-
Notifications
You must be signed in to change notification settings - Fork 419
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
152 additions
and
163 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -10221,169 +10221,6 @@ threat: | |
| level: extended | ||
| name: enrichments | ||
| normalize: [] | ||
| short: Reference URL of the group. | ||
| type: keyword | ||
| threat.indicator.confidence: | ||
| beta: This field is beta and subject to change. | ||
| dashed_name: threat-indicator-confidence | ||
| description: "Identifies the confidence rating assigned by the provider using\ | ||
| \ STIX confidence scales.\nRecommended values:\n * Not Specified, None, Low,\ | ||
| \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ | ||
| \ * WEP Scale (Impossible - Certain)" | ||
| example: High | ||
| flat_name: threat.indicator.confidence | ||
| ignore_above: 1024 | ||
| level: extended | ||
| name: indicator.confidence | ||
| normalize: [] | ||
| short: Indicator confidence rating | ||
| type: keyword | ||
| threat.indicator.description: | ||
| beta: This field is beta and subject to change. | ||
| dashed_name: threat-indicator-description | ||
| description: Describes the type of action conducted by the threat. | ||
| example: IP x.x.x.x was observed delivering the Angler EK. | ||
| flat_name: threat.indicator.description | ||
| ignore_above: 1024 | ||
| level: extended | ||
| name: indicator.description | ||
| normalize: [] | ||
| short: Indicator description | ||
| type: keyword | ||
| threat.indicator.email.address: | ||
| beta: This field is beta and subject to change. | ||
| dashed_name: threat-indicator-email-address | ||
| description: Identifies a threat indicator as an email address (irrespective | ||
| of direction). | ||
| example: [email protected] | ||
| flat_name: threat.indicator.email.address | ||
| ignore_above: 1024 | ||
| level: extended | ||
| name: indicator.email.address | ||
| normalize: [] | ||
| short: Indicator email address | ||
| type: keyword | ||
| threat.indicator.first_seen: | ||
| beta: This field is beta and subject to change. | ||
| dashed_name: threat-indicator-first-seen | ||
| description: The date and time when intelligence source first reported sighting | ||
| this indicator. | ||
| example: '2020-11-05T17:25:47.000Z' | ||
| flat_name: threat.indicator.first_seen | ||
| level: extended | ||
| name: indicator.first_seen | ||
| normalize: [] | ||
| short: Date/time indicator was first reported. | ||
| type: date | ||
| threat.indicator.ip: | ||
| beta: This field is beta and subject to change. | ||
| dashed_name: threat-indicator-ip | ||
| description: Identifies a threat indicator as an IP address (irrespective of | ||
| direction). | ||
| example: 1.2.3.4 | ||
| flat_name: threat.indicator.ip | ||
| level: extended | ||
| name: indicator.ip | ||
| normalize: [] | ||
| short: Indicator IP address | ||
| type: ip | ||
| threat.indicator.last_seen: | ||
| beta: This field is beta and subject to change. | ||
| dashed_name: threat-indicator-last-seen | ||
| description: The date and time when intelligence source last reported sighting | ||
| this indicator. | ||
| example: '2020-11-05T17:25:47.000Z' | ||
| flat_name: threat.indicator.last_seen | ||
| level: extended | ||
| name: indicator.last_seen | ||
| normalize: [] | ||
| short: Date/time indicator was last reported. | ||
| type: date | ||
| threat.indicator.marking.tlp: | ||
| beta: This field is beta and subject to change. | ||
| dashed_name: threat-indicator-marking-tlp | ||
| description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ | ||
| \ * WHITE\n * GREEN\n * AMBER\n * RED" | ||
| example: WHITE | ||
| flat_name: threat.indicator.marking.tlp | ||
| ignore_above: 1024 | ||
| level: extended | ||
| name: indicator.marking.tlp | ||
| normalize: [] | ||
| short: Indicator TLP marking | ||
| type: keyword | ||
| threat.indicator.modified_at: | ||
| beta: This field is beta and subject to change. | ||
| dashed_name: threat-indicator-modified-at | ||
| description: The date and time when intelligence source last modified information | ||
| for this indicator. | ||
| example: '2020-11-05T17:25:47.000Z' | ||
| flat_name: threat.indicator.modified_at | ||
| level: extended | ||
| name: indicator.modified_at | ||
| normalize: [] | ||
| short: Date/time indicator was last updated. | ||
| type: date | ||
| threat.indicator.port: | ||
| beta: This field is beta and subject to change. | ||
| dashed_name: threat-indicator-port | ||
| description: Identifies a threat indicator as a port number (irrespective of | ||
| direction). | ||
| example: 443 | ||
| flat_name: threat.indicator.port | ||
| level: extended | ||
| name: indicator.port | ||
| normalize: [] | ||
| short: Indicator port | ||
| type: long | ||
| threat.indicator.scanner_stats: | ||
| beta: This field is beta and subject to change. | ||
| dashed_name: threat-indicator-scanner-stats | ||
| description: Count of AV/EDR vendors that successfully detected malicious file | ||
| or URL. | ||
| example: 4 | ||
| flat_name: threat.indicator.scanner_stats | ||
| level: extended | ||
| name: indicator.scanner_stats | ||
| normalize: [] | ||
| short: Scanner statistics | ||
| type: long | ||
| threat.indicator.sightings: | ||
| beta: This field is beta and subject to change. | ||
| dashed_name: threat-indicator-sightings | ||
| description: Number of times this indicator was observed conducting threat activity. | ||
| example: 20 | ||
| flat_name: threat.indicator.sightings | ||
| level: extended | ||
| name: indicator.sightings | ||
| normalize: [] | ||
| short: Number of times indicator observed | ||
| type: long | ||
| threat.indicator.type: | ||
| beta: This field is beta and subject to change. | ||
| dashed_name: threat-indicator-type | ||
| description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ | ||
| Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ | ||
| \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ | ||
| \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ | ||
| \ * user-account\n * windows-registry-key\n * x509-certificate" | ||
| example: ipv4-addr | ||
| flat_name: threat.indicator.type | ||
| ignore_above: 1024 | ||
| level: extended | ||
| name: indicator.type | ||
| normalize: [] | ||
| short: Type of indicator | ||
| type: keyword | ||
| threat.software.id: | ||
| beta: This field is beta and subject to change. | ||
| dashed_name: threat-software-id | ||
| description: "The id of the software used by this threat to conduct behavior\ | ||
| \ commonly modeled using MITRE ATT&CK\xAE. While not required, you can use\ | ||
| \ a MITRE ATT&CK\xAE software id." | ||
| example: S0552 | ||
| flat_name: threat.software.id | ||
| ignore_above: 1024 | ||
| short: List of indicators enriching the event. | ||
| type: nested | ||
| threat.enrichments.as.number: | ||
|
|
@@ -12804,6 +12641,158 @@ threat: | |
| normalize: [] | ||
| short: Reference URL of the group. | ||
| type: keyword | ||
| threat.indicator.confidence: | ||
| beta: This field is beta and subject to change. | ||
| dashed_name: threat-indicator-confidence | ||
| description: "Identifies the confidence rating assigned by the provider using\ | ||
| \ STIX confidence scales.\nRecommended values:\n * Not Specified, None, Low,\ | ||
| \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ | ||
| \ * WEP Scale (Impossible - Certain)" | ||
| example: High | ||
| flat_name: threat.indicator.confidence | ||
| ignore_above: 1024 | ||
| level: extended | ||
| name: indicator.confidence | ||
| normalize: [] | ||
| short: Indicator confidence rating | ||
| type: keyword | ||
| threat.indicator.description: | ||
| beta: This field is beta and subject to change. | ||
| dashed_name: threat-indicator-description | ||
| description: Describes the type of action conducted by the threat. | ||
| example: IP x.x.x.x was observed delivering the Angler EK. | ||
| flat_name: threat.indicator.description | ||
| ignore_above: 1024 | ||
| level: extended | ||
| name: indicator.description | ||
| normalize: [] | ||
| short: Indicator description | ||
| type: keyword | ||
| threat.indicator.email.address: | ||
| beta: This field is beta and subject to change. | ||
| dashed_name: threat-indicator-email-address | ||
| description: Identifies a threat indicator as an email address (irrespective | ||
| of direction). | ||
| example: [email protected] | ||
| flat_name: threat.indicator.email.address | ||
| ignore_above: 1024 | ||
| level: extended | ||
| name: indicator.email.address | ||
| normalize: [] | ||
| short: Indicator email address | ||
| type: keyword | ||
| threat.indicator.first_seen: | ||
| beta: This field is beta and subject to change. | ||
