Stage 2 changes for RFC 0008 - threat indicator fields (#1471) (#1485)

* remove experimental threat definitions * add threat intel RFC beta fields * add artifacts * s/expected/recommended * add changelog * spaces anomaly * artifacts
elastic · Jun 29, 2021 · 5c4b688 · 5c4b688
1 parent abb5d5b
commit 5c4b688
Show file tree

Hide file tree

Showing 18 changed files with 1,149 additions and 490 deletions.
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
@@ -22,6 +22,7 @@ Thanks, you're awesome :-) -->
 * Added `event.agent_id_status` field. #1454
 * `threat.enrichments` added to the experimental schema. #1457
 * `process.target` and `process.target.parent` added to experimental schema. #1467
+* Threat indicator fields progress to beta stage. #1471
 
 #### Improvements
 

diff --git a/code/go/ecs/threat.go b/code/go/ecs/threat.go
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
@@ -7735,6 +7735,280 @@ example: `https://attack.mitre.org/groups/G0037/`
 
 // ===============================================================
 
+|
+[[field-threat-indicator-confidence]]
+<<field-threat-indicator-confidence, threat.indicator.confidence>>
+
+| beta:[ This field is beta and subject to change. ]
+
+Identifies the confidence rating assigned by the provider using STIX confidence scales.
+
+Recommended values:
+
+  * Not Specified, None, Low, Medium, High
+
+  * 0-10
+
+  * Admirality Scale (1-6)
+
+  * DNI Scale (5-95)
+
+  * WEP Scale (Impossible - Certain)
+
+type: keyword
+
+
+
+example: `High`
+
+| extended
+
+// ===============================================================
+
+|
+[[field-threat-indicator-description]]
+<<field-threat-indicator-description, threat.indicator.description>>
+
+| beta:[ This field is beta and subject to change. ]
+
+Describes the type of action conducted by the threat.
+
+type: keyword
+
+
+
+example: `IP x.x.x.x was observed delivering the Angler EK.`
+
+| extended
+
+// ===============================================================
+
+|
+[[field-threat-indicator-email-address]]
+<<field-threat-indicator-email-address, threat.indicator.email.address>>
+
+| beta:[ This field is beta and subject to change. ]
+
+Identifies a threat indicator as an email address (irrespective of direction).
+
+type: keyword
+
+
+
+example: `[email protected]`
+
+| extended
+
+// ===============================================================
+
+|
+[[field-threat-indicator-first-seen]]
+<<field-threat-indicator-first-seen, threat.indicator.first_seen>>
+
+| beta:[ This field is beta and subject to change. ]
+
+The date and time when intelligence source first reported sighting this indicator.
+
+type: date
+
+
+
+example: `2020-11-05T17:25:47.000Z`
+
+| extended
+
+// ===============================================================
+
+|
+[[field-threat-indicator-ip]]
+<<field-threat-indicator-ip, threat.indicator.ip>>
+
+| beta:[ This field is beta and subject to change. ]
+
+Identifies a threat indicator as an IP address (irrespective of direction).
+
+type: ip
+
+
+
+example: `1.2.3.4`
+
+| extended
+
+// ===============================================================
+
+|
+[[field-threat-indicator-last-seen]]
+<<field-threat-indicator-last-seen, threat.indicator.last_seen>>
+
+| beta:[ This field is beta and subject to change. ]
+
+The date and time when intelligence source last reported sighting this indicator.
+
+type: date
+
+
+
+example: `2020-11-05T17:25:47.000Z`
+
+| extended
+
+// ===============================================================
+
+|
+[[field-threat-indicator-marking-tlp]]
+<<field-threat-indicator-marking-tlp, threat.indicator.marking.tlp>>
+
+| beta:[ This field is beta and subject to change. ]
+
+Traffic Light Protocol sharing markings.
+
+Recommended values are:
+
+  * WHITE
+
+  * GREEN
+
+  * AMBER
+
+  * RED
+
+type: keyword
+
+
+
+example: `WHITE`
+
+| extended
+
+// ===============================================================
+
+|
+[[field-threat-indicator-modified-at]]
+<<field-threat-indicator-modified-at, threat.indicator.modified_at>>
+
+| beta:[ This field is beta and subject to change. ]
+
+The date and time when intelligence source last modified information for this indicator.
+
+type: date
+
+
+
+example: `2020-11-05T17:25:47.000Z`
+
+| extended
+
+// ===============================================================
+
+|
+[[field-threat-indicator-port]]
+<<field-threat-indicator-port, threat.indicator.port>>
+
+| beta:[ This field is beta and subject to change. ]
+
+Identifies a threat indicator as a port number (irrespective of direction).
+
+type: long
+
+
+
+example: `443`
+
+| extended
+
+// ===============================================================
+
+|
+[[field-threat-indicator-scanner-stats]]
+<<field-threat-indicator-scanner-stats, threat.indicator.scanner_stats>>
+
+| beta:[ This field is beta and subject to change. ]
+
+Count of AV/EDR vendors that successfully detected malicious file or URL.
+
+type: long
+
+
+
+example: `4`
+
+| extended
+
+// ===============================================================
+
+|
+[[field-threat-indicator-sightings]]
+<<field-threat-indicator-sightings, threat.indicator.sightings>>
+
+| beta:[ This field is beta and subject to change. ]
+
+Number of times this indicator was observed conducting threat activity.
+
+type: long
+
+
+
+example: `20`
+
+| extended
+
+// ===============================================================
+
+|
+[[field-threat-indicator-type]]
+<<field-threat-indicator-type, threat.indicator.type>>
+
+| beta:[ This field is beta and subject to change. ]
+
+Type of indicator as represented by Cyber Observable in STIX 2.0.
+
+Recommended values:
+
+  * autonomous-system
+
+  * artifact
+
+  * directory
+
+  * domain-name
+
+  * email-addr
+
+  * file
+
+  * ipv4-addr
+
+  * ipv6-addr
+
+  * mac-addr
+
+  * mutex
+
+  * port
+
+  * process
+
+  * software
+
+  * url
+
+  * user-account
+
+  * windows-registry-key
+
+  * x509-certificate
+
+type: keyword
+
+
+
+example: `ipv4-addr`
+
+| extended
+
+// ===============================================================
+
 |
 [[field-threat-software-id]]
 <<field-threat-software-id, threat.software.id>>