[RFC] Create Threat Fieldset - Stage 2 Proposal (#1293)

* initial stage 2 commit

* added stage 2 PR number

* Update rfcs/text/0008-threat-intel.md

Co-authored-by: Eric Beahan <[email protected]>

* changed indicator.description to keyword

* typo for t.i.dataset

* updated tlp examples to match

* updated people

* changed .type to have 1 example

* Update rfcs/text/0008/threat.yml

Co-authored-by: Eric Beahan <[email protected]>

* Add event fieldset under threat.indicator fieldset

This is used to preserve the event fields of the original indicator
event in the case of said indicator enriching another event.

* Remove threat enrichment proposal/documentation

This is going to become a separate RFC that proposes this use case under
a slightly different schema: a nested list of objects conforming to the
indicator fieldset.

* removed matched in prep for future RFC

* removed fieldsets that are not to be nested under threat.indicator.*

* removed as.yml

* removed threat.indicator from reused fields from readme

* Update rfcs/text/0008-threat-intel.md

Co-authored-by: Eric Beahan <[email protected]>

* Update rfcs/text/0008-threat-intel.md

Co-authored-by: Eric Beahan <[email protected]>

* Update rfcs/text/0008-threat-intel.md

Co-authored-by: Eric Beahan <[email protected]>

* updated example documents

* fix example formatting

* another formatting fix

* moved proposed fields to existing event and url fieldsets

* Update threat.yml

fixed a formatting issue for indicatory.type

* added modified_at field

* typo

* Correct expected indicator.type value for X509 Certificates

The documentation for the `indicator.type` field lists
`x-509-certificate` as an expected value. However, the correct STIX 2.0
Cyber Observable type name for X509 Certificates is `x509-certificate`.

* missing colon

* set advance date

Co-authored-by: Eric Beahan <[email protected]>
Co-authored-by: Ryland Herrick <[email protected]>
Co-authored-by: Dominic Page <[email protected]>
Co-authored-by: Adrian Serrano <[email protected]>

rfcs/text/0008/threat.yml

@@ -21,6 +21,15 @@
 
     example: "2020-11-05T17:25:47.000Z"
 
+  - name: indicator.modified_at
+    level: extended
+    type: date
+    short: Date/time indicator was last updated.
+    description: >
+      The date and time when intelligence source last modified information for this indicator.
+
+    example: "2020-11-05T17:25:47.000Z"
+
   - name: indicator.sightings
     level: extended
     type: long
@@ -37,7 +46,7 @@
     description: >
       Type of indicator as represented by Cyber Observable in STIX 2.0.
 
-      Expected values
+      Recommended values:
         * autonomous-system
         * artifact
         * directory
@@ -48,18 +57,19 @@
         * ipv6-addr
         * mac-addr
         * mutex
+        * port
         * process
         * software
         * url
         * user-account
         * windows-registry-key
-        * x-509-certificate
+        * x509-certificate
 
     example: ipv4-addr
 
   - name: indicator.description
     level: extended
-    type: wildcard
+    type: keyword
     short: Indicator description
     description: >
       Describes the type of action conducted by the threat.
@@ -75,14 +85,6 @@
 
     example: 4
 
-  - name: indicator.provider
-    level: extended
-    type: keyword
-    description: >
-      Identifies the name of the intelligence provider.
-
-    example: VirusTotal
-
   - name: indicator.confidence
     level: extended
     type: keyword
@@ -99,24 +101,6 @@
 
     example: High
 
-  - name: indicator.module
-    level: extended
-    type: keyword
-    short: Indicator module
-    description: >
-      Identifies the name of specific module this data is coming from.
-
-    example: threatintel
-
-  - name: indicator.dataset
-    level: extended
-    type: keyword
-    short: Indicator dataset
-    description: >
-      Identifies the name of specific dataset from the intelligence source.
-
-    example: threatintel.abusemalware
-
   - name: indicator.ip
     level: extended
     type: ip
@@ -126,15 +110,6 @@
 
     example: 1.2.3.4
 
-  - name: indicator.domain
-    level: extended
-    type: keyword
-    short: Indicator domain name
-    description: >
-      Identifies a threat indicator as a domain (irrespective of direction).
-
-    example: example.com
-
   - name: indicator.port
     level: extended
     type: long
@@ -160,37 +135,10 @@
     description: >
       Traffic Light Protocol sharing markings.
 
-      Expected values are:
-        * White
-        * Green
-        * Amber
-        * Red
+      Recommended values are:
+        * WHITE
+        * GREEN
+        * AMBER
+        * RED
 
     example: White
-
-  - name: indicator.matched.atomic
-    level: extended
-    type: keyword
-    short: Indicator atomic match
-    description: >
-      Identifies the atomic indicator that matched a local environment endpoint or network event.
-
-    example: example.com
-
-  - name: indicator.matched.field
-    level: extended
-    type: keyword
-    short: Indicator field match
-    description: >
-      Identifies the field of the atomic indicator that matched a local environment endpoint or network event.
-
-    example: file.hash.sha256
-
-  - name: indicator.matched.type
-    level: extended
-    type: keyword
-    short: Indicator type match
-    description: >
-      Identifies the type of the atomic indicator that matched a local environment endpoint or network event.
-
-    example: domain-name