From 5c4b6884c01d8667839100eca27e6225b326c418 Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Tue, 29 Jun 2021 11:16:14 -0500 Subject: [PATCH] Stage 2 changes for RFC 0008 - threat indicator fields (#1471) (#1485) * remove experimental threat definitions * add threat intel RFC beta fields * add artifacts * s/expected/recommended * add changelog * spaces anomaly * artifacts --- CHANGELOG.next.md | 1 + code/go/ecs/threat.go | 77 +++++ docs/field-details.asciidoc | 274 ++++++++++++++++++ experimental/generated/beats/fields.ecs.yml | 72 +---- experimental/generated/csv/fields.csv | 12 +- experimental/generated/ecs/ecs_flat.yml | 114 ++------ experimental/generated/ecs/ecs_nested.yml | 116 ++------ .../generated/elasticsearch/7/template.json | 32 +- .../elasticsearch/component/threat.json | 32 +- experimental/schemas/threat.yml | 192 ------------ generated/beats/fields.ecs.yml | 92 ++++++ generated/csv/fields.csv | 12 + generated/ecs/ecs_flat.yml | 150 ++++++++++ generated/ecs/ecs_nested.yml | 152 ++++++++++ generated/elasticsearch/6/template.json | 53 ++++ generated/elasticsearch/7/template.json | 53 ++++ generated/elasticsearch/component/threat.json | 53 ++++ schemas/threat.yml | 152 ++++++++++ 18 files changed, 1149 insertions(+), 490 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 8e818d2378..0a3bc617ad 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -22,6 +22,7 @@ Thanks, you're awesome :-) --> * Added `event.agent_id_status` field. #1454 * `threat.enrichments` added to the experimental schema. #1457 * `process.target` and `process.target.parent` added to experimental schema. #1467 +* Threat indicator fields progress to beta stage. #1471 #### Improvements diff --git a/code/go/ecs/threat.go b/code/go/ecs/threat.go index ae3ef6f0b4..ec7d1a4ee8 100644 --- a/code/go/ecs/threat.go +++ b/code/go/ecs/threat.go 
@@ -19,6 +19,10 @@ package ecs
+import (
+	"time"
+)
+
 // Fields to classify events and alerts according to a threat taxonomy such as
 // the MITRE ATT&CK® framework.
 // These fields are for users to classify alerts from all of their sources
@@ -54,6 +58,79 @@ type Threat struct {
 	// required, you can use a MITRE ATT&CK® group reference URL.
 	GroupReference string `ecs:"group.reference"`
+	// The date and time when intelligence source first reported sighting this
+	// indicator.
+	IndicatorFirstSeen time.Time `ecs:"indicator.first_seen"`
+
+	// The date and time when intelligence source last reported sighting this
+	// indicator.
+	IndicatorLastSeen time.Time `ecs:"indicator.last_seen"`
+
+	// The date and time when intelligence source last modified information for
+	// this indicator.
+	IndicatorModifiedAt time.Time `ecs:"indicator.modified_at"`
+
+	// Number of times this indicator was observed conducting threat activity.
+	IndicatorSightings int64 `ecs:"indicator.sightings"`
+
+	// Type of indicator as represented by Cyber Observable in STIX 2.0.
+	// Recommended values:
+	// * autonomous-system
+	// * artifact
+	// * directory
+	// * domain-name
+	// * email-addr
+	// * file
+	// * ipv4-addr
+	// * ipv6-addr
+	// * mac-addr
+	// * mutex
+	// * port
+	// * process
+	// * software
+	// * url
+	// * user-account
+	// * windows-registry-key
+	// * x509-certificate
+	IndicatorType string `ecs:"indicator.type"`
+
+	// Describes the type of action conducted by the threat.
+	IndicatorDescription string `ecs:"indicator.description"`
+
+	// Count of AV/EDR vendors that successfully detected malicious file or
+	// URL.
+	IndicatorScannerStats int64 `ecs:"indicator.scanner_stats"`
+
+	// Identifies the confidence rating assigned by the provider using STIX
+	// confidence scales.
+	// Recommended values:
+	// * Not Specified, None, Low, Medium, High
+	// * 0-10
+	// * Admirality Scale (1-6)
+	// * DNI Scale (5-95)
+	// * WEP Scale (Impossible - Certain)
+	IndicatorConfidence string `ecs:"indicator.confidence"`
+
+	// Identifies a threat indicator as an IP address (irrespective of
+	// direction).
+	IndicatorIP string `ecs:"indicator.ip"`
+
+	// Identifies a threat indicator as a port number (irrespective of
+	// direction).
+	IndicatorPort int64 `ecs:"indicator.port"`
+
+	// Identifies a threat indicator as an email address (irrespective of
+	// direction).
+	IndicatorEmailAddress string `ecs:"indicator.email.address"`
+
+	// Traffic Light Protocol sharing markings.
+	// Recommended values are:
+	// * WHITE
+	// * GREEN
+	// * AMBER
+	// * RED
+	IndicatorMarkingTlp string `ecs:"indicator.marking.tlp"`
+
 	// The id of the software used by this threat to conduct behavior commonly
 	// modeled using MITRE ATT&CK®. While not required, you can use a MITRE
 	// ATT&CK® software id.
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index 1c5495e485..25a3eec317 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
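Review bot: The `IndicatorType` comment claims the values are STIX 2.0 Cyber Observable types, but `port` (newly added to the list in this revision, per the experimental hunks below) is, as far as I can tell, not a STIX 2.0 observable object type, so the comment now overstates the list's provenance; either drop `port` or reword to `// Type of indicator, using the STIX 2.0 Cyber Observable object type names where one exists (port is an ECS addition).` The `IndicatorConfidence` comment also carries a typo, `// * Admirality Scale (1-6)` should read `// * Admiralty Scale (1-6)`, and since this struct looks generated the fix belongs in schemas/threat.yml (changed by this commit but not shown on this page) so the docs and generated YAML/JSON inherit it. The same field deserves a caveat for detection authors: five different scales share one keyword field, so `High`, `5`, `80` and `Probable` from different providers are not comparable without knowing which scale each provider used, e.g. `// Values are only comparable within one provider's scale; record the scale or normalize before ranking indicators across sources.` Minor: Go initialism style would name the TLP field `IndicatorMarkingTLP`, though that is the generator's call rather than this hunk's. The `Threat` struct itself opens before this hunk.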
@@ -7735,6 +7735,280 @@ example: `https://attack.mitre.org/groups/G0037/` // =============================================================== +| +[[field-threat-indicator-confidence]] +<> + +| beta:[ This field is beta and subject to change. ] + +Identifies the confidence rating assigned by the provider using STIX confidence scales. + +Recommended values: + + * Not Specified, None, Low, Medium, High + + * 0-10 + + * Admirality Scale (1-6) + + * DNI Scale (5-95) + + * WEP Scale (Impossible - Certain) + +type: keyword + + + +example: `High` + +| extended + +// =============================================================== + +| +[[field-threat-indicator-description]] +<> + +| beta:[ This field is beta and subject to change. ] + +Describes the type of action conducted by the threat. + +type: keyword + + + +example: `IP x.x.x.x was observed delivering the Angler EK.` + +| extended + +// =============================================================== + +| +[[field-threat-indicator-email-address]] +<> + +| beta:[ This field is beta and subject to change. ] + +Identifies a threat indicator as an email address (irrespective of direction). + +type: keyword + + + +example: `phish@example.com` + +| extended + +// =============================================================== + +| +[[field-threat-indicator-first-seen]] +<> + +| beta:[ This field is beta and subject to change. ] + +The date and time when intelligence source first reported sighting this indicator. + +type: date + + + +example: `2020-11-05T17:25:47.000Z` + +| extended + +// =============================================================== + +| +[[field-threat-indicator-ip]] +<> + +| beta:[ This field is beta and subject to change. ] + +Identifies a threat indicator as an IP address (irrespective of direction). 
+ +type: ip + + + +example: `1.2.3.4` + +| extended + +// =============================================================== + +| +[[field-threat-indicator-last-seen]] +<> + +| beta:[ This field is beta and subject to change. ] + +The date and time when intelligence source last reported sighting this indicator. + +type: date + + + +example: `2020-11-05T17:25:47.000Z` + +| extended + +// =============================================================== + +| +[[field-threat-indicator-marking-tlp]] +<> + +| beta:[ This field is beta and subject to change. ] + +Traffic Light Protocol sharing markings. + +Recommended values are: + + * WHITE + + * GREEN + + * AMBER + + * RED + +type: keyword + + + +example: `WHITE` + +| extended + +// =============================================================== + +| +[[field-threat-indicator-modified-at]] +<> + +| beta:[ This field is beta and subject to change. ] + +The date and time when intelligence source last modified information for this indicator. + +type: date + + + +example: `2020-11-05T17:25:47.000Z` + +| extended + +// =============================================================== + +| +[[field-threat-indicator-port]] +<> + +| beta:[ This field is beta and subject to change. ] + +Identifies a threat indicator as a port number (irrespective of direction). + +type: long + + + +example: `443` + +| extended + +// =============================================================== + +| +[[field-threat-indicator-scanner-stats]] +<> + +| beta:[ This field is beta and subject to change. ] + +Count of AV/EDR vendors that successfully detected malicious file or URL. + +type: long + + + +example: `4` + +| extended + +// =============================================================== + +| +[[field-threat-indicator-sightings]] +<> + +| beta:[ This field is beta and subject to change. ] + +Number of times this indicator was observed conducting threat activity. 
+ +type: long + + + +example: `20` + +| extended + +// =============================================================== + +| +[[field-threat-indicator-type]] +<> + +| beta:[ This field is beta and subject to change. ] + +Type of indicator as represented by Cyber Observable in STIX 2.0. + +Recommended values: + + * autonomous-system + + * artifact + + * directory + + * domain-name + + * email-addr + + * file + + * ipv4-addr + + * ipv6-addr + + * mac-addr + + * mutex + + * port + + * process + + * software + + * url + + * user-account + + * windows-registry-key + + * x509-certificate + +type: keyword + + + +example: `ipv4-addr` + +| extended + +// =============================================================== + | [[field-threat-software-id]] <> diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 67d57d2aff..91cc45d7ea 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
@@ -9841,31 +9841,18 @@ type: keyword ignore_above: 1024 description: "Identifies the confidence rating assigned by the provider using\ - \ STIX confidence scales.\nExpected values:\n * Not Specified, None, Low,\ + \ STIX confidence scales.\nRecommended values:\n * Not Specified, None, Low,\ \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ \ * WEP Scale (Impossible - Certain)" example: High default_field: false - - name: indicator.dataset + - name: indicator.description level: extended type: keyword ignore_above: 1024 - description: Identifies the name of specific dataset from the intelligence source. - example: threatintel.abusemalware - default_field: false - - name: indicator.description - level: extended - type: wildcard description: Describes the type of action conducted by the threat. example: IP x.x.x.x was observed delivering the Angler EK. default_field: false - - name: indicator.domain - level: extended - type: keyword - ignore_above: 1024 - description: Identifies a threat indicator as a domain (irrespective of direction). - example: example.com - default_field: false - name: indicator.email.address level: extended type: keyword 
@@ -9899,40 +9886,16 @@ level: extended type: keyword ignore_above: 1024 - description: "Traffic Light Protocol sharing markings.\nExpected values are:\n\ - \ * White\n * Green\n * Amber\n * Red" - example: White - default_field: false - - name: indicator.matched.atomic - level: extended - type: keyword - ignore_above: 1024 - description: Identifies the atomic indicator that matched a local environment - endpoint or network event. - example: example.com - default_field: false - - name: indicator.matched.field - level: extended - type: keyword - ignore_above: 1024 - description: Identifies the field of the atomic indicator that matched a local - environment endpoint or network event. - example: file.hash.sha256 - default_field: false - - name: indicator.matched.type - level: extended - type: keyword - ignore_above: 1024 - description: Identifies the type of the atomic indicator that matched a local - environment endpoint or network event. - example: domain-name + description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: WHITE default_field: false - - name: indicator.module + - name: indicator.modified_at level: extended - type: keyword - ignore_above: 1024 - description: Identifies the name of specific module this data is coming from. - example: threatintel + type: date + description: The date and time when intelligence source last modified information + for this indicator. + example: '2020-11-05T17:25:47.000Z' default_field: false - name: indicator.port level: extended @@ -9941,13 +9904,6 @@ direction). example: 443 default_field: false - - name: indicator.provider - level: extended - type: keyword - ignore_above: 1024 - description: Identifies the name of the intelligence provider. - example: VirusTotal - default_field: false - name: indicator.scanner_stats level: extended type: long 
@@ -9966,10 +9922,10 @@ type: keyword ignore_above: 1024 description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ - Expected values\n * autonomous-system\n * artifact\n * directory\n * domain-name\n\ - \ * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n * mac-addr\n *\ - \ mutex\n * process\n * software\n * url\n * user-account\n * windows-registry-key\n\ - \ * x-509-certificate" + Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ + \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ + \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ + \ * user-account\n * windows-registry-key\n * x509-certificate" example: ipv4-addr default_field: false - name: software.id diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 183b1a2129..a2f91ca84d 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -1203,20 +1203,14 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.11.0-dev+exp,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. 1.11.0-dev+exp,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. 1.11.0-dev+exp,true,threat,threat.indicator.confidence,keyword,extended,,High,Indicator confidence rating -1.11.0-dev+exp,true,threat,threat.indicator.dataset,keyword,extended,,threatintel.abusemalware,Indicator dataset -1.11.0-dev+exp,true,threat,threat.indicator.description,wildcard,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description -1.11.0-dev+exp,true,threat,threat.indicator.domain,keyword,extended,,example.com,Indicator domain name +1.11.0-dev+exp,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description 1.11.0-dev+exp,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address 1.11.0-dev+exp,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. 1.11.0-dev+exp,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address 1.11.0-dev+exp,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. 
-1.11.0-dev+exp,true,threat,threat.indicator.marking.tlp,keyword,extended,,White,Indicator TLP marking -1.11.0-dev+exp,true,threat,threat.indicator.matched.atomic,keyword,extended,,example.com,Indicator atomic match -1.11.0-dev+exp,true,threat,threat.indicator.matched.field,keyword,extended,,file.hash.sha256,Indicator field match -1.11.0-dev+exp,true,threat,threat.indicator.matched.type,keyword,extended,,domain-name,Indicator type match -1.11.0-dev+exp,true,threat,threat.indicator.module,keyword,extended,,threatintel,Indicator module +1.11.0-dev+exp,true,threat,threat.indicator.marking.tlp,keyword,extended,,WHITE,Indicator TLP marking +1.11.0-dev+exp,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. 1.11.0-dev+exp,true,threat,threat.indicator.port,long,extended,,443,Indicator port -1.11.0-dev+exp,true,threat,threat.indicator.provider,keyword,extended,,VirusTotal,Identifies the name of the intelligence provider. 1.11.0-dev+exp,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics 1.11.0-dev+exp,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed 1.11.0-dev+exp,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index b64284c300..5f77988c30 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -15359,9 +15359,10 @@ threat.group.reference: short: Reference URL of the group. type: keyword threat.indicator.confidence: + beta: This field is beta and subject to change. dashed_name: threat-indicator-confidence description: "Identifies the confidence rating assigned by the provider using STIX\ - \ confidence scales.\nExpected values:\n * Not Specified, None, Low, Medium,\ + \ confidence scales.\nRecommended values:\n * Not Specified, None, Low, Medium,\ \ High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n * WEP Scale\ \ (Impossible - Certain)" example: High 
@@ -15372,39 +15373,20 @@ threat.indicator.confidence: normalize: [] short: Indicator confidence rating type: keyword -threat.indicator.dataset: - dashed_name: threat-indicator-dataset - description: Identifies the name of specific dataset from the intelligence source. - example: threatintel.abusemalware - flat_name: threat.indicator.dataset - ignore_above: 1024 - level: extended - name: indicator.dataset - normalize: [] - short: Indicator dataset - type: keyword threat.indicator.description: + beta: This field is beta and subject to change. dashed_name: threat-indicator-description description: Describes the type of action conducted by the threat. example: IP x.x.x.x was observed delivering the Angler EK. flat_name: threat.indicator.description + ignore_above: 1024 level: extended name: indicator.description normalize: [] short: Indicator description - type: wildcard -threat.indicator.domain: - dashed_name: threat-indicator-domain - description: Identifies a threat indicator as a domain (irrespective of direction). - example: example.com - flat_name: threat.indicator.domain - ignore_above: 1024 - level: extended - name: indicator.domain - normalize: [] - short: Indicator domain name type: keyword threat.indicator.email.address: + beta: This field is beta and subject to change. dashed_name: threat-indicator-email-address description: Identifies a threat indicator as an email address (irrespective of direction). @@ -15417,6 +15399,7 @@ threat.indicator.email.address: short: Indicator email address type: keyword threat.indicator.first_seen: + beta: This field is beta and subject to change. dashed_name: threat-indicator-first-seen description: The date and time when intelligence source first reported sighting this indicator. 
@@ -15428,6 +15411,7 @@ threat.indicator.first_seen: short: Date/time indicator was first reported. type: date threat.indicator.ip: + beta: This field is beta and subject to change. dashed_name: threat-indicator-ip description: Identifies a threat indicator as an IP address (irrespective of direction). example: 1.2.3.4 @@ -15438,6 +15422,7 @@ threat.indicator.ip: short: Indicator IP address type: ip threat.indicator.last_seen: + beta: This field is beta and subject to change. dashed_name: threat-indicator-last-seen description: The date and time when intelligence source last reported sighting this indicator. @@ -15449,10 +15434,11 @@ threat.indicator.last_seen: short: Date/time indicator was last reported. type: date threat.indicator.marking.tlp: + beta: This field is beta and subject to change. dashed_name: threat-indicator-marking-tlp - description: "Traffic Light Protocol sharing markings.\nExpected values are:\n \ - \ * White\n * Green\n * Amber\n * Red" - example: White + description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: WHITE flat_name: threat.indicator.marking.tlp ignore_above: 1024 level: extended 
@@ -15460,54 +15446,20 @@ threat.indicator.marking.tlp: normalize: [] short: Indicator TLP marking type: keyword -threat.indicator.matched.atomic: - dashed_name: threat-indicator-matched-atomic - description: Identifies the atomic indicator that matched a local environment endpoint - or network event. - example: example.com - flat_name: threat.indicator.matched.atomic - ignore_above: 1024 - level: extended - name: indicator.matched.atomic - normalize: [] - short: Indicator atomic match - type: keyword -threat.indicator.matched.field: - dashed_name: threat-indicator-matched-field - description: Identifies the field of the atomic indicator that matched a local environment - endpoint or network event. - example: file.hash.sha256 - flat_name: threat.indicator.matched.field - ignore_above: 1024 - level: extended - name: indicator.matched.field - normalize: [] - short: Indicator field match - type: keyword -threat.indicator.matched.type: - dashed_name: threat-indicator-matched-type - description: Identifies the type of the atomic indicator that matched a local environment - endpoint or network event. - example: domain-name - flat_name: threat.indicator.matched.type - ignore_above: 1024 - level: extended - name: indicator.matched.type - normalize: [] - short: Indicator type match - type: keyword -threat.indicator.module: - dashed_name: threat-indicator-module - description: Identifies the name of specific module this data is coming from. - example: threatintel - flat_name: threat.indicator.module - ignore_above: 1024 +threat.indicator.modified_at: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-modified-at + description: The date and time when intelligence source last modified information + for this indicator. 
+ example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.modified_at level: extended - name: indicator.module + name: indicator.modified_at normalize: [] - short: Indicator module - type: keyword + short: Date/time indicator was last updated. + type: date threat.indicator.port: + beta: This field is beta and subject to change. dashed_name: threat-indicator-port description: Identifies a threat indicator as a port number (irrespective of direction). example: 443 @@ -15517,18 +15469,8 @@ threat.indicator.port: normalize: [] short: Indicator port type: long -threat.indicator.provider: - dashed_name: threat-indicator-provider - description: Identifies the name of the intelligence provider. - example: VirusTotal - flat_name: threat.indicator.provider - ignore_above: 1024 - level: extended - name: indicator.provider - normalize: [] - short: Identifies the name of the intelligence provider. - type: keyword threat.indicator.scanner_stats: + beta: This field is beta and subject to change. dashed_name: threat-indicator-scanner-stats description: Count of AV/EDR vendors that successfully detected malicious file or URL. @@ -15540,6 +15482,7 @@ threat.indicator.scanner_stats: short: Scanner statistics type: long threat.indicator.sightings: + beta: This field is beta and subject to change. dashed_name: threat-indicator-sightings description: Number of times this indicator was observed conducting threat activity. example: 20 
@@ -15550,12 +15493,13 @@ threat.indicator.sightings: short: Number of times indicator observed type: long threat.indicator.type: + beta: This field is beta and subject to change. dashed_name: threat-indicator-type description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ - Expected values\n * autonomous-system\n * artifact\n * directory\n * domain-name\n\ + Recommended values:\n * autonomous-system\n * artifact\n * directory\n * domain-name\n\ \ * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n * mac-addr\n * mutex\n\ - \ * process\n * software\n * url\n * user-account\n * windows-registry-key\n\ - \ * x-509-certificate" + \ * port\n * process\n * software\n * url\n * user-account\n * windows-registry-key\n\ + \ * x509-certificate" example: ipv4-addr flat_name: threat.indicator.type ignore_above: 1024 diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 12ce205a8c..ede1de788e 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -17422,9 +17422,10 @@ threat: short: Reference URL of the group. type: keyword threat.indicator.confidence: + beta: This field is beta and subject to change. dashed_name: threat-indicator-confidence description: "Identifies the confidence rating assigned by the provider using\ - \ STIX confidence scales.\nExpected values:\n * Not Specified, None, Low,\ + \ STIX confidence scales.\nRecommended values:\n * Not Specified, None, Low,\ \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ \ * WEP Scale (Impossible - Certain)" example: High 
@@ -17435,39 +17436,20 @@ threat: normalize: [] short: Indicator confidence rating type: keyword - threat.indicator.dataset: - dashed_name: threat-indicator-dataset - description: Identifies the name of specific dataset from the intelligence source. - example: threatintel.abusemalware - flat_name: threat.indicator.dataset - ignore_above: 1024 - level: extended - name: indicator.dataset - normalize: [] - short: Indicator dataset - type: keyword threat.indicator.description: + beta: This field is beta and subject to change. dashed_name: threat-indicator-description description: Describes the type of action conducted by the threat. example: IP x.x.x.x was observed delivering the Angler EK. flat_name: threat.indicator.description + ignore_above: 1024 level: extended name: indicator.description normalize: [] short: Indicator description - type: wildcard - threat.indicator.domain: - dashed_name: threat-indicator-domain - description: Identifies a threat indicator as a domain (irrespective of direction). - example: example.com - flat_name: threat.indicator.domain - ignore_above: 1024 - level: extended - name: indicator.domain - normalize: [] - short: Indicator domain name type: keyword threat.indicator.email.address: + beta: This field is beta and subject to change. dashed_name: threat-indicator-email-address description: Identifies a threat indicator as an email address (irrespective of direction). @@ -17480,6 +17462,7 @@ threat: short: Indicator email address type: keyword threat.indicator.first_seen: + beta: This field is beta and subject to change. dashed_name: threat-indicator-first-seen description: The date and time when intelligence source first reported sighting this indicator. @@ -17491,6 +17474,7 @@ threat: short: Date/time indicator was first reported. type: date threat.indicator.ip: + beta: This field is beta and subject to change. dashed_name: threat-indicator-ip description: Identifies a threat indicator as an IP address (irrespective of direction). 
@@ -17502,6 +17486,7 @@ threat: short: Indicator IP address type: ip threat.indicator.last_seen: + beta: This field is beta and subject to change. dashed_name: threat-indicator-last-seen description: The date and time when intelligence source last reported sighting this indicator. @@ -17513,10 +17498,11 @@ threat: short: Date/time indicator was last reported. type: date threat.indicator.marking.tlp: + beta: This field is beta and subject to change. dashed_name: threat-indicator-marking-tlp - description: "Traffic Light Protocol sharing markings.\nExpected values are:\n\ - \ * White\n * Green\n * Amber\n * Red" - example: White + description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: WHITE flat_name: threat.indicator.marking.tlp ignore_above: 1024 level: extended 
@@ -17524,54 +17510,20 @@ threat: normalize: [] short: Indicator TLP marking type: keyword - threat.indicator.matched.atomic: - dashed_name: threat-indicator-matched-atomic - description: Identifies the atomic indicator that matched a local environment - endpoint or network event. - example: example.com - flat_name: threat.indicator.matched.atomic - ignore_above: 1024 - level: extended - name: indicator.matched.atomic - normalize: [] - short: Indicator atomic match - type: keyword - threat.indicator.matched.field: - dashed_name: threat-indicator-matched-field - description: Identifies the field of the atomic indicator that matched a local - environment endpoint or network event. - example: file.hash.sha256 - flat_name: threat.indicator.matched.field - ignore_above: 1024 - level: extended - name: indicator.matched.field - normalize: [] - short: Indicator field match - type: keyword - threat.indicator.matched.type: - dashed_name: threat-indicator-matched-type - description: Identifies the type of the atomic indicator that matched a local - environment endpoint or network event. - example: domain-name - flat_name: threat.indicator.matched.type - ignore_above: 1024 - level: extended - name: indicator.matched.type - normalize: [] - short: Indicator type match - type: keyword - threat.indicator.module: - dashed_name: threat-indicator-module - description: Identifies the name of specific module this data is coming from. - example: threatintel - flat_name: threat.indicator.module - ignore_above: 1024 + threat.indicator.modified_at: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-modified-at + description: The date and time when intelligence source last modified information + for this indicator. 
+ example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.modified_at level: extended - name: indicator.module + name: indicator.modified_at normalize: [] - short: Indicator module - type: keyword + short: Date/time indicator was last updated. + type: date threat.indicator.port: + beta: This field is beta and subject to change. dashed_name: threat-indicator-port description: Identifies a threat indicator as a port number (irrespective of direction). @@ -17582,18 +17534,8 @@ threat: normalize: [] short: Indicator port type: long - threat.indicator.provider: - dashed_name: threat-indicator-provider - description: Identifies the name of the intelligence provider. - example: VirusTotal - flat_name: threat.indicator.provider - ignore_above: 1024 - level: extended - name: indicator.provider - normalize: [] - short: Identifies the name of the intelligence provider. - type: keyword threat.indicator.scanner_stats: + beta: This field is beta and subject to change. dashed_name: threat-indicator-scanner-stats description: Count of AV/EDR vendors that successfully detected malicious file or URL. @@ -17605,6 +17547,7 @@ threat: short: Scanner statistics type: long threat.indicator.sightings: + beta: This field is beta and subject to change. dashed_name: threat-indicator-sightings description: Number of times this indicator was observed conducting threat activity. example: 20 
@@ -17615,12 +17558,13 @@ threat: short: Number of times indicator observed type: long threat.indicator.type: + beta: This field is beta and subject to change. dashed_name: threat-indicator-type description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ - Expected values\n * autonomous-system\n * artifact\n * directory\n * domain-name\n\ - \ * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n * mac-addr\n *\ - \ mutex\n * process\n * software\n * url\n * user-account\n * windows-registry-key\n\ - \ * x-509-certificate" + Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ + \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ + \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ + \ * user-account\n * windows-registry-key\n * x509-certificate" example: ipv4-addr flat_name: threat.indicator.type ignore_above: 1024 diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json index 561f8b11fb..4d52950ecf 100644 --- a/experimental/generated/elasticsearch/7/template.json +++ b/experimental/generated/elasticsearch/7/template.json @@ -5330,14 +5330,7 @@ "ignore_above": 1024, "type": "keyword" }, - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, "description": { - "type": "wildcard" - }, - "domain": { "ignore_above": 1024, "type": "keyword" }, @@ -5366,33 +5359,12 @@ } } }, - "matched": { - "properties": { - "atomic": { - "ignore_above": 1024, - "type": "keyword" - }, - "field": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "module": { - "ignore_above": 1024, - "type": "keyword" + "modified_at": { + "type": "date" }, "port": { "type": "long" }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, "scanner_stats": { "type": "long" }, 
diff --git a/experimental/generated/elasticsearch/component/threat.json b/experimental/generated/elasticsearch/component/threat.json index a203ce0ea7..ddb1429ebd 100644 --- a/experimental/generated/elasticsearch/component/threat.json +++ b/experimental/generated/elasticsearch/component/threat.json @@ -866,14 +866,7 @@ "ignore_above": 1024, "type": "keyword" }, - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, "description": { - "type": "wildcard" - }, - "domain": { "ignore_above": 1024, "type": "keyword" }, @@ -902,33 +895,12 @@ } } }, - "matched": { - "properties": { - "atomic": { - "ignore_above": 1024, - "type": "keyword" - }, - "field": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "module": { - "ignore_above": 1024, - "type": "keyword" + "modified_at": { + "type": "date" }, "port": { "type": "long" }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, "scanner_stats": { "type": "long" }, diff --git a/experimental/schemas/threat.yml b/experimental/schemas/threat.yml index ab47291ecf..5f90586e8e 100644 --- a/experimental/schemas/threat.yml +++ b/experimental/schemas/threat.yml 
@@ -49,195 +49,3 @@ description: > Identifies the type of match that caused the event to be enriched with the given indicator example: indicator_match_rule - - - name: indicator.first_seen - level: extended - type: date - short: Date/time indicator was first reported. - description: > - The date and time when intelligence source first reported sighting this indicator. - - example: "2020-11-05T17:25:47.000Z" - - - name: indicator.last_seen - level: extended - type: date - short: Date/time indicator was last reported. - description: > - The date and time when intelligence source last reported sighting this indicator. - - example: "2020-11-05T17:25:47.000Z" - - - name: indicator.sightings - level: extended - type: long - short: Number of times indicator observed - description: > - Number of times this indicator was observed conducting threat activity. - - example: 20 - - - name: indicator.type - level: extended - type: keyword - short: Type of indicator - description: > - Type of indicator as represented by Cyber Observable in STIX 2.0. - - Expected values - * autonomous-system - * artifact - * directory - * domain-name - * email-addr - * file - * ipv4-addr - * ipv6-addr - * mac-addr - * mutex - * process - * software - * url - * user-account - * windows-registry-key - * x-509-certificate - - example: ipv4-addr - - - name: indicator.description - level: extended - type: wildcard - short: Indicator description - description: > - Describes the type of action conducted by the threat. - - example: IP x.x.x.x was observed delivering the Angler EK. - - - name: indicator.scanner_stats - level: extended - type: long - short: Scanner statistics - description: > - Count of AV/EDR vendors that successfully detected malicious file or URL. - - example: 4 - - - name: indicator.provider - level: extended - type: keyword - description: > - Identifies the name of the intelligence provider. 
- - example: VirusTotal - - - name: indicator.confidence - level: extended - type: keyword - short: Indicator confidence rating - description: > - Identifies the confidence rating assigned by the provider using STIX confidence scales. - - Expected values: - * Not Specified, None, Low, Medium, High - * 0-10 - * Admirality Scale (1-6) - * DNI Scale (5-95) - * WEP Scale (Impossible - Certain) - - example: High - - - name: indicator.module - level: extended - type: keyword - short: Indicator module - description: > - Identifies the name of specific module this data is coming from. - - example: threatintel - - - name: indicator.dataset - level: extended - type: keyword - short: Indicator dataset - description: > - Identifies the name of specific dataset from the intelligence source. - - example: threatintel.abusemalware - - - name: indicator.ip - level: extended - type: ip - short: Indicator IP address - description: > - Identifies a threat indicator as an IP address (irrespective of direction). - - example: 1.2.3.4 - - - name: indicator.domain - level: extended - type: keyword - short: Indicator domain name - description: > - Identifies a threat indicator as a domain (irrespective of direction). - - example: example.com - - - name: indicator.port - level: extended - type: long - short: Indicator port - description: > - Identifies a threat indicator as a port number (irrespective of direction). - - example: 443 - - - name: indicator.email.address - level: extended - type: keyword - short: Indicator email address - description: > - Identifies a threat indicator as an email address (irrespective of direction). - - example: phish@example.com - - - name: indicator.marking.tlp - level: extended - type: keyword - short: Indicator TLP marking - description: > - Traffic Light Protocol sharing markings. 
- - Expected values are: - * White - * Green - * Amber - * Red - - example: White - - - name: indicator.matched.atomic - level: extended - type: keyword - short: Indicator atomic match - description: > - Identifies the atomic indicator that matched a local environment endpoint or network event. - - example: example.com - - - name: indicator.matched.field - level: extended - type: keyword - short: Indicator field match - description: > - Identifies the field of the atomic indicator that matched a local environment endpoint or network event. - - example: file.hash.sha256 - - - name: indicator.matched.type - level: extended - type: keyword - short: Indicator type match - description: > - Identifies the type of the atomic indicator that matched a local environment endpoint or network event. - - example: domain-name diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 660f3ba797..f32ee6316f 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -5961,6 +5961,98 @@ \ not required, you can use a MITRE ATT&CK\xAE group reference URL." example: https://attack.mitre.org/groups/G0037/ default_field: false + - name: indicator.confidence + level: extended + type: keyword + ignore_above: 1024 + description: "Identifies the confidence rating assigned by the provider using\ + \ STIX confidence scales.\nRecommended values:\n * Not Specified, None, Low,\ + \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ + \ * WEP Scale (Impossible - Certain)" + example: High + default_field: false + - name: indicator.description + level: extended + type: keyword + ignore_above: 1024 + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. + default_field: false + - name: indicator.email.address + level: extended + type: keyword + ignore_above: 1024 + description: Identifies a threat indicator as an email address (irrespective + of direction). + example: phish@example.com + default_field: false + - name: indicator.first_seen + level: extended + type: date + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: indicator.ip + level: extended + type: ip + description: Identifies a threat indicator as an IP address (irrespective of + direction). + example: 1.2.3.4 + default_field: false + - name: indicator.last_seen + level: extended + type: date + description: The date and time when intelligence source last reported sighting + this indicator. 
+ example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: indicator.marking.tlp + level: extended + type: keyword + ignore_above: 1024 + description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: WHITE + default_field: false + - name: indicator.modified_at + level: extended + type: date + description: The date and time when intelligence source last modified information + for this indicator. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: indicator.port + level: extended + type: long + description: Identifies a threat indicator as a port number (irrespective of + direction). + example: 443 + default_field: false + - name: indicator.scanner_stats + level: extended + type: long + description: Count of AV/EDR vendors that successfully detected malicious file + or URL. + example: 4 + default_field: false + - name: indicator.sightings + level: extended + type: long + description: Number of times this indicator was observed conducting threat activity. + example: 20 + default_field: false + - name: indicator.type + level: extended + type: keyword + ignore_above: 1024 + description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ + Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ + \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ + \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ + \ * user-account\n * windows-registry-key\n * x509-certificate" + example: ipv4-addr + default_field: false - name: software.id level: extended type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 2c115388ac..d385d51ccb 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -683,6 +683,18 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.11.0-dev,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. 1.11.0-dev,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. 1.11.0-dev,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. +1.11.0-dev,true,threat,threat.indicator.confidence,keyword,extended,,High,Indicator confidence rating +1.11.0-dev,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description +1.11.0-dev,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +1.11.0-dev,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. +1.11.0-dev,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address +1.11.0-dev,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. +1.11.0-dev,true,threat,threat.indicator.marking.tlp,keyword,extended,,WHITE,Indicator TLP marking +1.11.0-dev,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. +1.11.0-dev,true,threat,threat.indicator.port,long,extended,,443,Indicator port +1.11.0-dev,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics +1.11.0-dev,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed +1.11.0-dev,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator 1.11.0-dev,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software 1.11.0-dev,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software. 1.11.0-dev,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software. 
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 2c407fd205..edfb920366 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -8734,6 +8734,156 @@ threat.group.reference: normalize: [] short: Reference URL of the group. type: keyword +threat.indicator.confidence: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-confidence + description: "Identifies the confidence rating assigned by the provider using STIX\ + \ confidence scales.\nRecommended values:\n * Not Specified, None, Low, Medium,\ + \ High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n * WEP Scale\ + \ (Impossible - Certain)" + example: High + flat_name: threat.indicator.confidence + ignore_above: 1024 + level: extended + name: indicator.confidence + normalize: [] + short: Indicator confidence rating + type: keyword +threat.indicator.description: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-description + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. + flat_name: threat.indicator.description + ignore_above: 1024 + level: extended + name: indicator.description + normalize: [] + short: Indicator description + type: keyword +threat.indicator.email.address: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-email-address + description: Identifies a threat indicator as an email address (irrespective of + direction). + example: phish@example.com + flat_name: threat.indicator.email.address + ignore_above: 1024 + level: extended + name: indicator.email.address + normalize: [] + short: Indicator email address + type: keyword +threat.indicator.first_seen: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-first-seen + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.first_seen + level: extended + name: indicator.first_seen + normalize: [] + short: Date/time indicator was first reported. 
+ type: date +threat.indicator.ip: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-ip + description: Identifies a threat indicator as an IP address (irrespective of direction). + example: 1.2.3.4 + flat_name: threat.indicator.ip + level: extended + name: indicator.ip + normalize: [] + short: Indicator IP address + type: ip +threat.indicator.last_seen: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-last-seen + description: The date and time when intelligence source last reported sighting this + indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.last_seen + level: extended + name: indicator.last_seen + normalize: [] + short: Date/time indicator was last reported. + type: date +threat.indicator.marking.tlp: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-marking-tlp + description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: WHITE + flat_name: threat.indicator.marking.tlp + ignore_above: 1024 + level: extended + name: indicator.marking.tlp + normalize: [] + short: Indicator TLP marking + type: keyword +threat.indicator.modified_at: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-modified-at + description: The date and time when intelligence source last modified information + for this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.modified_at + level: extended + name: indicator.modified_at + normalize: [] + short: Date/time indicator was last updated. + type: date +threat.indicator.port: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-port + description: Identifies a threat indicator as a port number (irrespective of direction). 
+ example: 443 + flat_name: threat.indicator.port + level: extended + name: indicator.port + normalize: [] + short: Indicator port + type: long +threat.indicator.scanner_stats: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-scanner-stats + description: Count of AV/EDR vendors that successfully detected malicious file or + URL. + example: 4 + flat_name: threat.indicator.scanner_stats + level: extended + name: indicator.scanner_stats + normalize: [] + short: Scanner statistics + type: long +threat.indicator.sightings: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-sightings + description: Number of times this indicator was observed conducting threat activity. + example: 20 + flat_name: threat.indicator.sightings + level: extended + name: indicator.sightings + normalize: [] + short: Number of times indicator observed + type: long +threat.indicator.type: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-type + description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ + Recommended values:\n * autonomous-system\n * artifact\n * directory\n * domain-name\n\ + \ * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n * mac-addr\n * mutex\n\ + \ * port\n * process\n * software\n * url\n * user-account\n * windows-registry-key\n\ + \ * x509-certificate" + example: ipv4-addr + flat_name: threat.indicator.type + ignore_above: 1024 + level: extended + name: indicator.type + normalize: [] + short: Type of indicator + type: keyword threat.software.id: beta: This field is beta and subject to change. dashed_name: threat-software-id diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 26d8ed3313..8bf64099eb 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -10392,6 +10392,158 @@ threat: normalize: [] short: Reference URL of the group. type: keyword + threat.indicator.confidence: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-confidence + description: "Identifies the confidence rating assigned by the provider using\ + \ STIX confidence scales.\nRecommended values:\n * Not Specified, None, Low,\ + \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ + \ * WEP Scale (Impossible - Certain)" + example: High + flat_name: threat.indicator.confidence + ignore_above: 1024 + level: extended + name: indicator.confidence + normalize: [] + short: Indicator confidence rating + type: keyword + threat.indicator.description: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-description + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. + flat_name: threat.indicator.description + ignore_above: 1024 + level: extended + name: indicator.description + normalize: [] + short: Indicator description + type: keyword + threat.indicator.email.address: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-email-address + description: Identifies a threat indicator as an email address (irrespective + of direction). + example: phish@example.com + flat_name: threat.indicator.email.address + ignore_above: 1024 + level: extended + name: indicator.email.address + normalize: [] + short: Indicator email address + type: keyword + threat.indicator.first_seen: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-first-seen + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.first_seen + level: extended + name: indicator.first_seen + normalize: [] + short: Date/time indicator was first reported. 
+ type: date + threat.indicator.ip: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-ip + description: Identifies a threat indicator as an IP address (irrespective of + direction). + example: 1.2.3.4 + flat_name: threat.indicator.ip + level: extended + name: indicator.ip + normalize: [] + short: Indicator IP address + type: ip + threat.indicator.last_seen: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-last-seen + description: The date and time when intelligence source last reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.last_seen + level: extended + name: indicator.last_seen + normalize: [] + short: Date/time indicator was last reported. + type: date + threat.indicator.marking.tlp: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-marking-tlp + description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: WHITE + flat_name: threat.indicator.marking.tlp + ignore_above: 1024 + level: extended + name: indicator.marking.tlp + normalize: [] + short: Indicator TLP marking + type: keyword + threat.indicator.modified_at: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-modified-at + description: The date and time when intelligence source last modified information + for this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.modified_at + level: extended + name: indicator.modified_at + normalize: [] + short: Date/time indicator was last updated. + type: date + threat.indicator.port: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-port + description: Identifies a threat indicator as a port number (irrespective of + direction). 
+ example: 443 + flat_name: threat.indicator.port + level: extended + name: indicator.port + normalize: [] + short: Indicator port + type: long + threat.indicator.scanner_stats: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-scanner-stats + description: Count of AV/EDR vendors that successfully detected malicious file + or URL. + example: 4 + flat_name: threat.indicator.scanner_stats + level: extended + name: indicator.scanner_stats + normalize: [] + short: Scanner statistics + type: long + threat.indicator.sightings: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-sightings + description: Number of times this indicator was observed conducting threat activity. + example: 20 + flat_name: threat.indicator.sightings + level: extended + name: indicator.sightings + normalize: [] + short: Number of times indicator observed + type: long + threat.indicator.type: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-type + description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ + Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ + \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ + \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ + \ * user-account\n * windows-registry-key\n * x509-certificate" + example: ipv4-addr + flat_name: threat.indicator.type + ignore_above: 1024 + level: extended + name: indicator.type + normalize: [] + short: Type of indicator + type: keyword threat.software.id: beta: This field is beta and subject to change. dashed_name: threat-software-id diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index 8e755b6a7b..4ca7bee1be 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json 
@@ -3181,6 +3181,59 @@ } } }, + "indicator": { + "properties": { + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "first_seen": { + "type": "date" + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "port": { + "type": "long" + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "software": { "properties": { "id": { diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 1943976f14..9b2c1212bc 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -3177,6 +3177,59 @@ } } }, + "indicator": { + "properties": { + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "first_seen": { + "type": "date" + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "port": { + "type": "long" + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "software": { "properties": { "id": { diff --git a/generated/elasticsearch/component/threat.json b/generated/elasticsearch/component/threat.json index 3a00f1d6cb..ad8a613d60 100644 --- a/generated/elasticsearch/component/threat.json 
+++ b/generated/elasticsearch/component/threat.json @@ -32,6 +32,59 @@ } } }, + "indicator": { + "properties": { + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "first_seen": { + "type": "date" + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "port": { + "type": "long" + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "software": { "properties": { "id": { diff --git a/schemas/threat.yml b/schemas/threat.yml index acb36a2115..8b55fc49a8 100644 --- a/schemas/threat.yml +++ b/schemas/threat.yml 
@@ -66,6 +66,158 @@ example: "https://attack.mitre.org/groups/G0037/" + - name: indicator.first_seen + level: extended + type: date + short: Date/time indicator was first reported. + beta: This field is beta and subject to change. + description: > + The date and time when intelligence source first reported sighting this indicator. + + example: "2020-11-05T17:25:47.000Z" + + - name: indicator.last_seen + level: extended + type: date + short: Date/time indicator was last reported. + beta: This field is beta and subject to change. + description: > + The date and time when intelligence source last reported sighting this indicator. + + example: "2020-11-05T17:25:47.000Z" + + - name: indicator.modified_at + level: extended + type: date + short: Date/time indicator was last updated. + beta: This field is beta and subject to change. + description: > + The date and time when intelligence source last modified information for this indicator. + + example: "2020-11-05T17:25:47.000Z" + + - name: indicator.sightings + level: extended + type: long + short: Number of times indicator observed + beta: This field is beta and subject to change. + description: > + Number of times this indicator was observed conducting threat activity. + + example: 20 + + - name: indicator.type + level: extended + type: keyword + short: Type of indicator + beta: This field is beta and subject to change. + description: > + Type of indicator as represented by Cyber Observable in STIX 2.0. + + Recommended values: + * autonomous-system + * artifact + * directory + * domain-name + * email-addr + * file + * ipv4-addr + * ipv6-addr + * mac-addr + * mutex + * port + * process + * software + * url + * user-account + * windows-registry-key + * x509-certificate + + example: ipv4-addr + + - name: indicator.description + level: extended + type: keyword + short: Indicator description + beta: This field is beta and subject to change. + description: > + Describes the type of action conducted by the threat. 
+ + example: IP x.x.x.x was observed delivering the Angler EK. + + - name: indicator.scanner_stats + level: extended + type: long + short: Scanner statistics + beta: This field is beta and subject to change. + description: > + Count of AV/EDR vendors that successfully detected malicious file or URL. + + example: 4 + + - name: indicator.confidence + level: extended + type: keyword + short: Indicator confidence rating + beta: This field is beta and subject to change. + description: > + Identifies the confidence rating assigned by the provider using STIX confidence scales. + + Recommended values: + * Not Specified, None, Low, Medium, High + * 0-10 + * Admirality Scale (1-6) + * DNI Scale (5-95) + * WEP Scale (Impossible - Certain) + + example: High + + - name: indicator.ip + level: extended + type: ip + short: Indicator IP address + beta: This field is beta and subject to change. + description: > + Identifies a threat indicator as an IP address (irrespective of direction). + + example: 1.2.3.4 + + - name: indicator.port + level: extended + type: long + short: Indicator port + beta: This field is beta and subject to change. + description: > + Identifies a threat indicator as a port number (irrespective of direction). + + example: 443 + + - name: indicator.email.address + level: extended + type: keyword + short: Indicator email address + beta: This field is beta and subject to change. + description: > + Identifies a threat indicator as an email address (irrespective of direction). + + example: phish@example.com + + - name: indicator.marking.tlp + level: extended + type: keyword + short: Indicator TLP marking + beta: This field is beta and subject to change. + description: > + Traffic Light Protocol sharing markings. + + Recommended values are: + * WHITE + * GREEN + * AMBER + * RED + + example: WHITE + - name: software.id level: extended type: keyword
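Review bot: The new indicator.type entry in schemas/threat.yml says the list is "as represented by Cyber Observable in STIX 2.0", yet `port`, added to the recommended values here, is not a STIX 2.0 Cyber Observable type; the description should state the extension, e.g. `Type of indicator as represented by Cyber Observable in STIX 2.0, extended with port for port-number indicators.` The indicator.confidence description misspells the scale name and should read `* Admiralty Scale (1-6)`. indicator.description is now `type: keyword`, and the generated templates in this commit emit it with ignore_above 1024, so descriptions longer than 1024 characters will not be indexed or searchable; if that is intended, a sentence in the description saying so would save users a surprise. The enclosing fields list starts outside the hunk.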