Stage 2 changes for RFC 0018 - extending the threat.* field set #1438

Merged (4 commits) on May 27, 2021
1 change: 1 addition & 0 deletions CHANGELOG.next.md
Expand Up @@ -22,6 +22,7 @@ Thanks, you're awesome :-) -->

* `elf.*` field set added as beta. #1410
* Remove `beta` from `orchestrator` field set. #1417
* Extend `threat.*` field set beta. #1438

#### Improvements

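Review bot: the entry `Extend `threat.*` field set beta. #1438` reads as though the beta period is being extended rather than the field set; name what was added, e.g. `Extend the beta `threat.*` field set with `threat.group.*` and `threat.software.*`. #1438`. This entry is also where the removal of `PRE` from the recommended `threat.software.platforms` values and the change of that field to an array (both visible in the `fields.ecs.yml` and `fields.csv` hunks of this PR) belong, since a producer already emitting `PRE` or a scalar platform value should learn about it from the changelog rather than from a diff.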
59 changes: 59 additions & 0 deletions code/go/ecs/threat.go

Some generated files are not rendered by default.

196 changes: 196 additions & 0 deletions docs/field-details.asciidoc
Expand Up @@ -7547,6 +7547,202 @@ example: `MITRE ATT&CK`

// ===============================================================

|
[[field-threat-group-alias]]
<<field-threat-group-alias, threat.group.alias>>

| beta:[ This field is beta and subject to change. ]

The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group alias(es).

type: keyword


Note: this field should contain an array of values.



example: `[ "Magecart Group 6" ]`

| extended

// ===============================================================

|
[[field-threat-group-id]]
<<field-threat-group-id, threat.group.id>>

| beta:[ This field is beta and subject to change. ]

The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group id.

type: keyword



example: `G0037`

| extended

// ===============================================================

|
[[field-threat-group-name]]
<<field-threat-group-name, threat.group.name>>

| beta:[ This field is beta and subject to change. ]

The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group name.

type: keyword



example: `FIN6`

| extended

// ===============================================================

|
[[field-threat-group-reference]]
<<field-threat-group-reference, threat.group.reference>>

| beta:[ This field is beta and subject to change. ]

The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group reference URL.

type: keyword



example: `https://attack.mitre.org/groups/G0037/`

| extended

// ===============================================================

|
[[field-threat-software-id]]
<<field-threat-software-id, threat.software.id>>

| beta:[ This field is beta and subject to change. ]

The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software id.

type: keyword



example: `S0552`

| extended

// ===============================================================

|
[[field-threat-software-name]]
<<field-threat-software-name, threat.software.name>>

| beta:[ This field is beta and subject to change. ]

The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software name.

type: keyword



example: `AdFind`

| extended

// ===============================================================

|
[[field-threat-software-platforms]]
<<field-threat-software-platforms, threat.software.platforms>>

| beta:[ This field is beta and subject to change. ]

The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software platforms.

Recommended Values:

* AWS

* Azure

* Azure AD

* GCP

* Linux

* macOS

* Network

* Office 365

* SaaS

* Windows

type: keyword


Note: this field should contain an array of values.



example: `[ "Windows" ]`

| extended

// ===============================================================

|
[[field-threat-software-reference]]
<<field-threat-software-reference, threat.software.reference>>

| beta:[ This field is beta and subject to change. ]

The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software reference URL.

type: keyword



example: `https://attack.mitre.org/software/S0552/`

| extended

// ===============================================================

|
[[field-threat-software-type]]
<<field-threat-software-type, threat.software.type>>

| beta:[ This field is beta and subject to change. ]

The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software type.

Recommended values

* Malware

* Tool

type: keyword



example: `Tool`

| extended

// ===============================================================

|
[[field-threat-tactic-id]]
<<field-threat-tactic-id, threat.tactic.id>>
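Review bot: two of the generated descriptions carry grammar slips that should be fixed in the schema source rather than in this generated file: `threat.group.alias` says "you can use a MITRE ATT&CK® group alias(es)" and `threat.software.platforms` says "you can use a MITRE ATT&CK® software platforms"; read "you can use MITRE ATT&CK® group aliases" and "you can use MITRE ATT&CK® software platforms". The value-list heading is also inconsistent within the same hunk: `Recommended Values:` under `threat.software.platforms` but `Recommended values` under `threat.software.type`. Since both lists sit on plain `type: keyword` fields with nothing enforcing them, it would help producers to say in the description whether a value outside the list is acceptable (the wording "Recommended" suggests it is) so that ingest pipelines know whether to normalize or reject.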
12 changes: 6 additions & 6 deletions experimental/generated/beats/fields.ecs.yml
Expand Up @@ -7846,12 +7846,12 @@
level: extended
type: keyword
ignore_above: 1024
description: "The platform of the software used by this threat to conduct behavior\
description: "The platforms of the software used by this threat to conduct behavior\
\ commonly modeled using MITRE ATT&CK\xAE. While not required, you can use\
\ a MITRE ATT&CK\xAE software platform.\nExpected values\n * AWS\n * Azure\n\
\ * Azure AD\n * GCP\n * Linux\n * macOS\n * Network\n * Office 365\n\
\ * PRE\n * SaaS\n * Windows"
example: Windows
\ a MITRE ATT&CK\xAE software platforms.\nRecommended Values:\n * AWS\n \
\ * Azure\n * Azure AD\n * GCP\n * Linux\n * macOS\n * Network\n * Office\
\ 365\n * SaaS\n * Windows"
example: '[ "Windows" ]'
default_field: false
- name: software.reference
level: extended
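Review bot: the removed lines drop `PRE` from the platform list and change the example from the scalar `Windows` to `'[ "Windows" ]'`, but the CHANGELOG line in this PR says only that the field set was extended; a removed recommended value and a scalar-to-array change each deserve an explicit changelog sentence so producers already sending `PRE` or a single string are not surprised. The new description also keeps the grammar error `you can use a MITRE ATT&CK\xAE software platforms` (should be `you can use MITRE ATT&CK\xAE software platforms`), and `Expected values` became `Recommended Values:` here while the `software.type` hunk in the same file uses `Recommended values`; pick one spelling in the schema source so both generated strings agree.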
Expand All @@ -7868,7 +7868,7 @@
ignore_above: 1024
description: "The type of software used by this threat to conduct behavior commonly\
\ modeled using MITRE ATT&CK\xAE. While not required, you can use a MITRE\
\ ATT&CK\xAE software type.\nExpected values\n * Malware\n * Tool"
\ ATT&CK\xAE software type.\nRecommended values\n * Malware\n * Tool"
example: Tool
default_field: false
- name: tactic.id
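Review bot: `Recommended values` here versus `Recommended Values:` in the `software.platforms` hunk of the same file; both strings are generated from the schema, so the casing and the trailing colon should be unified at the source rather than left to diverge across fields. With only `Malware` and `Tool` listed and nothing beyond `type: keyword` enforcing them, consider stating in the description that these are ATT&CK's own two software categories and whether any other value is acceptable, so that consumers filtering on `threat.software.type` know what to expect.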
2 changes: 1 addition & 1 deletion experimental/generated/csv/fields.csv
Expand Up @@ -937,7 +937,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
2.0.0-dev+exp,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator
2.0.0-dev+exp,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software
2.0.0-dev+exp,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software.
2.0.0-dev+exp,true,threat,threat.software.platforms,keyword,extended,,Windows,Platform of the software.
2.0.0-dev+exp,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software.
2.0.0-dev+exp,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL.
2.0.0-dev+exp,true,threat,threat.software.type,keyword,extended,,Tool,Software type.
2.0.0-dev+exp,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id.
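Review bot: the changed row gives `threat.software.platforms` normalization `array` with the example rendered as `"[ ""Windows"" ]"`, while the neighbouring `threat.tactic.id` row also has normalization `array` but a bare `TA0002` example; the two array fields should use one example convention, which means the examples in the schema source differ and one of them should be changed. Minor: the context row for `threat.software.id` reads `ID of the software` without the trailing period that `Name of the software.` and the other short descriptions carry.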