From c809d0501a2c42d134a9a833c78406d6288b9ede Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Wed, 26 May 2021 15:52:46 -0500 Subject: [PATCH 1/3] move threat fields into main schema --- code/go/ecs/threat.go | 59 ++++++ docs/field-details.asciidoc | 193 ++++++++++++++++++ experimental/generated/beats/fields.ecs.yml | 10 +- experimental/generated/csv/fields.csv | 2 +- experimental/generated/ecs/ecs_flat.yml | 21 +- experimental/generated/ecs/ecs_nested.yml | 21 +- experimental/schemas/threat.yml | 100 --------- generated/beats/fields.ecs.yml | 83 ++++++++ generated/csv/fields.csv | 9 + generated/ecs/ecs_flat.yml | 129 ++++++++++++ generated/ecs/ecs_nested.yml | 129 ++++++++++++ generated/elasticsearch/6/template.json | 44 ++++ generated/elasticsearch/7/template.json | 44 ++++ generated/elasticsearch/component/threat.json | 44 ++++ schemas/threat.yml | 108 ++++++++++ 15 files changed, 878 insertions(+), 118 deletions(-) diff --git a/code/go/ecs/threat.go b/code/go/ecs/threat.go index 0df5e08049..ae3ef6f0b4 100644 --- a/code/go/ecs/threat.go +++ b/code/go/ecs/threat.go 
@@ -34,6 +34,65 @@ type Threat struct {
 // retrospectively tagged to events.
 Framework string `ecs:"framework"`
 
+ // The alias(es) of the group for a set of related intrusion activity that
+ // are tracked by a common name in the security community. While not
+ // required, you can use a MITRE ATT&CK® group alias(es).
+ GroupAlias string `ecs:"group.alias"`
+
+ // The id of the group for a set of related intrusion activity that are
+ // tracked by a common name in the security community. While not required,
+ // you can use a MITRE ATT&CK® group id.
+ GroupID string `ecs:"group.id"`
+
+ // The name of the group for a set of related intrusion activity that are
+ // tracked by a common name in the security community. While not required,
+ // you can use a MITRE ATT&CK® group name.
+ GroupName string `ecs:"group.name"`
+
+ // The reference URL of the group for a set of related intrusion activity
+ // that are tracked by a common name in the security community. While not
+ // required, you can use a MITRE ATT&CK® group reference URL.
+ GroupReference string `ecs:"group.reference"`
+
+ // The id of the software used by this threat to conduct behavior commonly
+ // modeled using MITRE ATT&CK®. While not required, you can use a MITRE
+ // ATT&CK® software id.
+ SoftwareID string `ecs:"software.id"`
+
+ // The name of the software used by this threat to conduct behavior
+ // commonly modeled using MITRE ATT&CK®. While not required, you can use a
+ // MITRE ATT&CK® software name.
+ SoftwareName string `ecs:"software.name"`
+
+ // The platforms of the software used by this threat to conduct behavior
+ // commonly modeled using MITRE ATT&CK®. While not required, you can use a
+ // MITRE ATT&CK® software platforms.
+ // Recommended Values:
+ // * AWS
+ // * Azure
+ // * Azure AD
+ // * GCP
+ // * Linux
+ // * macOS
+ // * Network
+ // * Office 365
+ // * SaaS
+ // * Windows
+ SoftwarePlatforms string `ecs:"software.platforms"`
+
+ // The reference URL of the software used by this threat to conduct
+ // behavior commonly modeled using MITRE ATT&CK®. While not required, you
+ // can use a MITRE ATT&CK® software reference URL.
+ SoftwareReference string `ecs:"software.reference"`
+
+ // The type of software used by this threat to conduct behavior commonly
+ // modeled using MITRE ATT&CK®. While not required, you can use a MITRE
+ // ATT&CK® software type.
+ // Recommended values
+ // * Malware
+ // * Tool
+ SoftwareType string `ecs:"software.type"`
+
 // The id of tactic used by this threat. You can use a MITRE ATT&CK®
 // tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )
 TacticID string `ecs:"tactic.id"`
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index b11b2a4aef..b32c529f0b 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
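Review bot: `SoftwarePlatforms` is a scalar `string` whose comment now reads "The platforms" (plural), yet the generated schema in the same patch keeps `normalize: []` for `threat.software.platforms` while `threat.group.alias` is marked `array`; a multi-valued description on a single-valued field invites producers to fill it inconsistently (comma-joined strings vs. one value), which hurts later filtering on platform. Either add `array` normalization for `software.platforms` in the source schema so the docs, CSV and this struct comment agree, or make the single-value contract explicit in the comment, e.g. `// One platform per event; use a separate event or field for additional platforms.` If this file is emitted by the schema generator, the correction belongs in schemas/threat.yml rather than here. The two value lists also carry different headers, `// Recommended Values:` and `// Recommended values`; settling on one form keeps the generated comments uniform. The enclosing `Threat` struct begins and ends outside the hunk.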
@@ -7554,6 +7554,199 @@ example: `MITRE ATT&CK` // =============================================================== +| +[[field-threat-group-alias]] +<> + +| beta:[ This field is beta and subject to change. ] + +The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group alias(es). + +type: keyword + + +Note: this field should contain an array of values. + + + +example: `[ "Magecart Group 6" ]` + +| extended + +// =============================================================== + +| +[[field-threat-group-id]] +<> + +| beta:[ This field is beta and subject to change. ] + +The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group id. + +type: keyword + + + +example: `G0037` + +| extended + +// =============================================================== + +| +[[field-threat-group-name]] +<> + +| beta:[ This field is beta and subject to change. ] + +The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group name. + +type: keyword + + + +example: `FIN6` + +| extended + +// =============================================================== + +| +[[field-threat-group-reference]] +<> + +| beta:[ This field is beta and subject to change. ] + +The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group reference URL. + +type: keyword + + + +example: `https://attack.mitre.org/groups/G0037/` + +| extended + +// =============================================================== + +| +[[field-threat-software-id]] +<> + +| beta:[ This field is beta and subject to change. 
] + +The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software id. + +type: keyword + + + +example: `S0552` + +| extended + +// =============================================================== + +| +[[field-threat-software-name]] +<> + +| beta:[ This field is beta and subject to change. ] + +The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software name. + +type: keyword + + + +example: `AdFind` + +| extended + +// =============================================================== + +| +[[field-threat-software-platforms]] +<> + +| beta:[ This field is beta and subject to change. ] + +The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software platforms. + +Recommended Values: + + * AWS + + * Azure + + * Azure AD + + * GCP + + * Linux + + * macOS + + * Network + + * Office 365 + + * SaaS + + * Windows + +type: keyword + + + +example: `Windows` + +| extended + +// =============================================================== + +| +[[field-threat-software-reference]] +<> + +| beta:[ This field is beta and subject to change. ] + +The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software reference URL. + +type: keyword + + + +example: `https://attack.mitre.org/software/S0552/` + +| extended + +// =============================================================== + +| +[[field-threat-software-type]] +<> + +| beta:[ This field is beta and subject to change. ] + +The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software type. 
+ +Recommended values + + * Malware + + * Tool + +type: keyword + + + +example: `Tool` + +| extended + +// =============================================================== + | [[field-threat-tactic-id]] <> diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 4e0d36e184..b70ebeb138 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -7915,11 +7915,11 @@ level: extended type: keyword ignore_above: 1024 - description: "The platform of the software used by this threat to conduct behavior\ + description: "The platforms of the software used by this threat to conduct behavior\ \ commonly modeled using MITRE ATT&CK\xAE. While not required, you can use\ - \ a MITRE ATT&CK\xAE software platform.\nExpected values\n * AWS\n * Azure\n\ - \ * Azure AD\n * GCP\n * Linux\n * macOS\n * Network\n * Office 365\n\ - \ * PRE\n * SaaS\n * Windows" + \ a MITRE ATT&CK\xAE software platforms.\nRecommended Values:\n * AWS\n \ + \ * Azure\n * Azure AD\n * GCP\n * Linux\n * macOS\n * Network\n * Office\ + \ 365\n * SaaS\n * Windows" example: Windows default_field: false - name: software.reference @@ -7937,7 +7937,7 @@ ignore_above: 1024 description: "The type of software used by this threat to conduct behavior commonly\ \ modeled using MITRE ATT&CK\xAE. While not required, you can use a MITRE\ - \ ATT&CK\xAE software type.\nExpected values\n * Malware\n * Tool" + \ ATT&CK\xAE software type.\nRecommended values\n * Malware\n * Tool" example: Tool default_field: false - name: tactic.id diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 91fa826f98..5296c165b8 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -949,7 +949,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev+exp,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator 2.0.0-dev+exp,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software 2.0.0-dev+exp,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software. -2.0.0-dev+exp,true,threat,threat.software.platforms,keyword,extended,,Windows,Platform of the software. +2.0.0-dev+exp,true,threat,threat.software.platforms,keyword,extended,,Windows,Platforms of the software. 2.0.0-dev+exp,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL. 2.0.0-dev+exp,true,threat,threat.software.type,keyword,extended,,Tool,Software type. 2.0.0-dev+exp,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index e6dcabc8dd..94c9d85144 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -10052,6 +10052,7 @@ threat.framework: short: Threat classification framework. type: keyword threat.group.alias: + beta: This field is beta and subject to change. dashed_name: threat-group-alias description: "The alias(es) of the group for a set of related intrusion activity\ \ that are tracked by a common name in the security community. While not required,\ @@ -10066,6 +10067,7 @@ threat.group.alias: short: Alias of the group. type: keyword threat.group.id: + beta: This field is beta and subject to change. dashed_name: threat-group-id description: "The id of the group for a set of related intrusion activity that are\ \ tracked by a common name in the security community. While not required, you\ 
@@ -10079,6 +10081,7 @@ threat.group.id: short: ID of the group. type: keyword threat.group.name: + beta: This field is beta and subject to change. dashed_name: threat-group-name description: "The name of the group for a set of related intrusion activity that\ \ are tracked by a common name in the security community. While not required,\ @@ -10092,6 +10095,7 @@ threat.group.name: short: Name of the group. type: keyword threat.group.reference: + beta: This field is beta and subject to change. dashed_name: threat-group-reference description: "The reference URL of the group for a set of related intrusion activity\ \ that are tracked by a common name in the security community. While not required,\ @@ -11784,6 +11788,7 @@ threat.indicator.type: short: Type of indicator type: keyword threat.software.id: + beta: This field is beta and subject to change. dashed_name: threat-software-id description: "The id of the software used by this threat to conduct behavior commonly\ \ modeled using MITRE ATT&CK\xAE. While not required, you can use a MITRE ATT&CK\xAE\ @@ -11797,6 +11802,7 @@ threat.software.id: short: ID of the software type: keyword threat.software.name: + beta: This field is beta and subject to change. dashed_name: threat-software-name description: "The name of the software used by this threat to conduct behavior commonly\ \ modeled using MITRE ATT&CK\xAE. While not required, you can use a MITRE ATT&CK\xAE\ 
@@ -11810,21 +11816,23 @@ threat.software.name: short: Name of the software. type: keyword threat.software.platforms: + beta: This field is beta and subject to change. dashed_name: threat-software-platforms - description: "The platform of the software used by this threat to conduct behavior\ + description: "The platforms of the software used by this threat to conduct behavior\ \ commonly modeled using MITRE ATT&CK\xAE. While not required, you can use a MITRE\ - \ ATT&CK\xAE software platform.\nExpected values\n * AWS\n * Azure\n * Azure\ - \ AD\n * GCP\n * Linux\n * macOS\n * Network\n * Office 365\n * PRE\n *\ - \ SaaS\n * Windows" + \ ATT&CK\xAE software platforms.\nRecommended Values:\n * AWS\n * Azure\n *\ + \ Azure AD\n * GCP\n * Linux\n * macOS\n * Network\n * Office 365\n * SaaS\n\ + \ * Windows" example: Windows flat_name: threat.software.platforms ignore_above: 1024 level: extended name: software.platforms normalize: [] - short: Platform of the software. + short: Platforms of the software. type: keyword threat.software.reference: + beta: This field is beta and subject to change. dashed_name: threat-software-reference description: "The reference URL of the software used by this threat to conduct behavior\ \ commonly modeled using MITRE ATT&CK\xAE. While not required, you can use a MITRE\ @@ -11838,10 +11846,11 @@ threat.software.reference: short: Software reference URL. type: keyword threat.software.type: + beta: This field is beta and subject to change. dashed_name: threat-software-type description: "The type of software used by this threat to conduct behavior commonly\ \ modeled using MITRE ATT&CK\xAE. While not required, you can use a MITRE ATT&CK\xAE\ - \ software type.\nExpected values\n * Malware\n * Tool" + \ software type.\nRecommended values\n * Malware\n * Tool" example: Tool flat_name: threat.software.type ignore_above: 1024 
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index e3593e5508..7f5656716e 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -12074,6 +12074,7 @@ threat: short: Threat classification framework. type: keyword threat.group.alias: + beta: This field is beta and subject to change. dashed_name: threat-group-alias description: "The alias(es) of the group for a set of related intrusion activity\ \ that are tracked by a common name in the security community. While not required,\ @@ -12088,6 +12089,7 @@ threat: short: Alias of the group. type: keyword threat.group.id: + beta: This field is beta and subject to change. dashed_name: threat-group-id description: "The id of the group for a set of related intrusion activity that\ \ are tracked by a common name in the security community. While not required,\ @@ -12101,6 +12103,7 @@ threat: short: ID of the group. type: keyword threat.group.name: + beta: This field is beta and subject to change. dashed_name: threat-group-name description: "The name of the group for a set of related intrusion activity\ \ that are tracked by a common name in the security community. While not required,\ @@ -12114,6 +12117,7 @@ threat: short: Name of the group. type: keyword threat.group.reference: + beta: This field is beta and subject to change. dashed_name: threat-group-reference description: "The reference URL of the group for a set of related intrusion\ \ activity that are tracked by a common name in the security community. While\ @@ -13809,6 +13813,7 @@ threat: short: Type of indicator type: keyword threat.software.id: + beta: This field is beta and subject to change. dashed_name: threat-software-id description: "The id of the software used by this threat to conduct behavior\ \ commonly modeled using MITRE ATT&CK\xAE. While not required, you can use\ 
@@ -13822,6 +13827,7 @@ threat: short: ID of the software type: keyword threat.software.name: + beta: This field is beta and subject to change. dashed_name: threat-software-name description: "The name of the software used by this threat to conduct behavior\ \ commonly modeled using MITRE ATT&CK\xAE. While not required, you can use\ @@ -13835,21 +13841,23 @@ threat: short: Name of the software. type: keyword threat.software.platforms: + beta: This field is beta and subject to change. dashed_name: threat-software-platforms - description: "The platform of the software used by this threat to conduct behavior\ + description: "The platforms of the software used by this threat to conduct behavior\ \ commonly modeled using MITRE ATT&CK\xAE. While not required, you can use\ - \ a MITRE ATT&CK\xAE software platform.\nExpected values\n * AWS\n * Azure\n\ - \ * Azure AD\n * GCP\n * Linux\n * macOS\n * Network\n * Office 365\n\ - \ * PRE\n * SaaS\n * Windows" + \ a MITRE ATT&CK\xAE software platforms.\nRecommended Values:\n * AWS\n \ + \ * Azure\n * Azure AD\n * GCP\n * Linux\n * macOS\n * Network\n * Office\ + \ 365\n * SaaS\n * Windows" example: Windows flat_name: threat.software.platforms ignore_above: 1024 level: extended name: software.platforms normalize: [] - short: Platform of the software. + short: Platforms of the software. type: keyword threat.software.reference: + beta: This field is beta and subject to change. dashed_name: threat-software-reference description: "The reference URL of the software used by this threat to conduct\ \ behavior commonly modeled using MITRE ATT&CK\xAE. While not required, you\ 
@@ -13863,10 +13871,11 @@ threat: short: Software reference URL. type: keyword threat.software.type: + beta: This field is beta and subject to change. dashed_name: threat-software-type description: "The type of software used by this threat to conduct behavior commonly\ \ modeled using MITRE ATT&CK\xAE. While not required, you can use a MITRE\ - \ ATT&CK\xAE software type.\nExpected values\n * Malware\n * Tool" + \ ATT&CK\xAE software type.\nRecommended values\n * Malware\n * Tool" example: Tool flat_name: threat.software.type ignore_above: 1024 diff --git a/experimental/schemas/threat.yml b/experimental/schemas/threat.yml index dac8061c52..523f909f06 100644 --- a/experimental/schemas/threat.yml +++ b/experimental/schemas/threat.yml 
@@ -194,103 +194,3 @@ Identifies the type of the atomic indicator that matched a local environment endpoint or network event. example: domain-name - - - name: software.id - level: extended - type: keyword - short: ID of the software - description: > - The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software id. - - example: "S0552" - - - name: software.name - level: extended - type: keyword - short: Name of the software. - description: > - The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software name. - - example: "AdFind" - - - name: software.platforms - level: extended - type: keyword - short: Platform of the software. - description: > - The platform of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software platform. - - Expected values - * AWS - * Azure - * Azure AD - * GCP - * Linux - * macOS - * Network - * Office 365 - * PRE - * SaaS - * Windows - - example: "Windows" - - - name: software.reference - level: extended - type: keyword - short: Software reference URL. - description: > - The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software reference URL. - - example: "https://attack.mitre.org/software/S0552/" - - - name: software.type - level: extended - type: keyword - short: Software type. - description: > - The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software type. - - Expected values - * Malware - * Tool - - example: "Tool" - - - name: group.alias - level: extended - type: keyword - short: Alias of the group. 
- description: > - The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group alias(es). - - example: '[ "Magecart Group 6" ]' - normalize: - - array - - - name: group.id - level: extended - type: keyword - short: ID of the group. - description: > - The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group id. - - example: "G0037" - - - name: group.name - level: extended - type: keyword - short: Name of the group. - description: > - The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group name. - - example: "FIN6" - - - name: group.reference - level: extended - type: keyword - short: Reference URL of the group. - description: > - The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group reference URL. - - example: "https://attack.mitre.org/groups/G0037/" diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index a3ee1fdf33..d3680265ab 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -5894,6 +5894,89 @@ can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. example: MITRE ATT&CK + - name: group.alias + level: extended + type: keyword + ignore_above: 1024 + description: "The alias(es) of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group alias(es)." + example: '[ "Magecart Group 6" ]' + default_field: false + - name: group.id + level: extended + type: keyword + ignore_above: 1024 + description: "The id of the group for a set of related intrusion activity that\ + \ are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group id." + example: G0037 + default_field: false + - name: group.name + level: extended + type: keyword + ignore_above: 1024 + description: "The name of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group name." + example: FIN6 + default_field: false + - name: group.reference + level: extended + type: keyword + ignore_above: 1024 + description: "The reference URL of the group for a set of related intrusion\ + \ activity that are tracked by a common name in the security community. While\ + \ not required, you can use a MITRE ATT&CK\xAE group reference URL." + example: https://attack.mitre.org/groups/G0037/ + default_field: false + - name: software.id + level: extended + type: keyword + ignore_above: 1024 + description: "The id of the software used by this threat to conduct behavior\ + \ commonly modeled using MITRE ATT&CK\xAE. While not required, you can use\ + \ a MITRE ATT&CK\xAE software id." 
+ example: S0552 + default_field: false + - name: software.name + level: extended + type: keyword + ignore_above: 1024 + description: "The name of the software used by this threat to conduct behavior\ + \ commonly modeled using MITRE ATT&CK\xAE. While not required, you can use\ + \ a MITRE ATT&CK\xAE software name." + example: AdFind + default_field: false + - name: software.platforms + level: extended + type: keyword + ignore_above: 1024 + description: "The platforms of the software used by this threat to conduct behavior\ + \ commonly modeled using MITRE ATT&CK\xAE. While not required, you can use\ + \ a MITRE ATT&CK\xAE software platforms.\nRecommended Values:\n * AWS\n \ + \ * Azure\n * Azure AD\n * GCP\n * Linux\n * macOS\n * Network\n * Office\ + \ 365\n * SaaS\n * Windows" + example: Windows + default_field: false + - name: software.reference + level: extended + type: keyword + ignore_above: 1024 + description: "The reference URL of the software used by this threat to conduct\ + \ behavior commonly modeled using MITRE ATT&CK\xAE. While not required, you\ + \ can use a MITRE ATT&CK\xAE software reference URL." + example: https://attack.mitre.org/software/S0552/ + default_field: false + - name: software.type + level: extended + type: keyword + ignore_above: 1024 + description: "The type of software used by this threat to conduct behavior commonly\ + \ modeled using MITRE ATT&CK\xAE. While not required, you can use a MITRE\ + \ ATT&CK\xAE software type.\nRecommended values\n * Malware\n * Tool" + example: Tool + default_field: false - name: tactic.id level: extended type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index aaf7bc013a..c9a26649e3 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -678,6 +678,15 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 2.0.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. 2.0.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. +2.0.0-dev,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group. +2.0.0-dev,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. +2.0.0-dev,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. +2.0.0-dev,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. +2.0.0-dev,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software +2.0.0-dev,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software. +2.0.0-dev,true,threat,threat.software.platforms,keyword,extended,,Windows,Platforms of the software. +2.0.0-dev,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL. +2.0.0-dev,true,threat,threat.software.type,keyword,extended,,Tool,Software type. 2.0.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. 2.0.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. 2.0.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index c7f65018b2..b37209c009 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -8642,6 +8642,135 @@ threat.framework: normalize: [] short: Threat classification framework. type: keyword +threat.group.alias: + beta: This field is beta and subject to change. + dashed_name: threat-group-alias + description: "The alias(es) of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group alias(es)." + example: '[ "Magecart Group 6" ]' + flat_name: threat.group.alias + ignore_above: 1024 + level: extended + name: group.alias + normalize: + - array + short: Alias of the group. + type: keyword +threat.group.id: + beta: This field is beta and subject to change. + dashed_name: threat-group-id + description: "The id of the group for a set of related intrusion activity that are\ + \ tracked by a common name in the security community. While not required, you\ + \ can use a MITRE ATT&CK\xAE group id." + example: G0037 + flat_name: threat.group.id + ignore_above: 1024 + level: extended + name: group.id + normalize: [] + short: ID of the group. + type: keyword +threat.group.name: + beta: This field is beta and subject to change. + dashed_name: threat-group-name + description: "The name of the group for a set of related intrusion activity that\ + \ are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group name." + example: FIN6 + flat_name: threat.group.name + ignore_above: 1024 + level: extended + name: group.name + normalize: [] + short: Name of the group. + type: keyword +threat.group.reference: + beta: This field is beta and subject to change. + dashed_name: threat-group-reference + description: "The reference URL of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group reference URL." 
+ example: https://attack.mitre.org/groups/G0037/ + flat_name: threat.group.reference + ignore_above: 1024 + level: extended + name: group.reference + normalize: [] + short: Reference URL of the group. + type: keyword +threat.software.id: + beta: This field is beta and subject to change. + dashed_name: threat-software-id + description: "The id of the software used by this threat to conduct behavior commonly\ + \ modeled using MITRE ATT&CK\xAE. While not required, you can use a MITRE ATT&CK\xAE\ + \ software id." + example: S0552 + flat_name: threat.software.id + ignore_above: 1024 + level: extended + name: software.id + normalize: [] + short: ID of the software + type: keyword +threat.software.name: + beta: This field is beta and subject to change. + dashed_name: threat-software-name + description: "The name of the software used by this threat to conduct behavior commonly\ + \ modeled using MITRE ATT&CK\xAE. While not required, you can use a MITRE ATT&CK\xAE\ + \ software name." + example: AdFind + flat_name: threat.software.name + ignore_above: 1024 + level: extended + name: software.name + normalize: [] + short: Name of the software. + type: keyword +threat.software.platforms: + beta: This field is beta and subject to change. + dashed_name: threat-software-platforms + description: "The platforms of the software used by this threat to conduct behavior\ + \ commonly modeled using MITRE ATT&CK\xAE. While not required, you can use a MITRE\ + \ ATT&CK\xAE software platforms.\nRecommended Values:\n * AWS\n * Azure\n *\ + \ Azure AD\n * GCP\n * Linux\n * macOS\n * Network\n * Office 365\n * SaaS\n\ + \ * Windows" + example: Windows + flat_name: threat.software.platforms + ignore_above: 1024 + level: extended + name: software.platforms + normalize: [] + short: Platforms of the software. + type: keyword +threat.software.reference: + beta: This field is beta and subject to change. 
+ dashed_name: threat-software-reference + description: "The reference URL of the software used by this threat to conduct behavior\ + \ commonly modeled using MITRE ATT&CK\xAE. While not required, you can use a MITRE\ + \ ATT&CK\xAE software reference URL." + example: https://attack.mitre.org/software/S0552/ + flat_name: threat.software.reference + ignore_above: 1024 + level: extended + name: software.reference + normalize: [] + short: Software reference URL. + type: keyword +threat.software.type: + beta: This field is beta and subject to change. + dashed_name: threat-software-type + description: "The type of software used by this threat to conduct behavior commonly\ + \ modeled using MITRE ATT&CK\xAE. While not required, you can use a MITRE ATT&CK\xAE\ + \ software type.\nRecommended values\n * Malware\n * Tool" + example: Tool + flat_name: threat.software.type + ignore_above: 1024 + level: extended + name: software.type + normalize: [] + short: Software type. + type: keyword threat.tactic.id: dashed_name: threat-tactic-id description: "The id of tactic used by this threat. You can use a MITRE ATT&CK\xAE\ diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 63f21fd256..5f15a96b44 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -10300,6 +10300,135 @@ threat:
 normalize: []
 short: Threat classification framework.
 type: keyword
+ threat.group.alias:
+ beta: This field is beta and subject to change.
+ dashed_name: threat-group-alias
+ description: "The alias(es) of the group for a set of related intrusion activity\ \ that are tracked by a common name in the security community. While not required,\ \ you can use a MITRE ATT&CK\xAE group alias(es)."
+ example: '[ "Magecart Group 6" ]'
+ flat_name: threat.group.alias
+ ignore_above: 1024
+ level: extended
+ name: group.alias
+ normalize:
+ - array
+ short: Alias of the group.
+ type: keyword
+ threat.group.id:
+ beta: This field is beta and subject to change.
+ dashed_name: threat-group-id
+ description: "The id of the group for a set of related intrusion activity that\ \ are tracked by a common name in the security community. While not required,\ \ you can use a MITRE ATT&CK\xAE group id."
+ example: G0037
+ flat_name: threat.group.id
+ ignore_above: 1024
+ level: extended
+ name: group.id
+ normalize: []
+ short: ID of the group.
+ type: keyword
+ threat.group.name:
+ beta: This field is beta and subject to change.
+ dashed_name: threat-group-name
+ description: "The name of the group for a set of related intrusion activity\ \ that are tracked by a common name in the security community. While not required,\ \ you can use a MITRE ATT&CK\xAE group name."
+ example: FIN6
+ flat_name: threat.group.name
+ ignore_above: 1024
+ level: extended
+ name: group.name
+ normalize: []
+ short: Name of the group.
+ type: keyword
+ threat.group.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: threat-group-reference
+ description: "The reference URL of the group for a set of related intrusion\ \ activity that are tracked by a common name in the security community. While\ \ not required, you can use a MITRE ATT&CK\xAE group reference URL."
+ example: https://attack.mitre.org/groups/G0037/
+ flat_name: threat.group.reference
+ ignore_above: 1024
+ level: extended
+ name: group.reference
+ normalize: []
+ short: Reference URL of the group.
+ type: keyword
+ threat.software.id:
+ beta: This field is beta and subject to change.
+ dashed_name: threat-software-id
+ description: "The id of the software used by this threat to conduct behavior\ \ commonly modeled using MITRE ATT&CK\xAE. While not required, you can use\ \ a MITRE ATT&CK\xAE software id."
+ example: S0552
+ flat_name: threat.software.id
+ ignore_above: 1024
+ level: extended
+ name: software.id
+ normalize: []
+ short: ID of the software
+ type: keyword
+ threat.software.name:
+ beta: This field is beta and subject to change.
+ dashed_name: threat-software-name
+ description: "The name of the software used by this threat to conduct behavior\ \ commonly modeled using MITRE ATT&CK\xAE. While not required, you can use\ \ a MITRE ATT&CK\xAE software name."
+ example: AdFind
+ flat_name: threat.software.name
+ ignore_above: 1024
+ level: extended
+ name: software.name
+ normalize: []
+ short: Name of the software.
+ type: keyword
+ threat.software.platforms:
+ beta: This field is beta and subject to change.
+ dashed_name: threat-software-platforms
+ description: "The platforms of the software used by this threat to conduct behavior\ \ commonly modeled using MITRE ATT&CK\xAE. While not required, you can use\ \ a MITRE ATT&CK\xAE software platforms.\nRecommended Values:\n * AWS\n \ \ * Azure\n * Azure AD\n * GCP\n * Linux\n * macOS\n * Network\n * Office\ \ 365\n * SaaS\n * Windows"
+ example: Windows
+ flat_name: threat.software.platforms
+ ignore_above: 1024
+ level: extended
+ name: software.platforms
+ normalize: []
+ short: Platforms of the software.
+ type: keyword
+ threat.software.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: threat-software-reference
+ description: "The reference URL of the software used by this threat to conduct\ \ behavior commonly modeled using MITRE ATT&CK\xAE. While not required, you\ \ can use a MITRE ATT&CK\xAE software reference URL."
+ example: https://attack.mitre.org/software/S0552/
+ flat_name: threat.software.reference
+ ignore_above: 1024
+ level: extended
+ name: software.reference
+ normalize: []
+ short: Software reference URL.
+ type: keyword
+ threat.software.type:
+ beta: This field is beta and subject to change.
+ dashed_name: threat-software-type
+ description: "The type of software used by this threat to conduct behavior commonly\ \ modeled using MITRE ATT&CK\xAE. While not required, you can use a MITRE\ \ ATT&CK\xAE software type.\nRecommended values\n * Malware\n * Tool"
+ example: Tool
+ flat_name: threat.software.type
+ ignore_above: 1024
+ level: extended
+ name: software.type
+ normalize: []
+ short: Software type.
+ type: keyword
 threat.tactic.id:
 dashed_name: threat-tactic-id
 description: "The id of tactic used by this threat. You can use a MITRE ATT&CK\xAE\
diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json
index b7d1740c69..ecb92ce267 100644
--- a/generated/elasticsearch/6/template.json
+++ b/generated/elasticsearch/6/template.json
@@ -3157,6 +3157,50 @@
 "ignore_above": 1024,
 "type": "keyword"
 },
+ "group": {
+ "properties": {
+ "alias": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "software": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "platforms": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
 "tactic": {
 "properties": {
 "id": {
diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json
index 4a071008ce..10d40418ff 100644
--- a/generated/elasticsearch/7/template.json
+++ b/generated/elasticsearch/7/template.json
@@ -3153,6 +3153,50 @@
 "ignore_above": 1024,
 "type": "keyword"
 },
+ "group": {
+ "properties": {
+ "alias": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "software": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "platforms": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
 "tactic": {
 "properties": {
 "id": {
diff --git a/generated/elasticsearch/component/threat.json b/generated/elasticsearch/component/threat.json
index 4f3a4a36c8..e976bd78fa 100644
--- a/generated/elasticsearch/component/threat.json
+++ b/generated/elasticsearch/component/threat.json
@@ -12,6 +12,50 @@
 "ignore_above": 1024,
 "type": "keyword"
 },
+ "group": {
+ "properties": {
+ "alias": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "software": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "platforms": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
 "tactic": {
 "properties": {
 "id": {
diff --git a/schemas/threat.yml b/schemas/threat.yml
index 62477b28a1..ba74eb68ff 100644
--- a/schemas/threat.yml
+++ b/schemas/threat.yml
@@ -24,6 +24,114 @@
 example: MITRE ATT&CK
+ - name: group.alias
+ level: extended
+ type: keyword
+ short: Alias of the group.
+ beta: This field is beta and subject to change.
+ description: >
+ The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group alias(es).
+
+ example: '[ "Magecart Group 6" ]'
+ normalize:
+ - array
+
+ - name: group.id
+ level: extended
+ type: keyword
+ short: ID of the group.
+ beta: This field is beta and subject to change.
+ description: >
+ The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group id.
+
+ example: "G0037"
+
+ - name: group.name
+ level: extended
+ type: keyword
+ short: Name of the group.
+ beta: This field is beta and subject to change.
+ description: >
+ The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group name.
+
+ example: "FIN6"
+
+ - name: group.reference
+ level: extended
+ type: keyword
+ short: Reference URL of the group.
+ beta: This field is beta and subject to change.
+ description: >
+ The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group reference URL.
+
+ example: "https://attack.mitre.org/groups/G0037/"
+
+ - name: software.id
+ level: extended
+ type: keyword
+ short: ID of the software
+ beta: This field is beta and subject to change.
+ description: >
+ The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software id.
+
+ example: "S0552"
+
+ - name: software.name
+ level: extended
+ type: keyword
+ short: Name of the software.
+ beta: This field is beta and subject to change.
+ description: >
+ The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software name.
+
+ example: "AdFind"
+
+ - name: software.platforms
+ level: extended
+ type: keyword
+ short: Platforms of the software.
+ beta: This field is beta and subject to change.
+ description: >
+ The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software platforms.
+
+ Recommended Values:
+ * AWS
+ * Azure
+ * Azure AD
+ * GCP
+ * Linux
+ * macOS
+ * Network
+ * Office 365
+ * SaaS
+ * Windows
+
+ example: "Windows"
+
+ - name: software.reference
+ level: extended
+ type: keyword
+ short: Software reference URL.
+ beta: This field is beta and subject to change.
+ description: >
+ The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software reference URL.
+
+ example: "https://attack.mitre.org/software/S0552/"
+
+ - name: software.type
+ level: extended
+ type: keyword
+ short: Software type.
+ beta: This field is beta and subject to change.
+ description: >
+ The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software type.
+
+ Recommended values
+ * Malware
+ * Tool
+
+ example: "Tool"
+
 - name: tactic.id
 level: extended
 type: keyword
From ef80f2b3f1555f55588eb2da0c812e8fd037171e Mon Sep 17 00:00:00 2001
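Review bot: The new `short: ID of the software` entry for software.id is the only short description in this hunk without a terminating period, while its siblings read `short: ID of the group.` and `short: Name of the software.`; since the generated CSV and YAML artifacts copy this string verbatim, change it to `short: ID of the software.` here rather than in the generated files. The heading under software.type, `Recommended values`, also differs from the `Recommended Values:` heading used for software.platforms a few lines above, and the two render into the same field-details page, so they should use the same form. Both fields carry recommended lists without an allowed_values block, so consumers cannot rely on the mapping to reject other spellings; that is consistent with the beta status and worth a sentence in the description only if it is intended. The field list this hunk extends starts outside the hunk.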
From: Eric Beahan
Date: Wed, 26 May 2021 16:17:47 -0500
Subject: [PATCH 2/3] platforms should be an array
---
 docs/field-details.asciidoc | 5 ++++-
 experimental/generated/beats/fields.ecs.yml | 2 +-
 experimental/generated/csv/fields.csv | 2 +-
 experimental/generated/ecs/ecs_flat.yml | 5 +++--
 experimental/generated/ecs/ecs_nested.yml | 5 +++--
 generated/beats/fields.ecs.yml | 2 +-
 generated/csv/fields.csv | 2 +-
 generated/ecs/ecs_flat.yml | 5 +++--
 generated/ecs/ecs_nested.yml | 5 +++--
 schemas/threat.yml | 4 +++-
 10 files changed, 23 insertions(+), 14 deletions(-)
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index b32c529f0b..c57d1c2e77 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -7698,8 +7698,11 @@ Recommended Values:
 type: keyword
+Note: this field should contain an array of values.
+
+
-example: `Windows`
+example: `[ "Windows" ]`
 | extended
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index b70ebeb138..4c052af80f 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -7920,7 +7920,7 @@
 \ a MITRE ATT&CK\xAE software platforms.\nRecommended Values:\n * AWS\n \
 \ * Azure\n * Azure AD\n * GCP\n * Linux\n * macOS\n * Network\n * Office\
 \ 365\n * SaaS\n * Windows"
- example: Windows
+ example: '[ "Windows" ]'
 default_field: false
 - name: software.reference
 level: extended
diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv
index 5296c165b8..22994b2b6b 100644
--- a/experimental/generated/csv/fields.csv
+++ b/experimental/generated/csv/fields.csv
@@ -949,7 +949,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 2.0.0-dev+exp,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator
 2.0.0-dev+exp,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software
 2.0.0-dev+exp,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software.
-2.0.0-dev+exp,true,threat,threat.software.platforms,keyword,extended,,Windows,Platforms of the software.
+2.0.0-dev+exp,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software.
 2.0.0-dev+exp,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL.
 2.0.0-dev+exp,true,threat,threat.software.type,keyword,extended,,Tool,Software type.
 2.0.0-dev+exp,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id.
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index 94c9d85144..0d4ef826b2 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -11823,12 +11823,13 @@ threat.software.platforms:
 \ ATT&CK\xAE software platforms.\nRecommended Values:\n * AWS\n * Azure\n *\
 \ Azure AD\n * GCP\n * Linux\n * macOS\n * Network\n * Office 365\n * SaaS\n\
 \ * Windows"
- example: Windows
+ example: '[ "Windows" ]'
 flat_name: threat.software.platforms
 ignore_above: 1024
 level: extended
 name: software.platforms
- normalize: []
+ normalize:
+ - array
 short: Platforms of the software.
 type: keyword
 threat.software.reference:
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index 7f5656716e..4fc8974f7f 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -13848,12 +13848,13 @@ threat:
 \ a MITRE ATT&CK\xAE software platforms.\nRecommended Values:\n * AWS\n \
 \ * Azure\n * Azure AD\n * GCP\n * Linux\n * macOS\n * Network\n * Office\
 \ 365\n * SaaS\n * Windows"
- example: Windows
+ example: '[ "Windows" ]'
 flat_name: threat.software.platforms
 ignore_above: 1024
 level: extended
 name: software.platforms
- normalize: []
+ normalize:
+ - array
 short: Platforms of the software.
 type: keyword
 threat.software.reference:
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index d3680265ab..b84f557702 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -5957,7 +5957,7 @@
 \ a MITRE ATT&CK\xAE software platforms.\nRecommended Values:\n * AWS\n \
 \ * Azure\n * Azure AD\n * GCP\n * Linux\n * macOS\n * Network\n * Office\
 \ 365\n * SaaS\n * Windows"
- example: Windows
+ example: '[ "Windows" ]'
 default_field: false
 - name: software.reference
 level: extended
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
index c9a26649e3..5421ae92e0 100644
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
@@ -684,7 +684,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 2.0.0-dev,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group.
 2.0.0-dev,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software
 2.0.0-dev,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software.
-2.0.0-dev,true,threat,threat.software.platforms,keyword,extended,,Windows,Platforms of the software.
+2.0.0-dev,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software.
 2.0.0-dev,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL.
 2.0.0-dev,true,threat,threat.software.type,keyword,extended,,Tool,Software type.
 2.0.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id.
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index b37209c009..71d3f2f359 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -8735,12 +8735,13 @@ threat.software.platforms:
 \ ATT&CK\xAE software platforms.\nRecommended Values:\n * AWS\n * Azure\n *\
 \ Azure AD\n * GCP\n * Linux\n * macOS\n * Network\n * Office 365\n * SaaS\n\
 \ * Windows"
- example: Windows
+ example: '[ "Windows" ]'
 flat_name: threat.software.platforms
 ignore_above: 1024
 level: extended
 name: software.platforms
- normalize: []
+ normalize:
+ - array
 short: Platforms of the software.
 type: keyword
 threat.software.reference:
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index 5f15a96b44..bc7ceea2a0 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -10393,12 +10393,13 @@ threat:
 \ a MITRE ATT&CK\xAE software platforms.\nRecommended Values:\n * AWS\n \
 \ * Azure\n * Azure AD\n * GCP\n * Linux\n * macOS\n * Network\n * Office\
 \ 365\n * SaaS\n * Windows"
- example: Windows
+ example: '[ "Windows" ]'
 flat_name: threat.software.platforms
 ignore_above: 1024
 level: extended
 name: software.platforms
- normalize: []
+ normalize:
+ - array
 short: Platforms of the software.
 type: keyword
 threat.software.reference:
diff --git a/schemas/threat.yml b/schemas/threat.yml
index ba74eb68ff..acb36a2115 100644
--- a/schemas/threat.yml
+++ b/schemas/threat.yml
@@ -106,7 +106,9 @@
 * SaaS
 * Windows
- example: "Windows"
+ example: '[ "Windows" ]'
+ normalize:
+ - array
 - name: software.reference
 level: extended
From 6e2e32b416edf2ef8d8359b065adce2012f81605 Mon Sep 17 00:00:00 2001
From: Eric Beahan
Date: Wed, 26 May 2021 16:19:01 -0500
Subject: [PATCH 3/3] changelog
---
 CHANGELOG.next.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 5f1a2e6401..f135c06e44 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -21,6 +21,7 @@ Thanks, you're awesome :-) -->
 * `elf.*` field set added as beta. #1410
 * Remove `beta` from `orchestrator` field set. #1417
+* Extend `threat.*` field set beta. #1438
 #### Improvements