| dashed_name: threat-indicator-first-seen | ||
| description: The date and time when intelligence source first reported sighting | ||
| this indicator. | ||
| example: '2020-11-05T17:25:47.000Z' | ||
| flat_name: threat.indicator.first_seen | ||
| level: extended | ||
| name: indicator.first_seen | ||
| normalize: [] | ||
| short: Date/time indicator was first reported. | ||
| type: date | ||
| threat.indicator.ip: | ||
| beta: This field is beta and subject to change. | ||
| dashed_name: threat-indicator-ip | ||
| description: Identifies a threat indicator as an IP address (irrespective of | ||
| direction). | ||
| example: 1.2.3.4 | ||
| flat_name: threat.indicator.ip | ||
| level: extended | ||
| name: indicator.ip | ||
| normalize: [] | ||
| short: Indicator IP address | ||
| type: ip | ||
| threat.indicator.last_seen: | ||
| beta: This field is beta and subject to change. | ||
| dashed_name: threat-indicator-last-seen | ||
| description: The date and time when intelligence source last reported sighting | ||
| this indicator. | ||
| example: '2020-11-05T17:25:47.000Z' | ||
| flat_name: threat.indicator.last_seen | ||
| level: extended | ||
| name: indicator.last_seen | ||
| normalize: [] | ||
| short: Date/time indicator was last reported. | ||
| type: date | ||
| threat.indicator.marking.tlp: | ||
| beta: This field is beta and subject to change. | ||
| dashed_name: threat-indicator-marking-tlp | ||
| description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ | ||
| \ * WHITE\n * GREEN\n * AMBER\n * RED" | ||
| example: WHITE | ||
| flat_name: threat.indicator.marking.tlp | ||
| ignore_above: 1024 | ||
| level: extended | ||
| name: indicator.marking.tlp | ||
| normalize: [] | ||
| short: Indicator TLP marking | ||
| type: keyword | ||
| threat.indicator.modified_at: | ||
| beta: This field is beta and subject to change. | ||
| dashed_name: threat-indicator-modified-at | ||
| description: The date and time when intelligence source last modified information | ||
| for this indicator. | ||
| example: '2020-11-05T17:25:47.000Z' | ||
| flat_name: threat.indicator.modified_at | ||
| level: extended | ||
| name: indicator.modified_at | ||
| normalize: [] | ||
| short: Date/time indicator was last updated. | ||
| type: date | ||
| threat.indicator.port: | ||
| beta: This field is beta and subject to change. | ||
| dashed_name: threat-indicator-port | ||
| description: Identifies a threat indicator as a port number (irrespective of | ||
| direction). | ||
| example: 443 | ||
| flat_name: threat.indicator.port | ||
| level: extended | ||
| name: indicator.port | ||
| normalize: [] | ||
| short: Indicator port | ||
| type: long | ||
| threat.indicator.scanner_stats: | ||
| beta: This field is beta and subject to change. | ||
| dashed_name: threat-indicator-scanner-stats | ||
| description: Count of AV/EDR vendors that successfully detected malicious file | ||
| or URL. | ||
| example: 4 | ||
| flat_name: threat.indicator.scanner_stats | ||
| level: extended | ||
| name: indicator.scanner_stats | ||
| normalize: [] | ||
| short: Scanner statistics | ||
| type: long | ||
| threat.indicator.sightings: | ||
| beta: This field is beta and subject to change. | ||
| dashed_name: threat-indicator-sightings | ||
| description: Number of times this indicator was observed conducting threat activity. | ||
| example: 20 | ||
| flat_name: threat.indicator.sightings | ||
| level: extended | ||
| name: indicator.sightings | ||
| normalize: [] | ||
| short: Number of times indicator observed | ||
| type: long | ||
| threat.indicator.type: | ||
| beta: This field is beta and subject to change. | ||
| dashed_name: threat-indicator-type | ||
| description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ | ||
| Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ | ||
| \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ | ||
| \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ | ||
| \ * user-account\n * windows-registry-key\n * x509-certificate" | ||
| example: ipv4-addr | ||
| flat_name: threat.indicator.type | ||
| ignore_above: 1024 | ||
| level: extended | ||
| name: indicator.type | ||
| normalize: [] | ||
| short: Type of indicator | ||
| type: keyword | ||
| threat.software.id: | ||
| beta: This field is beta and subject to change. | ||
| dashed_name: threat-software-id | ||
|
|
||