + type: keyword + threat.enrichments.file.code_signature.exists: + dashed_name: threat-enrichments-file-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: threat.enrichments.file.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + threat.enrichments.file.code_signature.signing_id: + dashed_name: threat-enrichments-file-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: threat.enrichments.file.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword + threat.enrichments.file.code_signature.status: + dashed_name: threat-enrichments-file-code-signature-status + description: 'Additional information about the certificate status. 
+ + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: threat.enrichments.file.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword + threat.enrichments.file.code_signature.subject_name: + dashed_name: threat-enrichments-file-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: threat.enrichments.file.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + threat.enrichments.file.code_signature.team_id: + dashed_name: threat-enrichments-file-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: threat.enrichments.file.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword + threat.enrichments.file.code_signature.trusted: + dashed_name: threat-enrichments-file-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: threat.enrichments.file.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. 
+ type: boolean + threat.enrichments.file.code_signature.valid: + dashed_name: threat-enrichments-file-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: threat.enrichments.file.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + threat.enrichments.file.created: + dashed_name: threat-enrichments-file-created + description: 'File creation time. + + Note that not all filesystems store the creation time.' + flat_name: threat.enrichments.file.created + level: extended + name: created + normalize: [] + original_fieldset: file + short: File creation time. + type: date + threat.enrichments.file.ctime: + dashed_name: threat-enrichments-file-ctime + description: 'Last time the file attributes or metadata changed. + + Note that changes to the file content will update `mtime`. This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' + flat_name: threat.enrichments.file.ctime + level: extended + name: ctime + normalize: [] + original_fieldset: file + short: Last time the file attributes or metadata changed. + type: date + threat.enrichments.file.device: + dashed_name: threat-enrichments-file-device + description: Device that is the source of the file. + example: sda + flat_name: threat.enrichments.file.device + ignore_above: 1024 + level: extended + name: device + normalize: [] + original_fieldset: file + short: Device that is the source of the file. + type: keyword + threat.enrichments.file.directory: + dashed_name: threat-enrichments-file-directory + description: Directory where the file is located. It should include the drive + letter, when appropriate. 
+ example: /home/alice + flat_name: threat.enrichments.file.directory + ignore_above: 1024 + level: extended + name: directory + normalize: [] + original_fieldset: file + short: Directory where the file is located. + type: keyword + threat.enrichments.file.drive_letter: + dashed_name: threat-enrichments-file-drive-letter + description: 'Drive letter where the file is located. This field is only relevant + on Windows. + + The value should be uppercase, and not include the colon.' + example: C + flat_name: threat.enrichments.file.drive_letter + ignore_above: 1 + level: extended + name: drive_letter + normalize: [] + original_fieldset: file + short: Drive letter where the file is located. + type: keyword + threat.enrichments.file.elf.architecture: + dashed_name: threat-enrichments-file-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: threat.enrichments.file.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword + threat.enrichments.file.elf.byte_order: + dashed_name: threat-enrichments-file-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: threat.enrichments.file.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword + threat.enrichments.file.elf.cpu_type: + dashed_name: threat-enrichments-file-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: threat.enrichments.file.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword + threat.enrichments.file.elf.creation_date: + dashed_name: threat-enrichments-file-elf-creation-date + description: Extracted when possible from the file's metadata. 
Indicates when + it was built or compiled. It can also be faked by malware creators. + flat_name: threat.enrichments.file.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date + threat.enrichments.file.elf.exports: + dashed_name: threat-enrichments-file-elf-exports + description: List of exported element names and types. + flat_name: threat.enrichments.file.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened + threat.enrichments.file.elf.header.abi_version: + dashed_name: threat-enrichments-file-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: threat.enrichments.file.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword + threat.enrichments.file.elf.header.class: + dashed_name: threat-enrichments-file-elf-header-class + description: Header class of the ELF file. + flat_name: threat.enrichments.file.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword + threat.enrichments.file.elf.header.data: + dashed_name: threat-enrichments-file-elf-header-data + description: Data table of the ELF header. + flat_name: threat.enrichments.file.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword + threat.enrichments.file.elf.header.entrypoint: + dashed_name: threat-enrichments-file-elf-header-entrypoint + description: Header entrypoint of the ELF file. 
+ flat_name: threat.enrichments.file.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long + threat.enrichments.file.elf.header.object_version: + dashed_name: threat-enrichments-file-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: threat.enrichments.file.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword + threat.enrichments.file.elf.header.os_abi: + dashed_name: threat-enrichments-file-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: threat.enrichments.file.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword + threat.enrichments.file.elf.header.type: + dashed_name: threat-enrichments-file-elf-header-type + description: Header type of the ELF file. + flat_name: threat.enrichments.file.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword + threat.enrichments.file.elf.header.version: + dashed_name: threat-enrichments-file-elf-header-version + description: Version of the ELF header. + flat_name: threat.enrichments.file.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword + threat.enrichments.file.elf.imports: + dashed_name: threat-enrichments-file-elf-imports + description: List of imported element names and types. 
+ flat_name: threat.enrichments.file.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened + threat.enrichments.file.elf.sections: + dashed_name: threat-enrichments-file-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + flat_name: threat.enrichments.file.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested + threat.enrichments.file.elf.sections.chi2: + dashed_name: threat-enrichments-file-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: threat.enrichments.file.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long + threat.enrichments.file.elf.sections.entropy: + dashed_name: threat-enrichments-file-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: threat.enrichments.file.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long + threat.enrichments.file.elf.sections.flags: + dashed_name: threat-enrichments-file-elf-sections-flags + description: ELF Section List flags. + flat_name: threat.enrichments.file.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword + threat.enrichments.file.elf.sections.name: + dashed_name: threat-enrichments-file-elf-sections-name + description: ELF Section List name. 
+ flat_name: threat.enrichments.file.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword + threat.enrichments.file.elf.sections.physical_offset: + dashed_name: threat-enrichments-file-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: threat.enrichments.file.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword + threat.enrichments.file.elf.sections.physical_size: + dashed_name: threat-enrichments-file-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: threat.enrichments.file.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long + threat.enrichments.file.elf.sections.type: + dashed_name: threat-enrichments-file-elf-sections-type + description: ELF Section List type. + flat_name: threat.enrichments.file.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword + threat.enrichments.file.elf.sections.virtual_address: + dashed_name: threat-enrichments-file-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: threat.enrichments.file.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long + threat.enrichments.file.elf.sections.virtual_size: + dashed_name: threat-enrichments-file-elf-sections-virtual-size + description: ELF Section List virtual size. 
+ flat_name: threat.enrichments.file.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long + threat.enrichments.file.elf.segments: + dashed_name: threat-enrichments-file-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + flat_name: threat.enrichments.file.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested + threat.enrichments.file.elf.segments.sections: + dashed_name: threat-enrichments-file-elf-segments-sections + description: ELF object segment sections. + flat_name: threat.enrichments.file.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword + threat.enrichments.file.elf.segments.type: + dashed_name: threat-enrichments-file-elf-segments-type + description: ELF object segment type. + flat_name: threat.enrichments.file.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword + threat.enrichments.file.elf.shared_libraries: + dashed_name: threat-enrichments-file-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: threat.enrichments.file.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword + threat.enrichments.file.elf.telfhash: + dashed_name: threat-enrichments-file-elf-telfhash + description: telfhash symbol hash for ELF file. 
+ flat_name: threat.enrichments.file.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword + threat.enrichments.file.extension: + dashed_name: threat-enrichments-file-extension + description: 'File extension, excluding the leading dot. + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png + flat_name: threat.enrichments.file.extension + ignore_above: 1024 + level: extended + name: extension + normalize: [] + original_fieldset: file + short: File extension, excluding the leading dot. + type: keyword + threat.enrichments.file.gid: + dashed_name: threat-enrichments-file-gid + description: Primary group ID (GID) of the file. + example: '1001' + flat_name: threat.enrichments.file.gid + ignore_above: 1024 + level: extended + name: gid + normalize: [] + original_fieldset: file + short: Primary group ID (GID) of the file. + type: keyword + threat.enrichments.file.group: + dashed_name: threat-enrichments-file-group + description: Primary group name of the file. + example: alice + flat_name: threat.enrichments.file.group + ignore_above: 1024 + level: extended + name: group + normalize: [] + original_fieldset: file + short: Primary group name of the file. + type: keyword + threat.enrichments.file.inode: + dashed_name: threat-enrichments-file-inode + description: Inode representing the file in the filesystem. + example: '256383' + flat_name: threat.enrichments.file.inode + ignore_above: 1024 + level: extended + name: inode + normalize: [] + original_fieldset: file + short: Inode representing the file in the filesystem. 
+ type: keyword + threat.enrichments.file.mime_type: + dashed_name: threat-enrichments-file-mime-type + description: MIME type should identify the format of the file or stream of bytes + using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA + official types], where possible. When more than one type is applicable, the + most specific type should be used. + flat_name: threat.enrichments.file.mime_type + ignore_above: 1024 + level: extended + name: mime_type + normalize: [] + original_fieldset: file + short: Media type of file, document, or arrangement of bytes. + type: keyword + threat.enrichments.file.mode: + dashed_name: threat-enrichments-file-mode + description: Mode of the file in octal representation. + example: '0640' + flat_name: threat.enrichments.file.mode + ignore_above: 1024 + level: extended + name: mode + normalize: [] + original_fieldset: file + short: Mode of the file in octal representation. + type: keyword + threat.enrichments.file.mtime: + dashed_name: threat-enrichments-file-mtime + description: Last time the file content was modified. + flat_name: threat.enrichments.file.mtime + level: extended + name: mtime + normalize: [] + original_fieldset: file + short: Last time the file content was modified. + type: date + threat.enrichments.file.name: + dashed_name: threat-enrichments-file-name + description: Name of the file including the extension, without the directory. + example: example.png + flat_name: threat.enrichments.file.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: file + short: Name of the file including the extension, without the directory. + type: keyword + threat.enrichments.file.owner: + dashed_name: threat-enrichments-file-owner + description: File owner's username. + example: alice + flat_name: threat.enrichments.file.owner + ignore_above: 1024 + level: extended + name: owner + normalize: [] + original_fieldset: file + short: File owner's username. 
+ type: keyword + threat.enrichments.file.path: + dashed_name: threat-enrichments-file-path + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png + flat_name: threat.enrichments.file.path + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: threat.enrichments.file.path.text + name: text + norms: false + type: text + name: path + normalize: [] + original_fieldset: file + short: Full path to the file, including the file name. + type: keyword + threat.enrichments.file.size: + dashed_name: threat-enrichments-file-size + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + flat_name: threat.enrichments.file.size + level: extended + name: size + normalize: [] + original_fieldset: file + short: File size in bytes. + type: long + threat.enrichments.file.target_path: + dashed_name: threat-enrichments-file-target-path + description: Target path for symlinks. + flat_name: threat.enrichments.file.target_path + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: threat.enrichments.file.target_path.text + name: text + norms: false + type: text + name: target_path + normalize: [] + original_fieldset: file + short: Target path for symlinks. + type: keyword + threat.enrichments.file.type: + dashed_name: threat-enrichments-file-type + description: File type (file, dir, or symlink). + example: file + flat_name: threat.enrichments.file.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: file + short: File type (file, dir, or symlink). + type: keyword + threat.enrichments.file.uid: + dashed_name: threat-enrichments-file-uid + description: The user ID (UID) or security identifier (SID) of the file owner. 
+ example: '1001' + flat_name: threat.enrichments.file.uid + ignore_above: 1024 + level: extended + name: uid + normalize: [] + original_fieldset: file + short: The user ID (UID) or security identifier (SID) of the file owner. + type: keyword + threat.enrichments.geo.city_name: + dashed_name: threat-enrichments-geo-city-name + description: City name. + example: Montreal + flat_name: threat.enrichments.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + threat.enrichments.geo.continent_code: + dashed_name: threat-enrichments-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: threat.enrichments.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword + threat.enrichments.geo.continent_name: + dashed_name: threat-enrichments-geo-continent-name + description: Name of the continent. + example: North America + flat_name: threat.enrichments.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + threat.enrichments.geo.country_iso_code: + dashed_name: threat-enrichments-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: threat.enrichments.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + threat.enrichments.geo.country_name: + dashed_name: threat-enrichments-geo-country-name + description: Country name. + example: Canada + flat_name: threat.enrichments.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. 
+ type: keyword + threat.enrichments.geo.location: + dashed_name: threat-enrichments-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: threat.enrichments.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + threat.enrichments.geo.name: + dashed_name: threat-enrichments-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: threat.enrichments.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword + threat.enrichments.geo.postal_code: + dashed_name: threat-enrichments-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: threat.enrichments.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword + threat.enrichments.geo.region_iso_code: + dashed_name: threat-enrichments-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: threat.enrichments.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + threat.enrichments.geo.region_name: + dashed_name: threat-enrichments-geo-region-name + description: Region name. 
+ example: Quebec + flat_name: threat.enrichments.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword + threat.enrichments.geo.timezone: + dashed_name: threat-enrichments-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: threat.enrichments.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword + threat.enrichments.hash.md5: + dashed_name: threat-enrichments-hash-md5 + description: MD5 hash. + flat_name: threat.enrichments.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword + threat.enrichments.hash.sha1: + dashed_name: threat-enrichments-hash-sha1 + description: SHA1 hash. + flat_name: threat.enrichments.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword + threat.enrichments.hash.sha256: + dashed_name: threat-enrichments-hash-sha256 + description: SHA256 hash. + flat_name: threat.enrichments.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword + threat.enrichments.hash.sha512: + dashed_name: threat-enrichments-hash-sha512 + description: SHA512 hash. + flat_name: threat.enrichments.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword + threat.enrichments.hash.ssdeep: + dashed_name: threat-enrichments-hash-ssdeep + description: SSDEEP hash. + flat_name: threat.enrichments.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. 
+ type: keyword + threat.enrichments.matched.atomic: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-atomic + description: Identifies the atomic indicator value that matched a local environment + endpoint or network event. + example: bad-domain.com + flat_name: threat.enrichments.matched.atomic + ignore_above: 1024 + level: extended + name: enrichments.matched.atomic + normalize: [] + short: Matched indicator value + type: keyword + threat.enrichments.matched.field: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-field + description: Identifies the field of the atomic indicator that matched a local + environment endpoint or network event. + example: file.hash.sha256 + flat_name: threat.enrichments.matched.field + ignore_above: 1024 + level: extended + name: enrichments.matched.field + normalize: [] + short: Matched indicator field + type: keyword + threat.enrichments.matched.id: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-id + description: Identifies the _id of the indicator document enriching the event. + example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 + flat_name: threat.enrichments.matched.id + ignore_above: 1024 + level: extended + name: enrichments.matched.id + normalize: [] + short: Matched indicator identifier + type: keyword + threat.enrichments.matched.index: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-index + description: Identifies the _index of the indicator document enriching the event. + example: filebeat-8.0.0-2021.05.23-000011 + flat_name: threat.enrichments.matched.index + ignore_above: 1024 + level: extended + name: enrichments.matched.index + normalize: [] + short: Matched indicator index + type: keyword + threat.enrichments.matched.type: + beta: This field is beta and subject to change. 
+ dashed_name: threat-enrichments-matched-type + description: Identifies the type of match that caused the event to be enriched + with the given indicator + example: indicator_match_rule + flat_name: threat.enrichments.matched.type + ignore_above: 1024 + level: extended + name: enrichments.matched.type + normalize: [] + short: Type of indicator match + type: keyword + threat.enrichments.url.domain: + dashed_name: threat-enrichments-url-domain + description: 'Domain of the url, such as "www.elastic.co". + + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC + 2732), the `[` and `]` characters should also be captured in the `domain` + field.' + example: www.elastic.co + flat_name: threat.enrichments.url.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: url + short: Domain of the url. + type: keyword + threat.enrichments.url.extension: + dashed_name: threat-enrichments-url-extension + description: 'The field contains the file extension from the original request + url, excluding the leading dot. + + The file extension is only set if it exists, as not every url has a file extension. + + The leading period must not be included. For example, the value must be "png", + not ".png". + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png + flat_name: threat.enrichments.url.extension + ignore_above: 1024 + level: extended + name: extension + normalize: [] + original_fieldset: url + short: File extension from the request url, excluding the leading dot. + type: keyword + threat.enrichments.url.fragment: + dashed_name: threat-enrichments-url-fragment + description: 'Portion of the url after the `#`, such as "top". + + The `#` is not part of the fragment.' 
+ flat_name: threat.enrichments.url.fragment + ignore_above: 1024 + level: extended + name: fragment + normalize: [] + original_fieldset: url + short: Portion of the url after the `#`. + type: keyword + threat.enrichments.url.full: + dashed_name: threat-enrichments-url-full + description: If full URLs are important to your use case, they should be stored + in `url.full`, whether this field is reconstructed or present in the event + source. + example: https://www.elastic.co:443/search?q=elasticsearch#top + flat_name: threat.enrichments.url.full + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: threat.enrichments.url.full.text + name: text + norms: false + type: text + name: full + normalize: [] + original_fieldset: url + short: Full unparsed URL. + type: keyword + threat.enrichments.url.original: + dashed_name: threat-enrichments-url-original + description: 'Unmodified original url as seen in the event source. + + Note that in network monitoring, the observed URL may be a full URL, whereas + in access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' + example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + flat_name: threat.enrichments.url.original + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: threat.enrichments.url.original.text + name: text + norms: false + type: text + name: original + normalize: [] + original_fieldset: url + short: Unmodified original url as seen in the event source. + type: keyword + threat.enrichments.url.password: + dashed_name: threat-enrichments-url-password + description: Password of the request. + flat_name: threat.enrichments.url.password + ignore_above: 1024 + level: extended + name: password + normalize: [] + original_fieldset: url + short: Password of the request. 
+ type: keyword + threat.enrichments.url.path: + dashed_name: threat-enrichments-url-path + description: Path of the request, such as "/search". + flat_name: threat.enrichments.url.path + ignore_above: 1024 + level: extended + name: path + normalize: [] + original_fieldset: url + short: Path of the request, such as "/search". + type: keyword + threat.enrichments.url.port: + dashed_name: threat-enrichments-url-port + description: Port of the request, such as 443. + example: 443 + flat_name: threat.enrichments.url.port + format: string + level: extended + name: port + normalize: [] + original_fieldset: url + short: Port of the request, such as 443. + type: long + threat.enrichments.url.query: + dashed_name: threat-enrichments-url-query + description: 'The query field describes the query string of the request, such + as "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there + is no query field. If there is a `?` but no query, the query field exists + with an empty string. The `exists` query can be used to differentiate between + the two cases.' + flat_name: threat.enrichments.url.query + ignore_above: 1024 + level: extended + name: query + normalize: [] + original_fieldset: url + short: Query string of the request. + type: keyword + threat.enrichments.url.registered_domain: + dashed_name: threat-enrichments-url-registered-domain + description: 'The highest registered url domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' 
+ example: example.com + flat_name: threat.enrichments.url.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: url + short: The highest registered url domain, stripped of the subdomain. + type: keyword + threat.enrichments.url.scheme: + dashed_name: threat-enrichments-url-scheme + description: 'Scheme of the request, such as "https". + + Note: The `:` is not part of the scheme.' + example: https + flat_name: threat.enrichments.url.scheme + ignore_above: 1024 + level: extended + name: scheme + normalize: [] + original_fieldset: url + short: Scheme of the url. + type: keyword + threat.enrichments.url.subdomain: + dashed_name: threat-enrichments-url-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: threat.enrichments.url.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: url + short: The subdomain of the domain. + type: keyword + threat.enrichments.url.top_level_domain: + dashed_name: threat-enrichments-url-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). 
Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: threat.enrichments.url.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: url + short: The effective top level domain (com, org, net, co.uk). + type: keyword + threat.enrichments.url.username: + dashed_name: threat-enrichments-url-username + description: Username of the request. + flat_name: threat.enrichments.url.username + ignore_above: 1024 + level: extended + name: username + normalize: [] + original_fieldset: url + short: Username of the request. + type: keyword + threat.enrichments.x509.alternative_names: + dashed_name: threat-enrichments-x509-alternative-names + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' + flat_name: threat.enrichments.x509.alternative_names + ignore_above: 1024 + level: extended + name: alternative_names + normalize: + - array + original_fieldset: x509 + short: List of subject alternative names (SAN). + type: keyword + threat.enrichments.x509.issuer.common_name: + dashed_name: threat-enrichments-x509-issuer-common-name + description: List of common name (CN) of issuing certificate authority. + example: Example SHA2 High Assurance Server CA + flat_name: threat.enrichments.x509.issuer.common_name + ignore_above: 1024 + level: extended + name: issuer.common_name + normalize: + - array + original_fieldset: x509 + short: List of common name (CN) of issuing certificate authority. 
+ type: keyword + threat.enrichments.x509.issuer.country: + dashed_name: threat-enrichments-x509-issuer-country + description: List of country (C) codes + example: US + flat_name: threat.enrichments.x509.issuer.country + ignore_above: 1024 + level: extended + name: issuer.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) codes + type: keyword + threat.enrichments.x509.issuer.distinguished_name: + dashed_name: threat-enrichments-x509-issuer-distinguished-name + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + flat_name: threat.enrichments.x509.issuer.distinguished_name + ignore_above: 1024 + level: extended + name: issuer.distinguished_name + normalize: [] + original_fieldset: x509 + short: Distinguished name (DN) of issuing certificate authority. + type: keyword + threat.enrichments.x509.issuer.locality: + dashed_name: threat-enrichments-x509-issuer-locality + description: List of locality names (L) + example: Mountain View + flat_name: threat.enrichments.x509.issuer.locality + ignore_above: 1024 + level: extended + name: issuer.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) + type: keyword + threat.enrichments.x509.issuer.organization: + dashed_name: threat-enrichments-x509-issuer-organization + description: List of organizations (O) of issuing certificate authority. + example: Example Inc + flat_name: threat.enrichments.x509.issuer.organization + ignore_above: 1024 + level: extended + name: issuer.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of issuing certificate authority. + type: keyword + threat.enrichments.x509.issuer.organizational_unit: + dashed_name: threat-enrichments-x509-issuer-organizational-unit + description: List of organizational units (OU) of issuing certificate authority. 
+ example: www.example.com + flat_name: threat.enrichments.x509.issuer.organizational_unit + ignore_above: 1024 + level: extended + name: issuer.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of issuing certificate authority. + type: keyword + threat.enrichments.x509.issuer.state_or_province: + dashed_name: threat-enrichments-x509-issuer-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: threat.enrichments.x509.issuer.state_or_province + ignore_above: 1024 + level: extended + name: issuer.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword + threat.enrichments.x509.not_after: + dashed_name: threat-enrichments-x509-not-after + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + flat_name: threat.enrichments.x509.not_after + level: extended + name: not_after + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is no longer considered valid. + type: date + threat.enrichments.x509.not_before: + dashed_name: threat-enrichments-x509-not-before + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + flat_name: threat.enrichments.x509.not_before + level: extended + name: not_before + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is first considered valid. + type: date + threat.enrichments.x509.public_key_algorithm: + dashed_name: threat-enrichments-x509-public-key-algorithm + description: Algorithm used to generate the public key. + example: RSA + flat_name: threat.enrichments.x509.public_key_algorithm + ignore_above: 1024 + level: extended + name: public_key_algorithm + normalize: [] + original_fieldset: x509 + short: Algorithm used to generate the public key. 
+ type: keyword + threat.enrichments.x509.public_key_curve: + dashed_name: threat-enrichments-x509-public-key-curve + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 + flat_name: threat.enrichments.x509.public_key_curve + ignore_above: 1024 + level: extended + name: public_key_curve + normalize: [] + original_fieldset: x509 + short: The curve used by the elliptic curve public key algorithm. This is algorithm + specific. + type: keyword + threat.enrichments.x509.public_key_exponent: + dashed_name: threat-enrichments-x509-public-key-exponent + description: Exponent used to derive the public key. This is algorithm specific. + doc_values: false + example: 65537 + flat_name: threat.enrichments.x509.public_key_exponent + index: false + level: extended + name: public_key_exponent + normalize: [] + original_fieldset: x509 + short: Exponent used to derive the public key. This is algorithm specific. + type: long + threat.enrichments.x509.public_key_size: + dashed_name: threat-enrichments-x509-public-key-size + description: The size of the public key space in bits. + example: 2048 + flat_name: threat.enrichments.x509.public_key_size + level: extended + name: public_key_size + normalize: [] + original_fieldset: x509 + short: The size of the public key space in bits. + type: long + threat.enrichments.x509.serial_number: + dashed_name: threat-enrichments-x509-serial-number + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + flat_name: threat.enrichments.x509.serial_number + ignore_above: 1024 + level: extended + name: serial_number + normalize: [] + original_fieldset: x509 + short: Unique serial number issued by the certificate authority. 
+ type: keyword + threat.enrichments.x509.signature_algorithm: + dashed_name: threat-enrichments-x509-signature-algorithm + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA + flat_name: threat.enrichments.x509.signature_algorithm + ignore_above: 1024 + level: extended + name: signature_algorithm + normalize: [] + original_fieldset: x509 + short: Identifier for certificate signature algorithm. + type: keyword + threat.enrichments.x509.subject.common_name: + dashed_name: threat-enrichments-x509-subject-common-name + description: List of common names (CN) of subject. + example: shared.global.example.net + flat_name: threat.enrichments.x509.subject.common_name + ignore_above: 1024 + level: extended + name: subject.common_name + normalize: + - array + original_fieldset: x509 + short: List of common names (CN) of subject. + type: keyword + threat.enrichments.x509.subject.country: + dashed_name: threat-enrichments-x509-subject-country + description: List of country (C) code + example: US + flat_name: threat.enrichments.x509.subject.country + ignore_above: 1024 + level: extended + name: subject.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) code + type: keyword + threat.enrichments.x509.subject.distinguished_name: + dashed_name: threat-enrichments-x509-subject-distinguished-name + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + flat_name: threat.enrichments.x509.subject.distinguished_name + ignore_above: 1024 + level: extended + name: subject.distinguished_name + normalize: [] + original_fieldset: x509 + short: Distinguished name (DN) of the certificate subject entity. 
+ type: keyword + threat.enrichments.x509.subject.locality: + dashed_name: threat-enrichments-x509-subject-locality + description: List of locality names (L) + example: San Francisco + flat_name: threat.enrichments.x509.subject.locality + ignore_above: 1024 + level: extended + name: subject.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) + type: keyword + threat.enrichments.x509.subject.organization: + dashed_name: threat-enrichments-x509-subject-organization + description: List of organizations (O) of subject. + example: Example, Inc. + flat_name: threat.enrichments.x509.subject.organization + ignore_above: 1024 + level: extended + name: subject.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of subject. + type: keyword + threat.enrichments.x509.subject.organizational_unit: + dashed_name: threat-enrichments-x509-subject-organizational-unit + description: List of organizational units (OU) of subject. + flat_name: threat.enrichments.x509.subject.organizational_unit + ignore_above: 1024 + level: extended + name: subject.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of subject. + type: keyword + threat.enrichments.x509.subject.state_or_province: + dashed_name: threat-enrichments-x509-subject-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: threat.enrichments.x509.subject.state_or_province + ignore_above: 1024 + level: extended + name: subject.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword + threat.enrichments.x509.version_number: + dashed_name: threat-enrichments-x509-version-number + description: Version of x509 format. 
+ example: 3 + flat_name: threat.enrichments.x509.version_number + ignore_above: 1024 + level: extended + name: version_number + normalize: [] + original_fieldset: x509 + short: Version of x509 format. + type: keyword + threat.framework: + dashed_name: threat-framework + description: Name of the threat framework used to further categorize and classify + the tactic and technique of the reported threat. Framework classification + can be provided by detecting systems, evaluated at ingest time, or retrospectively + tagged to events. + example: MITRE ATT&CK + flat_name: threat.framework + ignore_above: 1024 + level: extended + name: framework + normalize: [] + short: Threat classification framework. + type: keyword + threat.group.alias: + beta: This field is beta and subject to change. + dashed_name: threat-group-alias + description: "The alias(es) of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group alias(es)." + example: '[ "Magecart Group 6" ]' + flat_name: threat.group.alias + ignore_above: 1024 + level: extended + name: group.alias + normalize: + - array + short: Alias of the group. + type: keyword + threat.group.id: + beta: This field is beta and subject to change. + dashed_name: threat-group-id + description: "The id of the group for a set of related intrusion activity that\ + \ are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group id." + example: G0037 + flat_name: threat.group.id + ignore_above: 1024 + level: extended + name: group.id + normalize: [] + short: ID of the group. + type: keyword + threat.group.name: + beta: This field is beta and subject to change. + dashed_name: threat-group-name + description: "The name of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. 
While not required,\ + \ you can use a MITRE ATT&CK\xAE group name." + example: FIN6 + flat_name: threat.group.name + ignore_above: 1024 + level: extended + name: group.name + normalize: [] + short: Name of the group. + type: keyword + threat.group.reference: + beta: This field is beta and subject to change. + dashed_name: threat-group-reference + description: "The reference URL of the group for a set of related intrusion\ + \ activity that are tracked by a common name in the security community. While\ + \ not required, you can use a MITRE ATT&CK\xAE group reference URL." + example: https://attack.mitre.org/groups/G0037/ + flat_name: threat.group.reference + ignore_above: 1024 + level: extended + name: group.reference + normalize: [] + short: Reference URL of the group. + type: keyword + threat.indicator.confidence: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-confidence + description: "Identifies the confidence rating assigned by the provider using\ + \ STIX confidence scales.\nRecommended values:\n * Not Specified, None, Low,\ + \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ + \ * WEP Scale (Impossible - Certain)" + example: High + flat_name: threat.indicator.confidence + ignore_above: 1024 + level: extended + name: indicator.confidence + normalize: [] + short: Indicator confidence rating + type: keyword + threat.indicator.description: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-description + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. + flat_name: threat.indicator.description + ignore_above: 1024 + level: extended + name: indicator.description + normalize: [] + short: Indicator description + type: keyword + threat.indicator.email.address: + beta: This field is beta and subject to change. 
+ dashed_name: threat-indicator-email-address + description: Identifies a threat indicator as an email address (irrespective + of direction). + example: phish@example.com + flat_name: threat.indicator.email.address + ignore_above: 1024 + level: extended + name: indicator.email.address + normalize: [] + short: Indicator email address + type: keyword + threat.indicator.first_seen: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-first-seen + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.first_seen + level: extended + name: indicator.first_seen + normalize: [] + short: Date/time indicator was first reported. + type: date + threat.indicator.ip: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-ip + description: Identifies a threat indicator as an IP address (irrespective of + direction). + example: 1.2.3.4 + flat_name: threat.indicator.ip + level: extended + name: indicator.ip + normalize: [] + short: Indicator IP address + type: ip + threat.indicator.last_seen: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-last-seen + description: The date and time when intelligence source last reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.last_seen + level: extended + name: indicator.last_seen + normalize: [] + short: Date/time indicator was last reported. + type: date + threat.indicator.marking.tlp: + beta: This field is beta and subject to change. 
+ dashed_name: threat-indicator-marking-tlp + description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: WHITE + flat_name: threat.indicator.marking.tlp + ignore_above: 1024 + level: extended + name: indicator.marking.tlp + normalize: [] + short: Indicator TLP marking + type: keyword + threat.indicator.modified_at: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-modified-at + description: The date and time when intelligence source last modified information + for this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.modified_at + level: extended + name: indicator.modified_at + normalize: [] + short: Date/time indicator was last updated. + type: date + threat.indicator.port: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-port + description: Identifies a threat indicator as a port number (irrespective of + direction). + example: 443 + flat_name: threat.indicator.port + level: extended + name: indicator.port + normalize: [] + short: Indicator port + type: long + threat.indicator.scanner_stats: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-scanner-stats + description: Count of AV/EDR vendors that successfully detected malicious file + or URL. + example: 4 + flat_name: threat.indicator.scanner_stats + level: extended + name: indicator.scanner_stats + normalize: [] + short: Scanner statistics + type: long + threat.indicator.sightings: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-sightings + description: Number of times this indicator was observed conducting threat activity. + example: 20 + flat_name: threat.indicator.sightings + level: extended + name: indicator.sightings + normalize: [] + short: Number of times indicator observed + type: long + threat.indicator.type: + beta: This field is beta and subject to change. 
dashed_name: threat-indicator-type description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ @@ -10612,7 +12996,44 @@ threat: type: keyword group: 2 name: threat + nestings: + - threat.enrichments.as + - threat.enrichments.event + - threat.enrichments.file + - threat.enrichments.geo + - threat.enrichments.hash + - threat.enrichments.url + - threat.enrichments.x509 prefix: threat. + reused_here: + - beta: Reusing the `as` fields in this location is currently considered beta. + full: threat.enrichments.as + schema_name: as + short: Fields describing an Autonomous System (Internet routing prefix). + - beta: Reusing the `event` fields in this location is currently considered beta. + full: threat.enrichments.event + schema_name: event + short: Fields breaking down the event details. + - beta: Reusing the `file` fields in this location is currently considered beta. + full: threat.enrichments.file + schema_name: file + short: Fields describing files. + - beta: Reusing the `geo` fields in this location is currently considered beta. + full: threat.enrichments.geo + schema_name: geo + short: Fields describing a location. + - beta: Reusing the `hash` fields in this location is currently considered beta. + full: threat.enrichments.hash + schema_name: hash + short: Hashes, usually file hashes. + - beta: Reusing the `url` fields in this location is currently considered beta. + full: threat.enrichments.url + schema_name: url + short: Fields that let you store URLs in various forms. + - beta: Reusing the `x509` fields in this location is currently considered beta. + full: threat.enrichments.x509 + schema_name: x509 + short: These fields contain x509 certificate metadata. short: Fields to classify events and alerts according to a threat taxonomy. title: Threat type: group 
@@ -11890,6 +14311,13 @@ url: group: 2 name: url prefix: url. + reusable: + expected: + - as: url + at: threat.enrichments + beta: Reusing the `url` fields in this location is currently considered beta. + full: threat.enrichments.url + top_level: true short: Fields that let you store URLs in various forms. title: URL type: group @@ -13190,6 +15618,10 @@ x509: - as: x509 at: file full: file.x509 + - as: x509 + at: threat.enrichments + beta: Reusing the `x509` fields in this location is currently considered beta. + full: threat.enrichments.x509 - as: x509 at: tls.client full: tls.client.x509 diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index 88a7df924d..a2825c9c03 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json 
@@ -3097,6 +3097,646 @@ }, "threat": { "properties": { + "enrichments": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "doc_values": false, + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { 
+ "properties": { + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": 
"long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "matched": { + "properties": { + "atomic": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "index": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "nested" + }, "framework": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index fce5155323..229880cfcd 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json 
@@ -3093,6 +3093,646 @@ }, "threat": { "properties": { + "enrichments": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "doc_values": false, + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { 
+ "properties": { + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": 
"long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "matched": { + "properties": { + "atomic": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "index": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "nested" + }, "framework": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/component/threat.json b/generated/elasticsearch/component/threat.json index 299b73c8bc..124daac2e0 100644 --- a/generated/elasticsearch/component/threat.json 
+++ b/generated/elasticsearch/component/threat.json 
@@ -8,6 +8,646 @@ "properties": { "threat": { "properties": { + "enrichments": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "doc_values": false, + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "matched": { + "properties": { + "atomic": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "index": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { 
+ "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "nested" + }, "framework": { "ignore_above": 1024, "type": "keyword" diff --git a/schemas/as.yml b/schemas/as.yml index 952d7febeb..d75d4edaee 100644 --- a/schemas/as.yml +++ b/schemas/as.yml 
@@ -15,6 +15,9 @@
- destination
- server
- source
+ - at: threat.enrichments
+ as: as
+ beta: Reusing the `as` fields in this location is currently considered beta.
type: group
fields:
diff --git a/schemas/event.yml b/schemas/event.yml
index aa9263a3df..7d4033398c 100644
--- a/schemas/event.yml
+++ b/schemas/event.yml
@@ -17,6 +17,12 @@
See the `event.kind` definition in this section for additional details about metric and state events.
type: group
+ reusable:
+ top_level: true
+ expected:
+ - at: threat.enrichments
+ as: event
+ beta: Reusing the `event` fields in this location is currently considered beta.
fields:
- name: id
diff --git a/schemas/file.yml b/schemas/file.yml
index 545b4661fa..c42559d156 100644
--- a/schemas/file.yml
+++ b/schemas/file.yml
@@ -10,6 +10,12 @@
and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric.
type: group
+ reusable:
+ top_level: true
+ expected:
+ - at: threat.enrichments
+ as: file
+ beta: Reusing the `file` fields in this location is currently considered beta.
fields:
- name: name
level: extended
diff --git a/schemas/geo.yml b/schemas/geo.yml
index fef496097b..ddc6b0bccb 100644
--- a/schemas/geo.yml
+++ b/schemas/geo.yml
@@ -17,6 +17,9 @@
- host
- server
- source
+ - at: threat.enrichments
+ as: geo
+ beta: Reusing the `geo` fields in this location is currently considered beta.
type: group
fields:
diff --git a/schemas/hash.yml b/schemas/hash.yml
index 77aeb29a5d..17b0d008c2 100644
--- a/schemas/hash.yml
+++ b/schemas/hash.yml
@@ -21,6 +21,9 @@
- file
- process
- dll
+ - at: threat.enrichments
+ as: hash
+ beta: Reusing the `hash` fields in this location is currently considered beta.
fields:
diff --git a/schemas/threat.yml b/schemas/threat.yml
index 8b55fc49a8..0e20fe332a 100644
--- a/schemas/threat.yml
+++ b/schemas/threat.yml
@@ -14,6 +14,59 @@
type: group
fields:
+ - name: enrichments
+ level: extended
+ type: nested
+ short: List of indicators enriching the event.
+ beta: This field is beta and subject to change.
+ description: >
+ A list of associated indicators enriching the event, and the context of that association/enrichment.
+
+ - name: enrichments.matched.atomic
+ level: extended
+ type: keyword
+ short: Matched indicator value
+ beta: This field is beta and subject to change.
+ description: >
+ Identifies the atomic indicator value that matched a local environment endpoint or network event.
+ example: bad-domain.com
+
+ - name: enrichments.matched.field
+ level: extended
+ type: keyword
+ short: Matched indicator field
+ beta: This field is beta and subject to change.
+ description: >
+ Identifies the field of the atomic indicator that matched a local environment endpoint or network event.
+ example: file.hash.sha256
+
+ - name: enrichments.matched.id
+ level: extended
+ type: keyword
+ short: Matched indicator identifier
+ beta: This field is beta and subject to change.
+ description: >
+ Identifies the _id of the indicator document enriching the event.
+ example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5
+
+ - name: enrichments.matched.index
+ level: extended
+ type: keyword
+ short: Matched indicator index
+ beta: This field is beta and subject to change.
+ description: >
+ Identifies the _index of the indicator document enriching the event.
+ example: filebeat-8.0.0-2021.05.23-000011
+
+ - name: enrichments.matched.type
+ level: extended
+ type: keyword
+ short: Type of indicator match
+ beta: This field is beta and subject to change.
+ description: >
+ Identifies the type of match that caused the event to be enriched with the given indicator
+ example: indicator_match_rule
+
- name: framework
level: extended
type: keyword
diff --git a/schemas/url.yml b/schemas/url.yml
index 88a0278891..1d68bc55e8 100644
--- a/schemas/url.yml
+++ b/schemas/url.yml
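Review bot: The description of `enrichments.matched.type` is the only one in this hunk that ends without a period (`Identifies the type of match that caused the event to be enriched with the given indicator`); these strings appear to be copied verbatim into the generated docs and code, so it should match its siblings and end with `.`. The `enrichments.matched.id` and `enrichments.matched.index` descriptions read as stable references, but the indicator document can be deleted or rolled over independently of the enriched event, so I would qualify them, e.g. `Identifies the _id of the indicator document enriching the event at the time of enrichment; it is not guaranteed to resolve later.` The top-level `enrichments` description could also say why it is `type: nested`: each entry's `matched.*` values stay associated in queries with the reused `file`, `url`, `hash` and similar fields of that same entry, which a flattened object would not preserve. The enclosing `fields:` list continues outside the hunk.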
@@ -6,6 +6,12 @@
URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on.
type: group
+ reusable:
+ top_level: true
+ expected:
+ - at: threat.enrichments
+ as: url
+ beta: Reusing the `url` fields in this location is currently considered beta.
fields:
- name: original
diff --git a/schemas/x509.yml b/schemas/x509.yml
index 124551c96c..d37db9807a 100644
--- a/schemas/x509.yml
+++ b/schemas/x509.yml
@@ -17,6 +17,9 @@
top_level: false
expected:
- file
+ - at: threat.enrichments
+ as: x509
+ beta: Reusing the `x509` fields in this location is currently considered beta.
- tls.client
- tls.server
fields: