elastic · ebeahan · Jun 23, 2021 · Mar 8, 2021 · Mar 8, 2021 · Mar 15, 2021
diff --git a/rfcs/text/0008-threat-intel.md b/rfcs/text/0008-threat-intel.md
diff --git a/rfcs/text/0008/as.yml b/rfcs/text/0008/as.yml
diff --git a/rfcs/text/0008/file.yml b/rfcs/text/0008/file.yml
diff --git a/rfcs/text/0008/geo.yml b/rfcs/text/0008/geo.yml
diff --git a/rfcs/text/0008/hash.yml b/rfcs/text/0008/hash.yml
diff --git a/rfcs/text/0008/pe.yml b/rfcs/text/0008/pe.yml
diff --git a/rfcs/text/0008/registry.yml b/rfcs/text/0008/registry.yml
diff --git a/rfcs/text/0008/threat.yml b/rfcs/text/0008/threat.yml
@@ -37,7 +37,7 @@
     description: >
       Type of indicator as represented by Cyber Observable in STIX 2.0.
 
-      Expected values
+      Recommended values
         * autonomous-system
         * artifact
         * directory
@@ -48,6 +48,7 @@
         * ipv6-addr
         * mac-addr
         * mutex
+        * port
         * process
         * software
         * url
@@ -59,7 +60,7 @@
 
   - name: indicator.description
     level: extended
-    type: wildcard
+    type: keyword
     short: Indicator description
     description: >
       Describes the type of action conducted by the threat.
@@ -75,14 +76,6 @@
 
     example: 4
 
-  - name: indicator.provider
-    level: extended
-    type: keyword
-    description: >
-      Identifies the name of the intelligence provider.
-
-    example: VirusTotal
-
   - name: indicator.confidence
     level: extended
     type: keyword
@@ -99,24 +92,6 @@
 
     example: High
 
-  - name: indicator.module
-    level: extended
-    type: keyword
-    short: Indicator module
-    description: >
-      Identifies the name of specific module this data is coming from.
-
-    example: threatintel
-
-  - name: indicator.dataset
-    level: extended
-    type: keyword
-    short: Indicator dataset
-    description: >
-      Identifies the name of specific dataset from the intelligence source.
-
-    example: threatintel.abusemalware
-
   - name: indicator.ip
     level: extended
     type: ip
@@ -126,15 +101,6 @@
 
     example: 1.2.3.4
 
-  - name: indicator.domain
-    level: extended
-    type: keyword
-    short: Indicator domain name
-    description: >
-      Identifies a threat indicator as a domain (irrespective of direction).
-
-    example: example.com
-
   - name: indicator.port
     level: extended
     type: long
@@ -160,37 +126,10 @@
     description: >
       Traffic Light Protocol sharing markings.
 
-      Expected values are:
-        * White
-        * Green
-        * Amber
-        * Red
+      Recommended values are:
+        * WHITE
+        * GREEN
+        * AMBER
+        * RED
 
     example: White
-
-  - name: indicator.matched.atomic
-    level: extended
-    type: keyword
-    short: Indicator atomic match
-    description: >
-      Identifies the atomic indicator that matched a local environment endpoint or network event.
-
-    example: example.com
-
-  - name: indicator.matched.field
-    level: extended
-    type: keyword
-    short: Indicator field match
-    description: >
-      Identifies the field of the atomic indicator that matched a local environment endpoint or network event.
-
-    example: file.hash.sha256
-
-  - name: indicator.matched.type
-    level: extended
-    type: keyword
-    short: Indicator type match
-    description: >
-      Identifies the type of the atomic indicator that matched a local environment endpoint or network event.
-
-    example: domain-name
diff --git a/rfcs/text/0008/url.yml b/rfcs/text/0008/url.yml
diff --git a/rfcs/text/0008/x509.yml b/rfcs/text/0008/x509.yml