From deb893b2c6a716a9844c5af53b3bdf24c4a61594 Mon Sep 17 00:00:00 2001
From: Eric Beahan
Date: Tue, 29 Jun 2021 11:26:38 -0500
Subject: [PATCH] update artifacts

---
 generated/ecs/ecs_nested.yml | 315 +++++++++++++++++------------------
 1 file changed, 152 insertions(+), 163 deletions(-)

diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index e12c053fa4..ccff0149f5 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -10221,169 +10221,6 @@ threat: level: extended name: enrichments normalize: [] - short: Reference URL of the group. - type: keyword - threat.indicator.confidence: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-confidence - description: "Identifies the confidence rating assigned by the provider using\ - \ STIX confidence scales.\nRecommended values:\n * Not Specified, None, Low,\ - \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ - \ * WEP Scale (Impossible - Certain)" - example: High - flat_name: threat.indicator.confidence - ignore_above: 1024 - level: extended - name: indicator.confidence - normalize: [] - short: Indicator confidence rating - type: keyword - threat.indicator.description: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-description - description: Describes the type of action conducted by the threat. - example: IP x.x.x.x was observed delivering the Angler EK. - flat_name: threat.indicator.description - ignore_above: 1024 - level: extended - name: indicator.description - normalize: [] - short: Indicator description - type: keyword - threat.indicator.email.address: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-email-address - description: Identifies a threat indicator as an email address (irrespective - of direction). - example: phish@example.com - flat_name: threat.indicator.email.address - ignore_above: 1024 - level: extended - name: indicator.email.address - normalize: [] - short: Indicator email address - type: keyword - threat.indicator.first_seen: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-first-seen - description: The date and time when intelligence source first reported sighting - this indicator. 
- example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.first_seen - level: extended - name: indicator.first_seen - normalize: [] - short: Date/time indicator was first reported. - type: date - threat.indicator.ip: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-ip - description: Identifies a threat indicator as an IP address (irrespective of - direction). - example: 1.2.3.4 - flat_name: threat.indicator.ip - level: extended - name: indicator.ip - normalize: [] - short: Indicator IP address - type: ip - threat.indicator.last_seen: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-last-seen - description: The date and time when intelligence source last reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.last_seen - level: extended - name: indicator.last_seen - normalize: [] - short: Date/time indicator was last reported. - type: date - threat.indicator.marking.tlp: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-marking-tlp - description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ - \ * WHITE\n * GREEN\n * AMBER\n * RED" - example: WHITE - flat_name: threat.indicator.marking.tlp - ignore_above: 1024 - level: extended - name: indicator.marking.tlp - normalize: [] - short: Indicator TLP marking - type: keyword - threat.indicator.modified_at: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-modified-at - description: The date and time when intelligence source last modified information - for this indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.modified_at - level: extended - name: indicator.modified_at - normalize: [] - short: Date/time indicator was last updated. - type: date - threat.indicator.port: - beta: This field is beta and subject to change. 
- dashed_name: threat-indicator-port - description: Identifies a threat indicator as a port number (irrespective of - direction). - example: 443 - flat_name: threat.indicator.port - level: extended - name: indicator.port - normalize: [] - short: Indicator port - type: long - threat.indicator.scanner_stats: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-scanner-stats - description: Count of AV/EDR vendors that successfully detected malicious file - or URL. - example: 4 - flat_name: threat.indicator.scanner_stats - level: extended - name: indicator.scanner_stats - normalize: [] - short: Scanner statistics - type: long - threat.indicator.sightings: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-sightings - description: Number of times this indicator was observed conducting threat activity. - example: 20 - flat_name: threat.indicator.sightings - level: extended - name: indicator.sightings - normalize: [] - short: Number of times indicator observed - type: long - threat.indicator.type: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-type - description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ - Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ - \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ - \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ - \ * user-account\n * windows-registry-key\n * x509-certificate" - example: ipv4-addr - flat_name: threat.indicator.type - ignore_above: 1024 - level: extended - name: indicator.type - normalize: [] - short: Type of indicator - type: keyword - threat.software.id: - beta: This field is beta and subject to change. - dashed_name: threat-software-id - description: "The id of the software used by this threat to conduct behavior\ - \ commonly modeled using MITRE ATT&CK\xAE. While not required, you can use\ - \ a MITRE ATT&CK\xAE software id." 
- example: S0552 - flat_name: threat.software.id - ignore_above: 1024 short: List of indicators enriching the event. type: nested threat.enrichments.as.number: 
@@ -12804,6 +12641,158 @@ threat: normalize: [] short: Reference URL of the group. type: keyword + threat.indicator.confidence: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-confidence + description: "Identifies the confidence rating assigned by the provider using\ + \ STIX confidence scales.\nRecommended values:\n * Not Specified, None, Low,\ + \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ + \ * WEP Scale (Impossible - Certain)" + example: High + flat_name: threat.indicator.confidence + ignore_above: 1024 + level: extended + name: indicator.confidence + normalize: [] + short: Indicator confidence rating + type: keyword + threat.indicator.description: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-description + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. + flat_name: threat.indicator.description + ignore_above: 1024 + level: extended + name: indicator.description + normalize: [] + short: Indicator description + type: keyword + threat.indicator.email.address: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-email-address + description: Identifies a threat indicator as an email address (irrespective + of direction). + example: phish@example.com + flat_name: threat.indicator.email.address + ignore_above: 1024 + level: extended + name: indicator.email.address + normalize: [] + short: Indicator email address + type: keyword + threat.indicator.first_seen: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-first-seen + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.first_seen + level: extended + name: indicator.first_seen + normalize: [] + short: Date/time indicator was first reported. 
+ type: date + threat.indicator.ip: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-ip + description: Identifies a threat indicator as an IP address (irrespective of + direction). + example: 1.2.3.4 + flat_name: threat.indicator.ip + level: extended + name: indicator.ip + normalize: [] + short: Indicator IP address + type: ip + threat.indicator.last_seen: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-last-seen + description: The date and time when intelligence source last reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.last_seen + level: extended + name: indicator.last_seen + normalize: [] + short: Date/time indicator was last reported. + type: date + threat.indicator.marking.tlp: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-marking-tlp + description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: WHITE + flat_name: threat.indicator.marking.tlp + ignore_above: 1024 + level: extended + name: indicator.marking.tlp + normalize: [] + short: Indicator TLP marking + type: keyword + threat.indicator.modified_at: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-modified-at + description: The date and time when intelligence source last modified information + for this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.modified_at + level: extended + name: indicator.modified_at + normalize: [] + short: Date/time indicator was last updated. + type: date + threat.indicator.port: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-port + description: Identifies a threat indicator as a port number (irrespective of + direction). 
+ example: 443 + flat_name: threat.indicator.port + level: extended + name: indicator.port + normalize: [] + short: Indicator port + type: long + threat.indicator.scanner_stats: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-scanner-stats + description: Count of AV/EDR vendors that successfully detected malicious file + or URL. + example: 4 + flat_name: threat.indicator.scanner_stats + level: extended + name: indicator.scanner_stats + normalize: [] + short: Scanner statistics + type: long + threat.indicator.sightings: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-sightings + description: Number of times this indicator was observed conducting threat activity. + example: 20 + flat_name: threat.indicator.sightings + level: extended + name: indicator.sightings + normalize: [] + short: Number of times indicator observed + type: long + threat.indicator.type: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-type + description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ + Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ + \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ + \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ + \ * user-account\n * windows-registry-key\n * x509-certificate" + example: ipv4-addr + flat_name: threat.indicator.type + ignore_above: 1024 + level: extended + name: indicator.type + normalize: [] + short: Type of indicator + type: keyword threat.software.id: beta: This field is beta and subject to change. dashed_name: threat-software-id